Comment 109 for bug 423252

Boian Mihailov (boian-mihailov) wrote : Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

Thanks a lot, works like a charm. I wish I could be of any help to
you, saved me a lot of time.

2011/10/4 cdmiller <email address hidden>:
> Just a follow up to #106.  We have been running with the libgcrypt11
> patch from #73 with a couple thousand openldap and AD users using
> Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
> troubles.
>
> https://bugs.launchpad.net/bugs/423252
>
> Title:
>  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
>  suexec, and atd
>
> Status in Release Notes for Ubuntu:
>  Fix Released
> Status in “eglibc” package in Ubuntu:
>  Invalid
> Status in “libgcrypt11” package in Ubuntu:
>  Confirmed
> Status in “libnss-ldap” package in Ubuntu:
>  Invalid
> Status in “sudo” package in Ubuntu:
>  Invalid
> Status in “eglibc” source package in Lucid:
>  Invalid
> Status in “libgcrypt11” source package in Lucid:
>  Confirmed
> Status in “libnss-ldap” source package in Lucid:
>  Invalid
> Status in “sudo” source package in Lucid:
>  Invalid
> Status in “eglibc” source package in Maverick:
>  Invalid
> Status in “libgcrypt11” source package in Maverick:
>  Confirmed
> Status in “libnss-ldap” source package in Maverick:
>  Confirmed
> Status in “sudo” source package in Maverick:
>  Invalid
> Status in “eglibc” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” source package in Karmic:
>  Won't Fix
> Status in “libnss-ldap” source package in Karmic:
>  Invalid
> Status in “sudo” source package in Karmic:
>  Invalid
> Status in “libgcrypt11” package in Debian:
>  Confirmed
> Status in “sudo” package in Debian:
>  Confirmed
> Status in “sudo” package in Kairos Linux:
>  Confirmed
>
> Bug description:
>  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
>  field to anything with 'ldap' as the first item breaks the ability to
>  become root using 'su' and 'sudo' as anyone but root.
>
>  Default nsswitch.conf:
>
>  passwd:         compat
>  group:          compat
>  shadow:         compat
>
>  matt@box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt@box:~$ su -
>  Password:
>  root@box:~#
>
>  Modified nsswitch.conf with 'ldap' before 'compat':
>
>  passwd:         ldap compat
>  group:          ldap compat
>  shadow:         ldap compat
>
>  matt@box:~$ sudo uname -a
>  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
>
>  matt@box:~$ su -
>  Password:
>  setgid: Operation not permitted
>
>  Modified nsswitch.conf with 'ldap' after 'compat':
>
>  passwd:         compat ldap
>  group:          compat ldap
>  shadow:         compat ldap
>
>  matt@box:~$ sudo uname -a
>  [sudo] password for matt:
>  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
>
>  matt@box:~$ su -
>  Password:
>  root@box:~#
>
>  The same arrangements in nsswitch.conf work as expected in Jaunty and
>  earlier releases.
>
>  Lucid Release Note:
>
>  == NSS via LDAP+SSL breaks setuid applications like sudo ==
>
>  Upgrading systems configured to use ldap over ssl as the first service
>  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
>  for setuid applications after the upgrade to Lucid (for example sudo
>  would stop working). There isn't any simple workaround for now. One
>  option is to switch to libnss-ldapd in place of libnss-ldap before the
>  upgrade. Another one consists in using nscd before the upgrade.
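The three nsswitch.conf orderings from the quoted bug description, run through a small added check (not part of the bug report, libnss-ldap or libgcrypt11) that flags the databases where ldap is the first service, which is the configuration the report shows breaking su and sudo; the sample configurations are constructed strings copied from the report.

```python
# Added example: flag nsswitch.conf databases that list 'ldap' as the
# first service, the ordering the bug report shows breaking su/sudo.
# Sample configurations below are constructed from the report's text.

# Databases that setuid programs (su, sudo, suexec, atd) resolve while
# switching identity, per the bug report.
SETUID_SENSITIVE_DBS = ("passwd", "group", "shadow")


def parse_nsswitch(text):
    """Return {database: [service, ...]} from nsswitch.conf contents.

    Comments are stripped and action specifiers such as [NOTFOUND=return]
    are dropped, since only the order of the services matters here.
    """
    databases = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, services = line.split(":", 1)
        databases[name.strip()] = [s for s in services.split()
                                   if not s.startswith("[")]
    return databases


def ldap_first_databases(text):
    """Databases from SETUID_SENSITIVE_DBS whose first service is 'ldap'."""
    databases = parse_nsswitch(text)
    return [db for db in SETUID_SENSITIVE_DBS
            if databases.get(db, [])[:1] == ["ldap"]]


# Constructed samples reproducing the three orderings from the report.
DEFAULT = "passwd: compat\ngroup: compat\nshadow: compat\n"
LDAP_FIRST = "passwd: ldap compat\ngroup: ldap compat\nshadow: ldap compat\n"
LDAP_AFTER = "passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n"

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT), ("ldap first", LDAP_FIRST),
                       ("ldap after", LDAP_AFTER)):
        broken = ldap_first_databases(cfg)
        print(f"{label}: {broken or 'ok'}")
```

Running it against a real /etc/nsswitch.conf (read the file and pass its contents) gives the list of databases to reorder, or to front with nscd or libnss-ldapd as the release note suggests, before upgrading.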