[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
Boian Mihailov
423252 at bugs.launchpad.net
Tue Oct 4 14:56:10 UTC 2011
Thanks a lot, works like a charm. I wish I could be of any help to
you, saved me a lot of time.
2011/10/4 cdmiller <cdmiller at adams.edu>:
> Just a follow up to #106. We have been running with the libgcrypt11
> patch from #73 with a couple thousand openldap and AD users using
> Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
> troubles.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/423252
>
> Title:
> NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
> suexec, and atd
>
> Status in Release Notes for Ubuntu:
> Fix Released
> Status in “eglibc” package in Ubuntu:
> Invalid
> Status in “libgcrypt11” package in Ubuntu:
> Confirmed
> Status in “libnss-ldap” package in Ubuntu:
> Invalid
> Status in “sudo” package in Ubuntu:
> Invalid
> Status in “eglibc” source package in Lucid:
> Invalid
> Status in “libgcrypt11” source package in Lucid:
> Confirmed
> Status in “libnss-ldap” source package in Lucid:
> Invalid
> Status in “sudo” source package in Lucid:
> Invalid
> Status in “eglibc” source package in Maverick:
> Invalid
> Status in “libgcrypt11” source package in Maverick:
> Confirmed
> Status in “libnss-ldap” source package in Maverick:
> Confirmed
> Status in “sudo” source package in Maverick:
> Invalid
> Status in “eglibc” source package in Karmic:
> Invalid
> Status in “libgcrypt11” source package in Karmic:
> Won't Fix
> Status in “libnss-ldap” source package in Karmic:
> Invalid
> Status in “sudo” source package in Karmic:
> Invalid
> Status in “libgcrypt11” package in Debian:
> Confirmed
> Status in “sudo” package in Debian:
> Confirmed
> Status in “sudo” package in Kairos Linux:
> Confirmed
>
> Bug description:
> On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
> field to anything with 'ldap' as the first item breaks the ability to
> become root using 'su' and 'sudo' as anyone but root.
>
> Default nsswitch.conf:
>
> passwd: compat
> group: compat
> shadow: compat
>
> matt at box:~$ sudo uname -a
> [sudo] password for matt:
> Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
> matt at box:~$ su -
> Password:
> root at box:~#
>
> Modified nsswitch.conf with 'ldap' before 'compat':
>
> passwd: ldap compat
> group: ldap compat
> shadow: ldap compat
>
> matt at box:~$ sudo uname -a
> sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
>
> matt at box:~$ su -
> Password:
> setgid: Operation not permitted
>
> Modified nsswitch.conf with 'ldap' after 'compat':
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> matt at box:~$ sudo uname -a
> [sudo] password for matt:
> Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
> matt at box:~$ su -
> Password:
> root at box:~#
>
> The same arrangements in nsswitch.conf work as expected in Jaunty and
> earlier releases.
>
> Lucid Release Note:
>
> == NSS via LDAP+SSL breaks setuid applications like sudo ==
>
> Upgrading systems configured to use ldap over ssl as the first service
> in the nss stack (in nsswitch.conf) leads to a broken nss resolution
> for setuid applications after the upgrade to Lucid (for example sudo
> would stop working). There isn't any simple workaround for now. One
> option is to switch to libnss-ldapd in place of libnss-ldap before the
> upgrade. Another one consists in using nscd before the upgrade.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
>
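The release note quoted above describes the trigger (ldap listed first for the NSS databases in nsswitch.conf) and the bug description shows the symptom (su and sudo can no longer switch uid after an NSS lookup). The thread points at a libgcrypt11 patch but does not spell out the mechanism, so the diagnostic below only detects the two observable halves. It is an added example, not code from the bug thread or from any of the Ubuntu packages involved: one function parses an nsswitch.conf text and reports which of passwd, group and shadow have `ldap` as their first source; the other, when the binary is built setuid root and run by an unprivileged user, performs a `getpwnam()` lookup (which runs the configured NSS modules inside the privileged process) and then checks whether the same drop-and-regain uid sequence that su and sudo perform still works. The database names, the `ldap` keyword and the config syntax are the standard glibc ones; the sample config strings and the return codes are constructed for this example.

```c
/* Added diagnostic (not code from the bug thread): checks the condition the
 * release note describes (ldap listed first in nsswitch.conf) and, when built
 * setuid root, whether a getpwnam() lookup leaves the process unable to
 * switch uid the way su and sudo do. Database names, the "ldap" source
 * keyword and the nsswitch.conf syntax are the standard glibc ones. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define NSS_PASSWD 1
#define NSS_GROUP  2
#define NSS_SHADOW 4

/* Bitmask of the passwd/group/shadow entries whose first source is "ldap".
 * '#' comments are stripped; a source followed by an action such as
 * "[NOTFOUND=return]" is still recognised. */
int nss_ldap_first(const char *conf)
{
    int mask = 0;
    const char *p = conf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);        /* always advance by the whole line */

        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';
        char *colon = strchr(line, ':');
        if (!colon)
            continue;
        *colon = '\0';
        char *db = line;
        while (*db == ' ' || *db == '\t')
            db++;
        char *e = db + strlen(db);
        while (e > db && (e[-1] == ' ' || e[-1] == '\t'))
            *--e = '\0';
        char *src = colon + 1;
        while (*src == ' ' || *src == '\t')
            src++;
        size_t n = strcspn(src, " \t[");  /* length of the first source token */
        if (n != 4 || strncmp(src, "ldap", 4) != 0)
            continue;
        if (strcmp(db, "passwd") == 0)
            mask |= NSS_PASSWD;
        else if (strcmp(db, "group") == 0)
            mask |= NSS_GROUP;
        else if (strcmp(db, "shadow") == 0)
            mask |= NSS_SHADOW;
    }
    return mask;
}

/* Runtime probe. Only meaningful when the binary is setuid root and run by
 * an unprivileged user. Constructed return codes:
 *   1  not running setuid root (effective uid != 0 or real uid == 0)
 *   2  getpwnam() found no entry for the name
 *   3  could not drop to the real uid and regain root after the lookup,
 *      i.e. the symptom su and sudo show in the report
 *   0  lookup done and the uid round-trip still works */
int probe_setuid_after_lookup(const char *name)
{
    uid_t real = getuid();
    if (geteuid() != 0 || real == 0)
        return 1;
    if (getpwnam(name) == NULL)      /* runs the configured NSS modules */
        return 2;
    if (seteuid(real) != 0 || seteuid(0) != 0)
        return 3;
    return 0;
}

int main(int argc, char **argv)
{
    char buf[8192];
    FILE *f = fopen("/etc/nsswitch.conf", "r");
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        int m = nss_ldap_first(buf);
        if (m == 0)
            printf("ldap first in: (none)\n");
        else
            printf("ldap first in: %s%s%s\n",
                   m & NSS_PASSWD ? "passwd " : "",
                   m & NSS_GROUP ? "group " : "",
                   m & NSS_SHADOW ? "shadow " : "");
    } else {
        perror("/etc/nsswitch.conf");
    }
    printf("setuid probe after lookup: %d\n",
           probe_setuid_after_lookup(argc > 1 ? argv[1] : "root"));
    return 0;
}
```

Built as an ordinary binary it only reports the configuration half and returns probe code 1. To exercise the runtime half on a test host, make the binary setuid root (`chown root` and `chmod u+s`) and run it as an unprivileged user, optionally passing a user name that is resolved through the LDAP source; code 3 reproduces the `Operation not permitted` failure from the report without involving su or sudo, which makes it a convenient pre-upgrade check for the condition the Lucid release note warns about.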