libgcrypt

Bug #423252
Comment #95

Comment 95 for bug 423252

Revision history for this message

bl8n8r (bl8n8r-gmail) wrote on 2010-08-19: Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

#95

nslcd is a fail on lucid for me. Trying to start from upstart fails. Running it by hand in debug mode works but when trying to su from one LDAP user to another it again fails:

# service nslcd start
* Starting LDAP connection daemon nslcd nslcd: unable to daemonize: No such device

Seems to work in debug mode
# /usr/sbin/nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xx)
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xxx)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections

When I try to su to another user however, more fail:
[2]# sudo -u nslcd nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.12.51.165)
nslcd: DEBUG: add_uri(ldaps://10.14.13.250)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: cannot setgroups(0,NULL) (ignored): Operation not permitted
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(user333)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [8b4567] connected to LDAP server ldaps://10.12.51.165
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(user333)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [7b23c6] connected to LDAP server ldaps://10.12.51.165
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=13359 uid=1000 gid=1000
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(user333)
nslcd: [3c9869] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [3c9869] connected to LDAP server ldaps://10.12.51.165
nslcd: [3c9869] DEBUG: ldap_result(): end of results

output of below command ^^^^^^^^^^^^^^^^^^^^^^^^^^
$ su - user333
Password:
setgid: Operation not permitted

nslcd is a fail on lucid for me.  Trying to start from upstart fails.  Running it by hand in debug mode works but when trying to su from one LDAP user to another it again fails:

# service nslcd start
 * Starting LDAP connection daemon nslcd      nslcd: unable to daemonize: No such device
     
Seems to work in debug mode
# /usr/sbin/nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xx)
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xxx)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections

When I try to su to another user however, more fail:
[2]# sudo -u nslcd  nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.12.51.165)
nslcd: DEBUG: add_uri(ldaps://10.14.13.250)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: cannot setgroups(0,NULL) (ignored): Operation not permitted
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(user333)
nslcd: [8b4567] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [8b4567] connected to LDAP server ldaps://10.12.51.165
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(user333)
nslcd: [7b23c6] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [7b23c6] connected to LDAP server ldaps://10.12.51.165
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=13359 uid=1000 gid=1000
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(user333)
nslcd: [3c9869] DEBUG: myldap_search(base="ou=HDA,ou=DC,o=FMW", filter="(&(objectClass=posixAccount)(uid=user333))")
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldaps://10.12.51.165")
nslcd: [3c9869] connected to LDAP server ldaps://10.12.51.165
nslcd: [3c9869] DEBUG: ldap_result(): end of results
                        
                                 output of below command ^^^^^^^^^^^^^^^^^^^^^^^^^^
$ su - user333
Password: 
setgid: Operation not permitted