--On Thursday, April 29, 2010 10:36 PM +0900 Ansgar Burchardt
<ans...@43-1.org> wrote:
Package: libnss-ldap,libldap-2.4-2
Version: libnss-ldap/264-2.1
Version: libldap-2.4-2/2.4.17-2.1

Hi,

libgcrypt11 has the "feature" of changing the real uid if it differs
from the effective user id and the effective user id is 0 [1]. This
comes from a time when programs had to be setuid root in order to use
mlock() to protect memory containing private keys.

This means that setuid applications using nss-ldap with a SSL connection
will lose their elevated privileges (unless a daemon such as nscd is
used). Thus applications like su, sudo, at, ... no longer work
correctly. Sadly upstream seems to consider this side effect in
libgcrypt a feature and seems not willing to change it.

One way to solve this problem would be having a separate libldap package
that links against OpenSSL [2] and could be used by libraries such as
libnss-ldap.

Or Debian could use nss-ldapd with nslcd, and not have to introduce OpenSSL
at all. Long term, it would of course be best to use the slapo-nssov
overlay.

--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
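
Added example, not part of the original messages or of any package discussed: a C check that a setuid program could wrap around an NSS lookup to notice that a library changed the process's user or group ids as a side effect, which is the failure described in the report. The helper names and the `getpwnam("root")` probe are assumptions chosen for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Process identity a setuid program depends on. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

enum { CH_RUID = 1, CH_EUID = 2, CH_RGID = 4, CH_EGID = 8 };

static struct ids ids_now(void) {
    struct ids s = { getuid(), geteuid(), getgid(), getegid() };
    return s;
}

/* Bitmask of the ids that differ between two snapshots. */
static int ids_diff(struct ids a, struct ids b) {
    return (a.ruid != b.ruid ? CH_RUID : 0) | (a.euid != b.euid ? CH_EUID : 0) |
           (a.rgid != b.rgid ? CH_RGID : 0) | (a.egid != b.egid ? CH_EGID : 0);
}

/* The state named in the report: effective uid 0, real uid different. */
static int is_setuid_root(struct ids s) { return s.euid == 0 && s.ruid != 0; }

/* Run fn(arg) and return which ids changed while it ran. */
static int ids_changed_by(void (*fn)(void *), void *arg) {
    struct ids before = ids_now();
    fn(arg);
    return ids_diff(before, ids_now());
}

/* Probe: a passwd lookup, which goes through whatever NSS modules
 * /etc/nsswitch.conf lists (illustrative choice, not from the report). */
static void lookup_root(void *arg) { (void)arg; (void)getpwnam("root"); }

int main(void) {
    int at_risk = is_setuid_root(ids_now());
    int changed = ids_changed_by(lookup_root, NULL);
    if (changed)
        fprintf(stderr, "ids changed during NSS lookup (mask 0x%x)%s\n", changed,
                at_risk ? ", process was setuid root" : "");
    return changed ? 1 : 0;
}
```

The check only observes a change when the binary is installed setuid root and run by an unprivileged user on a host whose NSS configuration loads the affected libraries; elsewhere it exits 0.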