** Bug watch added: Debian Bug tracker #566351 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566351

** Changed in: libgcrypt11 (Debian)
       Status: Fix Released => Unknown

** Changed in: libgcrypt11 (Debian)
 Remote watch: Debian Bug tracker #368297 => Debian Bug tracker #566351

** Package changed: gnutls26 (Debian) => ubuntu-translations

** Changed in: ubuntu-translations
   Importance: Unknown => Undecided

** Changed in: ubuntu-translations
       Status: Fix Released => New

** Changed in: ubuntu-translations
 Remote watch: Debian Bug tracker #658739 => None

** No longer affects: ubuntu-translations

** Package changed: libnss-ldap (Debian) => ubuntu-translations

** Changed in: ubuntu-translations
   Importance: Unknown => Undecided

** Changed in: ubuntu-translations
       Status: Fix Released => New

** Changed in: ubuntu-translations
 Remote watch: Debian Bug tracker #579647 => None

** No longer affects: ubuntu-translations

** Package changed: sudo (Debian) => ubuntu-translations

** Changed in: ubuntu-translations
   Importance: Unknown => Undecided

** Changed in: ubuntu-translations
       Status: Fix Released => New

** Changed in: ubuntu-translations
 Remote watch: Debian Bug tracker #658896 => None

** No longer affects: ubuntu-translations

** Bug watch removed: Debian Bug tracker #368297
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=368297

** Bug watch removed: Debian Bug tracker #579647
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579647

** Bug watch removed: Debian Bug tracker #658739
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739

** Bug watch removed: Debian Bug tracker #658896
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896

-- 
You received this bug notification because you are a member of Ubuntu
Translations Coordinators, which is subscribed to Ubuntu Translations.
Matching subscriptions: Ubuntu Translations bug mail
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

Status in libgcrypt:
  Fix Released
Status in Release Notes for Ubuntu:
  Fix Released
Status in libgcrypt11 package in Ubuntu:
  Fix Released
Status in libgcrypt11 source package in Lucid:
  Fix Released
Status in libgcrypt11 source package in Maverick:
  Won't Fix
Status in libgcrypt11 source package in Natty:
  Won't Fix
Status in libgcrypt11 source package in Oneiric:
  Won't Fix
Status in libgcrypt11 source package in Precise:
  Fix Released
Status in libgcrypt11 source package in Karmic:
  Won't Fix
Status in libgcrypt11 package in Debian:
  Unknown

Bug description:
  SRU Request:

  [Impact]
  As heavily outlined in the amount of comments in this bug the impact is
  detrimental to both community and enterprise users alike.

  [Development Fix]
  Howard Chu released a patch in #73 which was later confirmed in #106 &
  #108 as a resolution.

  [Stable Fix]
  Patch from #73 can be applied cleanly to Lucid and new distributions.

  [Test Case]
  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.

  Default nsswitch.conf:

  passwd: compat
  group: compat
  shadow: compat

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  matt@box:~$ su -
  Password:
  root@box:~#

  Modified nsswitch.conf with 'ldap' before 'compat':

  passwd: ldap compat
  group: ldap compat
  shadow: ldap compat

  matt@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
  matt@box:~$ su -
  Password:
  setgid: Operation not permitted

  Modified nsswitch.conf with 'ldap' after 'compat':

  passwd: compat ldap
  group: compat ldap
  shadow: compat ldap

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
  matt@box:~$ su -
  Password:
  root@box:~#

  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.

  [Regression Potential]
  This should be minimal as the code change only addresses the
  duplicating global_init during thread callbacks.

  Lucid Release Note:

  == NSS via LDAP+SSL breaks setuid applications like sudo ==

  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
  for setuid applications after the upgrade to Lucid (for example sudo
  would stop working). There isn't any simple workaround for now. One
  option is to switch to libnss-ldapd in place of libnss-ldap before the
  upgrade. Another one consists in using nscd before the upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/libgcrypt/+bug/423252/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~ubuntu-translations-coordinators
Post to     : ubuntu-translations-coordinators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-translations-coordinators
More help   : https://help.launchpad.net/ListHelp
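
The ordering condition from the test case and release note above, as an added example that is not part of the bug report or of any Ubuntu tooling: a shell function that reports which of the passwd, group and shadow databases list ldap as their first source, for use as a check before upgrading. The function name and the sample files are constructed for illustration; it checks ordering only, not whether the LDAP connection uses SSL.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-upgrade check for the
# nsswitch.conf ordering described in the test case.

# ldap_first_dbs FILE   (hypothetical helper name)
# Prints the passwd/group/shadow databases whose first source is "ldap".
# Exit status is 0 if at least one is found, 1 otherwise.
ldap_first_dbs() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*(passwd|group|shadow)[ \t]*:/ {
            sub(/:/, " ")                       # split "db: src1 src2" into fields
            if ($2 == "ldap") hits = hits (hits ? " " : "") $1
        }
        END { if (hits) print hits; exit (hits ? 0 : 1) }
    ' "$1"
}

# Constructed sample files mirroring the three configurations in the report.
sample_dir=$(mktemp -d)
printf 'passwd: compat\ngroup: compat\nshadow: compat\n' \
    > "$sample_dir/default"
printf 'passwd: ldap compat\ngroup: ldap compat\nshadow: ldap compat\n' \
    > "$sample_dir/ldap_first"
printf 'passwd: compat ldap\ngroup: compat ldap\nshadow: compat ldap\n' \
    > "$sample_dir/ldap_last"

for f in default ldap_first ldap_last; do
    if dbs=$(ldap_first_dbs "$sample_dir/$f"); then
        echo "$f: ldap is the first source for: $dbs"
    else
        echo "$f: ldap is not the first source"
    fi
done
```

On a real host the function would be pointed at /etc/nsswitch.conf; a non-empty result matches the configuration the release note describes as affected.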