Package: libnss-ldap,libldap-2.4-2
Version: libnss-ldap/264-2.1
Version: libldap-2.4-2/2.4.17-2.1

Hi,

libgcrypt11 has the "feature" of changing the real uid if it differs from the effective user id and the effective user id is 0 [1]. This comes from a time when programs had to be setuid root in order to use mlock() to protect memory containing private keys.

This means that setuid applications using nss-ldap with an SSL connection will lose their elevated privileges (unless a daemon such as nscd is used). Thus applications like su, sudo, at, ... no longer work correctly.

Sadly upstream seems to consider this side effect in libgcrypt a feature and seems not willing to change it.

One way to solve this problem would be having a separate libldap package that links against OpenSSL [2] and could be used by libraries such as libnss-ldap.

Regards,
Ansgar

[1] <http://bugs.debian.org/566351>
    <https://bugs.launchpad.net/bugs/423252>
[2] I understand that the package uses GnuTLS/gcrypt to be GPL-compatible, so this would be in addition to the present package.
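
A diagnostic for the side effect described in the report, added here as an example and not taken from the report, libgcrypt or nss-ldap: it records the real and effective user IDs around a call and reports whether the call changed them. The names uid_pair, uid_changes, lost_root, check_call and noop_call are hypothetical, and the sample IDs in main() are constructed.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective user ID of the process at one instant. */
struct uid_pair { uid_t ruid, euid; };

/* Bitmask of what differs between two snapshots: 1 = real, 2 = effective. */
int uid_changes(const struct uid_pair *a, const struct uid_pair *b)
{
    return (a->ruid != b->ruid ? 1 : 0) | (a->euid != b->euid ? 2 : 0);
}

/* True when the effective uid was 0 before the call and is not 0 after it. */
int lost_root(const struct uid_pair *a, const struct uid_pair *b)
{
    return a->euid == 0 && b->euid != 0;
}

/* Run fn and return the uid_changes() bitmask observed across it.
 * fn is a hypothetical stand-in for whatever triggers the library
 * initialisation, e.g. the first NSS lookup that opens the TLS connection. */
int check_call(void (*fn)(void))
{
    struct uid_pair before = { getuid(), geteuid() };
    fn();
    struct uid_pair after = { getuid(), geteuid() };
    return uid_changes(&before, &after);
}

/* Placeholder call that touches no credentials. */
void noop_call(void) { }

int main(void)
{
    /* Constructed sample: a setuid-root program started by uid 1000 that
     * ends up without elevated privileges after the call. */
    struct uid_pair before = { 1000, 0 }, after = { 1000, 1000 };

    printf("sample: changes=%d lost_root=%d\n",
           uid_changes(&before, &after), lost_root(&before, &after));
    printf("live no-op call: changes=%d\n", check_call(noop_call));
    return 0;
}
```

In a setuid program, passing the first lookup as fn and treating a nonzero result as fatal turns the silent privilege loss into an explicit failure.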