[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

Boian Mihailov 423252 at bugs.launchpad.net
Tue Oct 4 14:56:10 UTC 2011 

Thanks a lot, works like a charm. I wish i could be of any help to
you, saved me a lot of time.

2011/10/4 cdmiller <cdmiller at adams.edu>:
> Just a follow up to #106.  We have been running with the libgcrypt11
> patch from #73 with a couple thousand openldap and AD users using
> Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
> troubles.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/423252
>
> Title:
>  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
>  suexec, and atd
>
> Status in Release Notes for Ubuntu:
>  Fix Released
> Status in “eglibc” package in Ubuntu:
>  Invalid
> Status in “libgcrypt11” package in Ubuntu:
>  Confirmed
> Status in “libnss-ldap” package in Ubuntu:
>  Invalid
> Status in “sudo” package in Ubuntu:
>  Invalid
> Status in “eglibc” source package in Lucid:
>  Invalid
> Status in “libgcrypt11” source package in Lucid:
>  Confirmed
> Status in “libnss-ldap” source package in Lucid:
>  Invalid
> Status in “sudo” source package in Lucid:
>  Invalid
> Status in “eglibc” source package in Maverick:
>  Invalid
> Status in “libgcrypt11” source package in Maverick:
>  Confirmed
> Status in “libnss-ldap” source package in Maverick:
>  Confirmed
> Status in “sudo” source package in Maverick:
>  Invalid
> Status in “eglibc” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” source package in Karmic:
>  Won't Fix
> Status in “libnss-ldap” source package in Karmic:
>  Invalid
> Status in “sudo” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” package in Debian:
>  Confirmed
> Status in “sudo” package in Debian:
>  Confirmed
> Status in “sudo” package in Kairos Linux:
>  Confirmed
>
> Bug description:
>  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
>  field to anything with 'ldap' as the first item breaks the ability to
>  become root using 'su' and 'sudo' as anyone but root.
>
>  Default nsswitch.conf:
>
>  passwd:         compat
>  group:          compat
>  shadow:         compat
>
>  matt at box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt at box:~$ su -
>  Password:
>  root at box:~#
>
>  Modified nsswitch.conf with 'ldap' before 'compat':
>
>  passwd:         ldap compat
>  group:          ldap compat
>  shadow:         ldap compat
>
>  matt at box:~$ sudo uname -a
>  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
>
>  matt at box:~$ su -
>  Password:
>  setgid: Operation not permitted
>
>  Modified nsswitch.conf with 'ldap' after 'compat':
>
>  passwd:         compat ldap
>  group:          compat ldap
>  shadow:         compat ldap
>
>  matt at box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt at box:~$ su -
>  Password:
>  root at box:~#
>
>  The same arrangements in nsswitch.conf work as expected in Jaunty and
>  earlier releases.
>
>  Lucid Release Note:
>
>  == NSS via LDAP+SSL breaks setuid applications like sudo ==
>
>  Upgrading systems configured to use ldap over ssl as the first service
>  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
>  for setuid applications after the upgrade to Lucid (for example sudo
>  would stop working). There isn't any simple workaround for now. One
>  option is to switch to libnss-ldapd in place of libnss-ldap before the
>  upgrade. Another one consists in using nscd before the upgrade.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

More information about the Ubuntu-server-bugs mailing list