[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

bl8n8r 423252 at bugs.launchpad.net
Thu Aug 19 19:02:02 BST 2010


nslcd is a fail on lucid for me.  Trying to start it from upstart fails.
Running it by hand in debug mode works, but when trying to su from one
LDAP user to another it again fails:

# service nslcd start
 * Starting LDAP connection daemon nslcd      nslcd: unable to daemonize: No such device

It seems to work in debug mode:
# /usr/sbin/nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xx)
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xxx)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections


When I try to su to another user, however, more failures appear:
[2]# sudo -u nslcd  nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.12.51.165)
nslcd: DEBUG: add_uri(ldaps://10.14.13.250)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: cannot setgroups(0,NULL) (ignored): Operation not permitted
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(user333)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [8b4567] connected to LDAP server ldaps://10.12.51.165
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(user333)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [7b23c6] connected to LDAP server ldaps://10.12.51.165
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=13359 uid=1000 gid=1000
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(user333)
nslcd: [3c9869] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [3c9869] connected to LDAP server ldaps://10.12.51.165
nslcd: [3c9869] DEBUG: ldap_result(): end of results

(output of the command below ^^^)
$ su - user333
Password: 
setgid: Operation not permitted

-- 
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252