Package: nslcd
Version: 0.8.12-1
Severity: normal

nslcd only allows processes with UID==0 (as determined by credentials
passed over its UNIX domain socket) to query the shadow database.
This check is enforced by lines 449-452 of nslcd/nslcd.c:

    case NSLCD_ACTION_SHADOW_BYNAME:
      if (uid==0) (void)nslcd_shadow_byname(fp,session);
      else log_log(LOG_DEBUG,"denied shadow request by non-root user");
      break;
    case NSLCD_ACTION_SHADOW_ALL:
      if (uid==0) (void)nslcd_shadow_all(fp,session);
      else log_log(LOG_DEBUG,"denied shadow request by non-root user");
      break;

This is a problem because it means non-root processes, in particular
processes with GID shadow, are unable to authenticate against LDAP
via PAM.  Although pam_authenticate() succeeds (since it works by
attempting an LDAP bind with the user's password), pam_acct_mgmt(),
which needs to consult the shadow database for the password expiration
fields, fails.  This breaks a popular paradigm in Debian, which is to use
a setgid-shadow binary to allow non-root services to authenticate with PAM
(since the shadow group has read access to /etc/shadow).  For example, the
pwauth package installs the pwauth binary setgid-shadow, and ejabberd's
README.Debian file advises administrators to use dpkg-statoverride
to make ejabberd's epam binary setgid-shadow.  (Actually, ejabberd's
README.Debian erroneously states that if you're using PAM+LDAP, no
elevation of privileges is needed at all.)

It's understandable why nslcd would want to restrict access to the
shadow database, but in many LDAP environments this is an unnecessary
restriction: if the LDAP server doesn't allow the userPassword attribute
to be read, any user (root or otherwise) who queries the shadow database
would see only '*' for the password hash.

This behavior also makes libnss-ldapd inconsistent with libnss-ldap.
With libnss-ldap, any user is allowed to query the shadow database
(but of course sees only '*' for the password if the LDAP server is
properly configured).

It would therefore be nice if this restriction were configurable, or if
the restriction could be loosened to also permit processes with GID shadow
(making it analogous to the permissions on /etc/shadow).

Note that the versions of nslcd in squeeze and wheezy are also affected
by this.
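As an added illustration (not nslcd's own code, and not a patch to it), the loosened check suggested above, factored into a testable decision function plus a Linux SO_PEERCRED helper of the kind nslcd would use to obtain the peer's uid/gid. The option flag, function names and the "shadow" group lookup are assumptions for this example.

```c
#define _GNU_SOURCE          /* struct ucred / SO_PEERCRED on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Decide whether a peer with these credentials may query the shadow
 * database.  uid 0 is always allowed (current nslcd behaviour); when the
 * assumed "allow_gid_shadow" option is on, a peer whose gid is the shadow
 * group is allowed too, mirroring the group-read bit on /etc/shadow. */
int shadow_request_allowed(uid_t uid, gid_t gid, gid_t shadow_gid,
                           int allow_gid_shadow)
{
    if (uid == 0)
        return 1;
    if (allow_gid_shadow && shadow_gid != (gid_t)-1 && gid == shadow_gid)
        return 1;
    return 0;
}

/* Resolve the gid of the local "shadow" group; (gid_t)-1 if it is absent,
 * which makes the group rule above never match. */
gid_t lookup_shadow_gid(void)
{
    struct group *gr = getgrnam("shadow");
    return gr ? gr->gr_gid : (gid_t)-1;
}

#ifdef __linux__
/* Read the connecting process's effective uid/gid from a connected
 * AF_UNIX socket.  SO_PEERCRED reports only the primary (effective) gid,
 * which is exactly what a setgid-shadow binary presents; supplementary
 * group membership is not visible this way.  Returns 0 on success. */
int peer_credentials(int fd, uid_t *uid, gid_t *gid)
{
    struct ucred cred;
    socklen_t len = sizeof(cred);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    *uid = cred.uid;
    *gid = cred.gid;
    return 0;
}
#endif

int main(void)
{
    gid_t shadow = lookup_shadow_gid();   /* constructed demo: uid 1000 with gid shadow */
    printf("non-root, gid shadow, option off: %d\n",
           shadow_request_allowed(1000, shadow, shadow, 0));
    printf("non-root, gid shadow, option on:  %d\n",
           shadow_request_allowed(1000, shadow, shadow, 1));
    return 0;
}
```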

