Package: gnutls26 Version: libgnutls26 Severity: important Dear Maintainer,
If your account is an LDAP one and your LDAP client connects to its LDAP server via SSL then running setuid programs from your account fail since libgcrypt11 is horribly broken and upstream GnuTLS no longer recommends using it as the backend crypto library: http://lists.debian.org/debian-legal/2011/02/msg00006.html In the past it was possible to work around this by using nscd but that work around no longer has any effect. When I rebuild gnutls26 with nettle I am able to use setuid binaries from my LDAP account which connects via SSL to its LDAP server. Reproducing: 1. Install an OpenLDAP server that speaks LDAP over SSL. 2. Install Debian Testing or Unstable and configure it to be an LDAP client that connects via to its LDAP server via SSL. 3. Log into the Debian system created in step using an LDAP account not an account in /etc/passwd. 4. Attempt to use sudo. You will see unexpected results: $ sudo id [sudo] password for user: sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted sudo: unable to open /var/lib/sudo/user/1: Operation not permitted sudo: unable to set gid to runas gid 0: Operation not permitted sudo: unable to execute /usr/bin/id: Operation not permitted $ 5. Attempt to use sudo. You will see expected results: $ sudo id [sudo] password for user: uid=0(root) gid=0(root) groups=0(root) See also: https://bugs.launchpad.net/bugs/926350 -- System Information: Debian Release: wheezy/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-1-amd64 (SMP w/3 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org