[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

Nathan Stratton Treadway ubuntu.lp at nathanst.com
Fri Sep 24 17:46:25 BST 2010

On Wed, Sep 22, 2010 at 22:26:31 -0000, greenmoss wrote:
> My bug 509734 was marked as a duplicate of this one. This was a special
> case using the atd job scheduler. At jobs launched by ldap users worked,
> but at jobs launched by root did *not* work. atd was doing a group
> lookup, and nss was dropping privileges, thus breaking root-launched at

Yeah, I found this behavior on in my test machine (where I'm
running Lucid), too.

Based on the discussion earlier in this bug (423252), I did some
testing of the behavior of "atd" with various combinations of
libpam/nss-ldap, nscd, and libpam/nss-ldapd.

As greenmoss found, when I was running with libpam/nss-ldap and
no nscd (and didn't have any of the users in question listed in
the "ignoreusers" line), my "at" commands worked for LDAP users
but not for ones defined in /etc/passwd.  (When an LDAP user
attempted to run an "at" command, the following syslog message
would appear:
  atd[<PID>]: Cannot delete saved userids: Operation not permitted

However, I found that when nscd was running... the situation was
reversed: "at" commands did work for LDAP-defined users, but not
for /etc/passwd-defined ones (and attempts to use "at" as one of
those users would cause the same error message as above to show
up in the syslog).

When I had libpam/nss-ldapd installed (with or without nscd),
the "at" command worked fine for both types of users.

> jobs. To work around this, I added the following line to my
> /etc/ldap.conf:
> nss_initgroups_ignoreusers  <users>
> where <users> is the list of local non-ldap users, particularly root!

In the "libpam/nss-ldap, no nscd" case, this also worked in my
tests; listing the /etc/passwd-defined user in the ignoreusers
line did allow "at" to work for that user (and it continued to
work for the LDAP-defined user as well).

Interestingly, this change did NOT help in the "libpam/nss-ldap,
with nscd" case -- even with LDAP username listed in the
ignoreusers line, when I tried to run "at" as the LDAP-defined
user, the command still failed and "atd" still generated the
same syslog error message....

(libpam/nss-ldapd does not reference the /etc/ldapd.conf file,
so the ignoreusers line doesn't affect that test case.)

[For what it's worth, I tested "cron" using those same
combinations of NSS/PAM resolution libraries but didn't find any
situation where it failed...]


NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

More information about the Ubuntu-server-bugs mailing list