Debian Bug report logs - #545414
sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

Package: libgcrypt11; Maintainer for libgcrypt11 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libgcrypt11 is src:libgcrypt11.

Reported by: ben thielsen <btb@bitrate.net>

Date: Mon, 7 Sep 2009 00:54:02 UTC

Severity: serious

Tags: help, patch, squeeze-ignore, wheezy-ignore

Merged with 368297, 566351, 579647, 601667, 628671, 658739, 658896



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Mon, 07 Sep 2009 00:54:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to ben thielsen <btb@bitrate.net>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 07 Sep 2009 00:54:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: ben thielsen <btb@bitrate.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sun, 06 Sep 2009 20:50:54 -0400
Package: sudo-ldap
Version: 1.7.2-2
Severity: important

both sudo and sudo-ldap fail when a user in ldap attempts to use sudo (for example, sudo su) with the following message:

sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

users in the traditional passwd database don't appear to be affected.

this system uses ldap with both nss and pam.  all other aspects related to ldap appear to be working (e.g. id, getent, etc.).  i don't have a solution 
to offer, as i was not able to successfully troubleshoot the problem, but am happy to test ideas if it helps.  i'll wait to 
include various config files until requested.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo-ldap depends on:
ii  libc6                         2.9-25     GNU C Library: Shared libraries
ii  libldap-2.4-2                 2.4.17-1   OpenLDAP libraries
ii  libpam-modules                1.0.1-10   Pluggable Authentication Modules f
ii  libpam0g                      1.0.1-10   Pluggable Authentication Modules l

sudo-ldap recommends no packages.

sudo-ldap suggests no packages.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#545414; Package sudo-ldap. (Mon, 07 Sep 2009 03:12:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Mon, 07 Sep 2009 03:12:09 GMT) Full text and rfc822 format available.

Message #10 received at 545414@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: ben thielsen <btb@bitrate.net>, 545414@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sun, 06 Sep 2009 21:03:32 -0600
tags 545414 +help
tags 545414 +unreproducible
thanks

On Sun, 2009-09-06 at 20:50 -0400, ben thielsen wrote:
> i was not able to successfully troubleshoot the problem, but am happy to test ideas if it helps.  i'll wait to 
> include various config files until requested.

Hopefully, someone else watching the bug tracking system who knows more
about LDAP will have suggestions to offer.

Bdale






Added tag(s) help. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org. (Mon, 07 Sep 2009 03:12:10 GMT) Full text and rfc822 format available.

Added tag(s) unreproducible. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org. (Mon, 07 Sep 2009 03:12:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Thu, 17 Sep 2009 09:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to akhilesh singhania <akhi@inf.ethz.ch>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 17 Sep 2009 09:45:08 GMT) Full text and rfc822 format available.

Message #19 received at 545414@bugs.debian.org (full text, mbox):

From: akhilesh singhania <akhi@inf.ethz.ch>
To: 545414@bugs.debian.org
Subject: Reproducing the bug
Date: Thu, 17 Sep 2009 11:42:38 +0200
Hello,

I updated to debian testing last night and can reproduce this bug on
my system currently.
I would really like to see this fixed and my current workaround is to
use a local console to run commands that require root access.

More information about the bug: running su asks for the root
password but always fails.
Running su as root works but not as a user in ldap.

$ uname -a
Linux ikdesk23 2.6.30-1-686 #1 SMP Sat Aug 15 19:11:58 UTC 2009 i686 GNU/Linux

Please let me know how I can help fix the bug.

Cheers,
akhi




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Thu, 17 Sep 2009 21:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Wouter Verhelst <wouter@debian.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 17 Sep 2009 21:27:04 GMT) Full text and rfc822 format available.

Message #24 received at 545414@bugs.debian.org (full text, mbox):

From: Wouter Verhelst <wouter@debian.org>
To: 545414@bugs.debian.org, 545414-submitter@bugs.debian.org
Subject: auth.log
Date: Thu, 17 Sep 2009 23:19:03 +0200
[Message part 1 (text/plain, inline)]
Hi,

When this happens, in most cases that I've seen the problem is that
'getent shadow', when run as root, doesn't return anything for the users
in LDAP. Sudo doesn't really like this. In order to fix it, you need to
make sure that the LDAP NSS module is also used for the shadow database.

If that isn't the problem, sudo is pretty thorough in logging when
things go wrong, but doesn't provide enough information on stdout or
stderr to help debug. The relevant log entries would be found in
/var/log/auth.log on a default Debian installation; if more help is
needed, please send some relevant entries from an auth.log to this bug
log.

Thanks,

-- 
The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.
  http://www.schneier.com/blog/archives/2009/01/biometrics.html
[signature.asc (application/pgp-signature, inline)]
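A check for the condition Wouter describes, added here as an example; it is not code from the bug report, from sudo or from glibc. It parses nsswitch.conf-style text to see whether the shadow database lists the ldap source, and adds a live getspnam() check equivalent to running `getent shadow USER` as root. The two sample configurations and the user name alice are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <shadow.h>
#include <unistd.h>

/* Constructed sample nsswitch.conf contents (not taken from the report).
 * The first one is the misconfiguration Wouter describes: passwd and group
 * consult ldap, shadow does not. */
const char *NSSWITCH_NO_LDAP_SHADOW =
    "# /etc/nsswitch.conf\n"
    "passwd:         compat ldap\n"
    "group:          compat ldap\n"
    "shadow:         compat\n"
    "hosts:          files dns\n";

const char *NSSWITCH_LDAP_SHADOW =
    "passwd:         compat ldap\n"
    "group:          compat ldap\n"
    "shadow:         compat ldap [NOTFOUND=return]\n";

/* Report whether the nsswitch.conf text lists `source` for database `db`.
 * Returns 1 if listed, 0 if the db line exists but lacks it,
 * -1 if there is no uncommented line for that database. */
int nss_db_has_source(const char *conf, const char *db, const char *source)
{
    size_t dblen = strlen(db);
    const char *p = conf;

    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t raw = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        size_t n = raw < sizeof line - 1 ? raw : sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += raw + (eol ? 1 : 0);

        char *s = line;
        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0' || *s == '#')
            continue;                       /* blank or comment line */
        if (strncmp(s, db, dblen) != 0 || s[dblen] != ':')
            continue;                       /* some other database */

        for (char *tok = strtok(s + dblen + 1, " \t"); tok; tok = strtok(NULL, " \t")) {
            if (tok[0] == '#')
                break;                      /* trailing comment */
            if (tok[0] == '[')
                continue;                   /* action such as [NOTFOUND=return] */
            if (strcmp(tok, source) == 0)
                return 1;
        }
        return 0;
    }
    return -1;
}

/* Live equivalent of `getent shadow USER`: 1 if the shadow entry resolves,
 * 0 if it does not.  Only meaningful as root; unprivileged callers are
 * denied shadow lookups regardless of configuration. */
int shadow_entry_visible(const char *user)
{
    return getspnam(user) != NULL;
}

int main(void)
{
    const char *user = "alice";   /* assumption: a hypothetical LDAP user */

    printf("sample 1, shadow via ldap: %d (0 = the misconfiguration)\n",
           nss_db_has_source(NSSWITCH_NO_LDAP_SHADOW, "shadow", "ldap"));
    printf("sample 2, shadow via ldap: %d\n",
           nss_db_has_source(NSSWITCH_LDAP_SHADOW, "shadow", "ldap"));

    if (geteuid() == 0)
        printf("shadow entry for %s visible: %d\n", user, shadow_entry_visible(user));
    else
        printf("not root; skipping the live getspnam() check\n");
    return 0;
}
```

To test a real host, read /etc/nsswitch.conf into a buffer and pass it to nss_db_has_source(); a 0 for the shadow database with a 1 for passwd is exactly the split Wouter describes, and the getspnam() check run as root confirms whether the LDAP user's shadow entry actually resolves.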

Message sent on to ben thielsen <btb@bitrate.net>:
Bug#545414. (Thu, 17 Sep 2009 21:27:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Wed, 30 Sep 2009 12:33:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Laurent yam Ollagnier <yam@xenbox.fr>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Wed, 30 Sep 2009 12:33:10 GMT) Full text and rfc822 format available.

Message #32 received at 545414@bugs.debian.org (full text, mbox):

From: Laurent yam Ollagnier <yam@xenbox.fr>
To: 545414@bugs.debian.org
Subject: way to reproduce
Date: Wed, 30 Sep 2009 14:23:21 +0200
[Message part 1 (text/plain, inline)]
Hi, 

I'm able to reproduce this bug on 3 debian testing.

sudo doesn't bug if nscd is running, and casts an error without it

-------------------
yam@flappy:~$ sudo echo test
test

flappy:~# /etc/init.d/nscd stop
Stopping Name Service Cache Daemon: nscd.

yam@flappy:~$ sudo echo test
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

flappy:~# /etc/init.d/nscd start
Starting Name Service Cache Daemon: nscd.

yam@flappy:~$ sudo echo test
test
--------------------

Cheers

--
yam
[signature.asc (application/pgp-signature, inline)]

Removed tag(s) unreproducible. Request was from Laurent yam Ollagnier <yam@xenbox.fr> to control@bugs.debian.org. (Wed, 30 Sep 2009 14:18:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Sun, 04 Oct 2009 12:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to vedran.furac@gmail.com:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sun, 04 Oct 2009 12:33:07 GMT) Full text and rfc822 format available.

Message #39 received at 545414@bugs.debian.org (full text, mbox):

From: Vedran Furač <vedran.furac@gmail.com>
To: 545414@bugs.debian.org
Subject: Can confirm this
Date: Sun, 04 Oct 2009 14:14:21 +0200
With users in ldap both su (to root) and sudo don't work when nscd is
not running.
Maybe unrelated, but here even with nscd running, su (from ldap user to
ldap user) isn't working:

foo@linux % su bar
Password:
initgroups: Operation not permitted






Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Thu, 26 Nov 2009 15:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Pascal Mainini <pascal@impressionet.ch>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 26 Nov 2009 15:51:08 GMT) Full text and rfc822 format available.

Message #44 received at 545414@bugs.debian.org (full text, mbox):

From: Pascal Mainini <pascal@impressionet.ch>
To: 545414@bugs.debian.org
Subject: Confirmed as well
Date: Thu, 26 Nov 2009 16:14:39 +0100
[Message part 1 (text/plain, inline)]
Hi there
just wanted to let you know that I have the same issue with su.
Without nscd running I get:

for a local user:
su: User not known to the underlying authentication module

for a user coming from ldap:
setgid: Operation not permitted

With running nscd, both work fine...

Kind regards,

Pascal

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Fri, 27 Nov 2009 11:12:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Rune Schjellerup Philosof <maillist@philosof.dk>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 27 Nov 2009 11:12:09 GMT) Full text and rfc822 format available.

Message #49 received at 545414@bugs.debian.org (full text, mbox):

From: Rune Schjellerup Philosof <maillist@philosof.dk>
To: 545414@bugs.debian.org
Subject: Related bug in Ubuntu
Date: Fri, 27 Nov 2009 11:32:17 +0100
A related bug exists in the Ubuntu bug system.
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/423252




Merged 368297 545414. Request was from Rune Schjellerup Philosof <rune@philosof.dk> to control@bugs.debian.org. (Tue, 16 Feb 2010 09:27:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Fri, 19 Feb 2010 18:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to miguel@ic.unicamp.br:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Fri, 19 Feb 2010 18:00:02 GMT) Full text and rfc822 format available.

Message #56 received at 545414@bugs.debian.org (full text, mbox):

From: "Miguel Di Ciurcio Filho" <miguel@ic.unicamp.br>
To: 545414@bugs.debian.org
Subject: Not a libc issue
Date: Fri, 19 Feb 2010 15:35:44 -0200 (BRST)
I have the same environment. Authenticating using LDAP users works fine
using nss_ldap in nsswitch.conf, but sudo and su do not work.

I've made this small C program as a test case:

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

int main(void) {
        /* test case: does setreuid() still work for an LDAP user inside a setuid-root binary? */
        if (setreuid(0, getuid()) == -1) {
                perror("setreuid");
                return EXIT_FAILURE;
        }
        printf("ID: %d (euid %d)\n", (int) getuid(), (int) geteuid());
        char *const argv[] = { "/bin/sh", NULL };   /* execv() requires a NULL-terminated argv */
        execv("/bin/sh", argv);
        perror("execv");
        return EXIT_FAILURE;
}

Compiled it as root, ran chmod +s on it and copied it to /usr/bin.

Running it with an LDAP user gives me a shell as root. So I believe the
problem really is sudo. I have no idea what nscd does that makes sudo
work.





Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#545414; Package sudo-ldap. (Sat, 01 May 2010 04:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ansgar Burchardt <ansgar@43-1.org>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sat, 01 May 2010 04:39:03 GMT) Full text and rfc822 format available.

Message #61 received at 545414@bugs.debian.org (full text, mbox):

From: Ansgar Burchardt <ansgar@43-1.org>
To: 545414@bugs.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sat, 01 May 2010 13:36:34 +0900
Hi,

this is caused by libgcrypt11 which drops root privileges under certain
conditions [1].  As libnss-ldap uses libgcrypt11 via openldap and
gnutls, any setuid program that does NSS lookups against an SSL-enabled
LDAP server will lose privileges [2].

Regards,
Ansgar

[1] <http://bugs.debian.org/566351>
[2] <http://bugs.debian.org/579647>
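To make Ansgar's explanation concrete, here is an added diagnostic; it is not code from the bug report, from sudo, from libgcrypt or from any Debian package. It goes through the same two steps sudo does: an NSS passwd lookup while still holding its privileges, then a setreuid() that assumes the effective uid from before the lookup is still available. The user name alice is a constructed assumption. As an ordinary process it reports intact privileges; the informative run is as a setuid-root binary on a scratch host configured with libnss-ldap against a TLS/SSL LDAP server, where the verdict should show the drop the thread describes.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Credential state around one NSS lookup. */
struct priv_probe {
    uid_t uid_before, euid_before;
    uid_t uid_after, euid_after;
    int entry_found;     /* 1 if getpwnam() returned an entry */
    int setreuid_errno;  /* errno from the follow-up setreuid(), 0 on success */
};

/* Reproduce the sequence sudo goes through: an NSS lookup while still
 * privileged, then a setreuid() that assumes those privileges survived.
 * Returns 1 if the effective uid is unchanged and can still be asserted,
 * 0 otherwise.  Run unprivileged this is always 1; built setuid root on a
 * host using libnss-ldap over TLS it is where the report's failure shows. */
int probe_privileges(const char *name, struct priv_probe *p)
{
    memset(p, 0, sizeof *p);
    p->uid_before = getuid();
    p->euid_before = geteuid();

    /* The lookup is the trigger: it loads the configured NSS modules
     * (libnss-ldap -> libldap -> gnutls -> libgcrypt in Ansgar's analysis). */
    struct passwd *pw = getpwnam(name);
    p->entry_found = (pw != NULL);

    p->uid_after = getuid();
    p->euid_after = geteuid();

    /* Re-assert the euid we started with.  Always allowed if nothing
     * changed; EPERM if a library dropped root (and the saved uid) for us. */
    if (setreuid((uid_t)-1, p->euid_before) == -1)
        p->setreuid_errno = errno;

    return p->euid_before == p->euid_after && p->setreuid_errno == 0;
}

/* One-line verdict for a probe result. */
const char *describe_probe(const struct priv_probe *p)
{
    if (p->euid_before != p->euid_after)
        return "effective uid changed during the NSS lookup";
    if (p->setreuid_errno == EPERM)
        return "setreuid refused after the NSS lookup";
    if (p->setreuid_errno != 0)
        return "setreuid failed for another reason";
    return "privileges intact";
}

int main(void)
{
    struct priv_probe p;
    const char *user = "alice";   /* assumption: a hypothetical LDAP user */

    probe_privileges(user, &p);
    printf("uid %d->%d, euid %d->%d, entry found: %d, setreuid errno: %d\n",
           (int)p.uid_before, (int)p.uid_after,
           (int)p.euid_before, (int)p.euid_after,
           p.entry_found, p.setreuid_errno);
    printf("verdict: %s\n", describe_probe(&p));
    return 0;
}
```

The probe separates the two symptoms seen in this thread: an euid that changes across the lookup is the library-side drop Ansgar points at, while an unchanged euid with a failing setreuid() points at something else (for instance the missing shadow source Wouter mentions). Running it with nscd started and stopped reproduces Laurent's observation, since a cache hit in nscd means the setuid process never loads the LDAP module itself.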




Bug reassigned from package 'sudo-ldap' to 'libldap-2.4-2'. Request was from bdale@gag.com (Bdale Garbee) to control@bugs.debian.org. (Thu, 07 Oct 2010 22:39:11 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions sudo/1.7.2-2 and sudo/1.6.8p12-4. Request was from bdale@gag.com (Bdale Garbee) to control@bugs.debian.org. (Thu, 07 Oct 2010 22:39:12 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Mon, 06 Dec 2010 16:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Adam <zanchey@ucc.gu.uwa.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 06 Dec 2010 16:15:06 GMT) Full text and rfc822 format available.

Message #70 received at 545414@bugs.debian.org (full text, mbox):

From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: 545414@bugs.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 6 Dec 2010 23:59:09 +0800 (WST)
This bit us on trial upgrades to Squeeze, and as this has not yet been 
fixed I would strongly recommend a section in the release notes on 
"Possible issues during upgrade" or "Issues to be aware of for squeeze", 
perhaps along the following lines:

"libnss-ldap and libpam-ldap: updates to the cryptography libraries mean
that any programs which attempt to change their effective privileges, 
including sudo(8), may fail when libnss-ldap is configured to use an LDAP 
server using TLS or SSL.

To work around this problem, you can replace libnss-ldap with 
libnss-ldapd, a newer library which uses a separate daemon (nslcd) for all 
LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.

Note that libnss-ldapd recommends the NSS caching daemon, nscd, which you 
should evaluate for suitability in your environment before installing.

Further information is available in bugs #566351 and #545414."

David Adam
UCC Wheel Member
zanchey@ucc.gu.uwa.edu.au




Added indication that 545414 affects release-notes Request was from David Adam <zanchey@ucc.gu.uwa.edu.au> to control@bugs.debian.org. (Mon, 06 Dec 2010 16:15:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Thu, 09 Dec 2010 21:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 09 Dec 2010 21:39:03 GMT) Full text and rfc822 format available.

Message #77 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>, 545414@bugs.debian.org
Subject: Re: [Pkg-openldap-devel] Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Thu, 09 Dec 2010 22:37:24 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
> This bit us on trial upgrades to Squeeze, and as this has not yet been 
> fixed I would strongly recommend a section in the release notes on 
> "Possible issues during upgrade" or "Issues to be aware of for squeeze", 
> perhaps along the following lines:

Attached is a patch for the release notes on this. I've used David's
text as a basis.

I've been thinking about encouraging more users to switch to
libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
is also better maintained. However, since I'm both the Debian maintainer
and upstream I'm a bit biased.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[release-notes-ldap-support.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Thu, 09 Dec 2010 22:30:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Dan White <dwhite@olp.net>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Thu, 09 Dec 2010 22:30:06 GMT) Full text and rfc822 format available.

Message #82 received at 545414@bugs.debian.org (full text, mbox):

From: Dan White <dwhite@olp.net>
To: Arthur de Jong <adejong@debian.org>, 545414@bugs.debian.org
Cc: David Adam <zanchey@ucc.gu.uwa.edu.au>
Subject: Re: Bug#545414: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Thu, 9 Dec 2010 16:07:43 -0600
On 09/12/10 22:37 +0100, Arthur de Jong wrote:
>On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
>> This bit us on trial upgrades to Squeeze, and as this has not yet been
>> fixed I would strongly recommend a section in the release notes on
>> "Possible issues during upgrade" or "Issues to be aware of for squeeze",
>> perhaps along the following lines:
>
>Attached is a patch for the release notes on this. I've used David's
>text as a basis.
>
>I've been thinking about encouraging more users to switch to
>libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
>is also better maintained. However, since I'm both the Debian maintainer
>and upstream I'm a bit biased.

I'll offer an unbiased +1 for libnss-ldapd.

-- 
Dan White




Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Fri, 10 Dec 2010 03:45:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to David Adam <zanchey@ucc.gu.uwa.edu.au>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Fri, 10 Dec 2010 03:45:06 GMT) Full text and rfc822 format available.

Message #87 received at 545414@bugs.debian.org (full text, mbox):

From: David Adam <zanchey@ucc.gu.uwa.edu.au>
To: Dan White <dwhite@olp.net>
Cc: Arthur de Jong <adejong@debian.org>, 545414@bugs.debian.org
Subject: Re: Bug#545414: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Fri, 10 Dec 2010 11:42:59 +0800 (WST)
[Message part 1 (text/plain, inline)]
On Thu, 9 Dec 2010, Dan White wrote:
> On 09/12/10 22:37 +0100, Arthur de Jong wrote:
> > On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
> > > This bit us on trial upgrades to Squeeze, and as this has not yet been
> > > fixed I would strongly recommend a section in the release notes on
> > > "Possible issues during upgrade" or "Issues to be aware of for squeeze",
> > > perhaps along the following lines:
> > 
> > Attached is a patch for the release notes on this. I've used David's
> > text as a basis.
> > 
> > I've been thinking about encouraging more users to switch to
> > libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
> > is also better maintained. However, since I'm both the Debian maintainer
> > and upstream I'm a bit biased.
> 
> I'll offer an unbiased +1 for libnss-ldapd.

Having thought about this a bit more, I'm nominating this for RC status. 
This bug potentially locks administrators out of their own systems if they 
upgrade and then close their root session or reboot without any way of 
logging in as root directly (which many sites consider best practice).

As well as sudo(8) and su(8), it also affects Apache's suexec and atd(8).

libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I 
am still a touch wary of libnss-ldapd, only in that adding the daemon 
introduces an additional point of failure, but have been running it on 
our Ubuntu and squeeze systems with zero problems.

David Adam
UCC Wheel Member
zanchey@ucc.gu.uwa.edu.au

Severity set to 'grave' from 'important' Request was from David Adam <zanchey@ucc.gu.uwa.edu.au> to control@bugs.debian.org. (Fri, 10 Dec 2010 03:51:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Fri, 10 Dec 2010 14:33:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Fri, 10 Dec 2010 14:33:17 GMT) Full text and rfc822 format available.

Message #94 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc: Dan White <dwhite@olp.net>, 545414@bugs.debian.org
Subject: Re: Bug#545414: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Fri, 10 Dec 2010 15:31:48 +0100
[Message part 1 (text/plain, inline)]
On Fri, 2010-12-10 at 11:42 +0800, David Adam wrote:
> libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I 
> am still a touch wary of libnss-ldapd, only in that adding the daemon 
> introduces an additional point of failure, but have been running it on 
> our Ubuntu and squeeze systems with zero problems.

I agree that adding an extra interface opens a possibility for problems
but it also allows for better separation. If the daemon is not running
more things could go wrong and I welcome improvements for that (e.g.
possibly starting earlier during the boot sequence and polling the LDAP
server until it is available, or improved availability during upgrades).
On the other hand its operation is much simpler than with nss_ldap
because the daemon can hold some state as to whether the LDAP server is
available or not and failure when the LDAP server is unavailable is much
faster (will not hang the whole system).

Also, the daemon always runs as an unprivileged user and security of the
LDAP authentication credentials (bind password) is much more robust.

There are some differences between nss_ldap on one end and nss-pam-ldapd
on the other. nss-pam-ldapd does not currently support nested groups and
has less features in the password changing operation so it's not a
drop-in replacement for all configurations (yet).

I've also been using it without problems. There are some issues when
using Microsoft Active Directory (memory leak when chasing referrals and
a problem in the timeout handling) but I've personally had less issues
with nss-ldapd than with nss_ldap.

I don't know if it's possible (or wise) to automatically upgrade from
libnss-ldap to libnss-ldapd on a lenny->squeeze upgrade but for people
who switch it should already be quite smooth (configuration is migrated
automatically in most cases).

If no-one thinks it is a bad idea I can change the earlier text to be a
recommendation to switch to nss-pam-ldapd instead of a proposed
workaround.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Sat, 25 Dec 2010 20:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Sat, 25 Dec 2010 20:24:03 GMT) Full text and rfc822 format available.

Message #99 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: David Adam <zanchey@ucc.gu.uwa.edu.au>
Cc: 545414@bugs.debian.org
Subject: Re: severity 545414
Date: Sat, 25 Dec 2010 21:20:24 +0100
[Message part 1 (text/plain, inline)]
severity 545414 important
kthxbye

On Fri, Dec 10, 2010 at 11:49:21 +0800, David Adam wrote:

> severity 545414 grave
> thanks
> 
Reverting unexplained severity change.

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Severity set to 'important' from 'grave' Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Sat, 25 Dec 2010 20:24:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Mon, 27 Dec 2010 15:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 27 Dec 2010 15:18:02 GMT) Full text and rfc822 format available.

Message #106 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: 545414@bugs.debian.org
Cc: release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 27 Dec 2010 16:15:38 +0100
[Message part 1 (text/plain, inline)]
On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> If no-one thinks it is a bad idea I can change the earlier text to be a
> recommendation to switch to nss-pam-ldapd instead of a proposed
> workaround.

I've updated the patch to the release notes (attached) to become a
recommendation to switch to nss-pam-ldapd.

Note that I don't think this will totally fix the problem with sudo-ldap
(haven't checked) because it will still do LDAP searches to retrieve the
sudoers information. If those searches go over SSL/TLS the problem will
still be triggered.

Dear release notes team, should this change be committed to the release
notes?

Also, do you think it is a good idea to highlight the switch to
nss-pam-ldapd a bit more in the "What's new" section? I think it should
also be a good idea to switch for people not affected by this specific
problem. I can provide a patch if needed.

Thanks.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[release-notes-ldap-support.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Mon, 27 Dec 2010 15:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 27 Dec 2010 15:39:03 GMT) Full text and rfc822 format available.

Message #111 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Arthur de Jong <adejong@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 27 Dec 2010 16:36:32 +0100
[Message part 1 (text/plain, inline)]
On Mon, Dec 27, 2010 at 16:15:38 +0100, Arthur de Jong wrote:

> On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> > If no-one thinks it is a bad idea I can change the earlier text to be a
> > recommendation to switch to nss-pam-ldapd instead of a proposed
> > workaround.
> 
> I've updated the patch to the release notes (attached) to become a
> recommendation to switch to nss-pam-ldapd.
> 
Thanks.

[snip]
> 
> Also, do you think it is a good idea to highlight the switch to
> nss-pam-ldapd a bit more in the "What's new" section? I think it should
> also be a good idea to switch for people not affected by this specific
> problem. I can provide a patch if needed.
> 
Sounds like a good plan to me.

> Index: en/issues.dbk
> ===================================================================
> --- en/issues.dbk	(revision 7951)
> +++ en/issues.dbk	(working copy)
> @@ -12,7 +12,7 @@
>  
>  <section id="problems">
>  <title>Potential problems</title>
> -<para> 
> +<para>
>  Sometimes, changes introduced in a new release have side-effects
>  we cannot reasonably avoid, or they expose
>  bugs somewhere else. This section documents issues we are aware of.  Please also

Unrelated, please drop this hunk.

> @@ -434,6 +434,40 @@
>  </para>
>  </section>
>  
> +<section id="ldap">
> +  <title><acronym>LDAP</acronym> support</title>
> +  <indexterm><primary>LDAP</primary></indexterm>
> +  <para>
> +    A feature in the cryptography libraries used in the
> +    <acronym>LDAP</acronym> libraries causes programs that use
> +    <acronym>LDAP</acronym> and attempt to change their effective
> +    privileges to fail when connecting to an <acronym>LDAP</acronym>
> +    server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
> +    This can cause problems for <command>sudo</command> and
> +    <command>su</command> when using
> +    <systemitem role="package">libnss-ldap</systemitem> or
> +    with <systemitem role ="package">sudo-ldap</systemitem>.

I think schroot may be affected as well (#589884).

> +  </para>
> +  <para>
> +    It is recommended to replace the
> +    <systemitem role="package">libnss-ldap</systemitem> package with
> +    <systemitem role="package">libnss-ldapd</systemitem>, a newer library
> +    which uses separate daemon (<command>nslcd</command>) for all
> +    <acronym>LDAP</acronym> lookups. The replacement for
> +    <systemitem role="package">libpam-ldap</systemitem> is
> +    <systemitem role="package">libpam-ldapd</systemitem>.
> +  </para>
> +  <para>
> +    Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> +    the NSS caching daemon (<command>nscd</command>) which you should evaluate
> +    for suitability in your environment before installing.

Maybe mention unscd here, it's supposedly less crashy than nscd.

> +  </para>
> +  <para>
> +    Further information is available in bugs
> +    <ulink url="&url-bts;566351">#566351</ulink> and
> +    <ulink url="&url-bts;545414">#545414</ulink>.
> +  </para>
> +</section>
>  
>  <section id="kde-desktop-changes" condition="fixme">
>  <title>KDE desktop</title>
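Review bot: "uses separate daemon (nslcd)" in the libnss-ldapd paragraph is missing an article; make it "uses a separate daemon (<command>nslcd</command>) for all LDAP lookups". Two smaller points in the same hunk: `<systemitem role ="package">sudo-ldap</systemitem>` has a stray space before `=` that none of the other systemitem elements have, and "A feature in the cryptography libraries used in the LDAP libraries" is too vague for an affected admin to search on; the later analysis in this bug (message #171) identifies the component as libgcrypt's secure-memory setup, which drops privileges in setuid programs when GCRYCTL_DISABLE_SECMEM has not been set, so naming libgcrypt here would make the paragraph actionable.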

Thanks for the patch!

Cheers,
Julien

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Mon, 27 Dec 2010 16:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 27 Dec 2010 16:42:03 GMT) Full text and rfc822 format available.

Message #116 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 27 Dec 2010 17:39:25 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2010-12-27 at 16:36 +0100, Julien Cristau wrote:
> > Also, do you think it is a good idea to highlight the switch to
> > nss-pam-ldapd a bit more in the "What's new" section? I think it should
> > also be a good idea to switch for people not affected by this specific
> > problem. I can provide a patch if needed.
>  
> Sounds like a good plan to me.

I will prepare a patch (or would you prefer something in the
NewInSqueeze wiki page?).

Do you want me to commit this part (new version attached)?

> >  <title>Potential problems</title>
> > -<para> 
> > +<para>
> >  Sometimes, changes introduced in a new release have side-effects
>
> Unrelated, please drop this hunk.

Oops, editor automatically removing trailing spaces.

> I think schroot may be affected as well (#589884).

Rephrased a bit and added schroot.

> > +    Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> > +    the NSS caching daemon (<command>nscd</command>) which you should evaluate
> > +    for suitability in your environment before installing.
> 
> Maybe mention unscd here, it's supposedly less crashy than nscd.

I didn't think unscd would make it into squeeze but it's great that it
will. I've added a line about unscd. I'm using unscd on my box without
issues but then again, I never really ran into major issues with nscd.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[release-notes-ldap-support.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Mon, 27 Dec 2010 16:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 27 Dec 2010 16:45:03 GMT) Full text and rfc822 format available.

Message #121 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Arthur de Jong <adejong@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 27 Dec 2010 17:43:37 +0100
[Message part 1 (text/plain, inline)]
On Mon, Dec 27, 2010 at 17:39:25 +0100, Arthur de Jong wrote:

> I will prepare a patch (or would you prefer something in the
> NewInSqueeze wiki page?).
> 
A patch would be good, I think.

> Do you want me to commit this part (new version attached)?
> 
For this one:
Acked-by: Julien Cristau <jcristau@debian.org>

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Bug reassigned from package 'libldap-2.4-2' to 'libgcrypt11'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 31 Dec 2010 22:09:05 GMT) Full text and rfc822 format available.

Forcibly Merged 368297 545414 566351. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 31 Dec 2010 22:09:06 GMT) Full text and rfc822 format available.

Added indication that 545414 affects libldap-2.4-2 Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Fri, 31 Dec 2010 22:09:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Sun, 02 Jan 2011 12:12:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 02 Jan 2011 12:12:06 GMT) Full text and rfc822 format available.

Message #132 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sun, 02 Jan 2011 13:08:48 +0100
[Message part 1 (text/plain, inline)]
On Mon, 2010-12-27 at 17:43 +0100, Julien Cristau wrote:
> On Mon, Dec 27, 2010 at 17:39:25 +0100, Arthur de Jong wrote:
> > I will prepare a patch (or would you prefer something in the
> > NewInSqueeze wiki page?).
>
> A patch would be good, I think.

Attached is my proposal for the "What's new in Debian" section.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[release-notes-new-ldap.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Sun, 02 Jan 2011 12:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sun, 02 Jan 2011 12:27:06 GMT) Full text and rfc822 format available.

Message #137 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Arthur de Jong <adejong@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sun, 2 Jan 2011 13:24:53 +0100
[Message part 1 (text/plain, inline)]
On Sun, Jan  2, 2011 at 13:08:48 +0100, Arthur de Jong wrote:

> +<section id="ldap">
> +  <title><acronym>LDAP</acronym> support</title>
> +  <indexterm><primary>LDAP</primary></indexterm>
> +  <para>
> +    With this release Debian comes with several options for implementing
> +    client-side authentication using LDAP.
> +    Users of the <systemitem role="package">libnss-ldap</systemitem> and
> +    <systemitem role="package">libpam-ldap</systemitem> packages are
> +    recommended to consider upgrading to

should consider?

> +    <systemitem role="package">libnss-ldapd</systemitem> and
> +    <systemitem role="package">libpam-ldapd</systemitem>.
> +  </para>
> +  <para>
> +    These newer packages delegate the <acronym>LDAP</acronym> queries to a central unprivileged
> +    daemon (<command>nslcd</command>) that provides separation between the process using the <acronym>LDAP</acronym>
> +    information and the daemon performing <acronym>LDAP</acronym> queries. This simplifies
> +    handling of secured <acronym>LDAP</acronym> connections,
> +    <acronym>LDAP</acronym> authentication credentials, provides a simpler
> +    mechanism to perform connection  fail-over and debugging and avoids

doubled space

> +    loading <acronym>LDAP</acronym> and related libraries into most
> +    applications.
> +  </para>
> +  <para>
> +    Upgrading to <systemitem role="package">libnss-ldapd</systemitem> and
> +    <systemitem role="package">libpam-ldapd</systemitem> should be easy
> +    as existing configuration information will be re-used mostly.

will be mostly reused?

> +    Only for advanced configuration should any manual reconfiguration be
> +    necessary.
> +  </para>
> +  <para>
> +    These packages however currently lack support for nested groups and only
> +    support password change using the <acronym>LDAP</acronym> password modify
> +    EXOP operation.
> +  </para>
> +</section>
> +
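Review bot: this section reuses `<section id="ldap">`, the same id that the "Potential problems" hunk earlier in this bug adds to the issues chapter; if both files are built into one release-notes book, the duplicate id fails validation and any cross-reference to it becomes ambiguous, so give this one a distinct id (something like `ldap-whats-new`, name is only a suggestion). Minor: "client-side authentication using LDAP" in the first paragraph is the only LDAP in the section not wrapped in `<acronym>`.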

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Wed, 05 Jan 2011 21:45:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 05 Jan 2011 21:45:08 GMT) Full text and rfc822 format available.

Message #142 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Julien Cristau <jcristau@debian.org>, 545414@bugs.debian.org
Cc: release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Wed, 05 Jan 2011 22:43:39 +0100
[Message part 1 (text/plain, inline)]
Thanks for your remarks and sorry for the somewhat slow response.

I've used your comments to update the patch (see attachment).

Btw, do you know if there is some style guide available for the release
notes (or general info)?

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[release-notes-new-ldap.patch (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Sat, 08 Jan 2011 19:24:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Sat, 08 Jan 2011 19:24:04 GMT) Full text and rfc822 format available.

Message #147 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Arthur de Jong <adejong@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Sat, 8 Jan 2011 20:21:58 +0100
[Message part 1 (text/plain, inline)]
On Wed, Jan  5, 2011 at 22:43:39 +0100, Arthur de Jong wrote:

> Thanks for your remarks and sorry for the somewhat slow response.
> 
> I've used your comments to update the patch (see attachment).
> 
Acked-by: Julien Cristau <jcristau@debian.org>

> Btw, do you know if there is some style guide available for the release
> notes (or general info)?
> 
None that I know of :(

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Mon, 10 Jan 2011 20:51:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 10 Jan 2011 20:51:11 GMT) Full text and rfc822 format available.

Message #152 received at 545414@bugs.debian.org (full text, mbox):

From: Arthur de Jong <adejong@debian.org>
To: Julien Cristau <jcristau@debian.org>
Cc: 545414@bugs.debian.org, release-notes@packages.debian.org
Subject: Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Date: Mon, 10 Jan 2011 21:49:25 +0100
[Message part 1 (text/plain, inline)]
On Sat, 2011-01-08 at 20:21 +0100, Julien Cristau wrote:
> On Wed, Jan  5, 2011 at 22:43:39 +0100, Arthur de Jong wrote:
> > I've used your comments to update the patch (see attachment).
> 
> Acked-by: Julien Cristau <jcristau@debian.org>

I've committed it.

I've also asked Petter Reinholdtsen if he can add something about
libnss-sss and libpam-sss. Those packages can also be used to do LDAP
lookups. He doesn't have much time ATM so perhaps I'll try to write some
bits instead. I don't have first-hand experience with those packages
though.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Forcibly Merged 368297 545414 566351 579647 601667. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 20:21:06 GMT) Full text and rfc822 format available.

Removed indication that 545414 affects libldap-2.4-2 Added indication that 545414 affects libnss-ldap Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 21 May 2011 20:21:08 GMT) Full text and rfc822 format available.

Forcibly Merged 368297 545414 566351 579647 601667 628671. Request was from Nicolas François <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Sat, 25 Jun 2011 10:42:13 GMT) Full text and rfc822 format available.

Added tag(s) d-i and patch. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:11 GMT) Full text and rfc822 format available.

Merged 368297 545414 566351 579647 601667 628671 658896 Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:13 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'normal' Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Wed, 23 Jan 2013 12:27:08 GMT) Full text and rfc822 format available.

Merged 368297 545414 566351 579647 601667 628671 658896 Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Wed, 23 Jan 2013 17:54:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Thu, 24 Jan 2013 23:48:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 24 Jan 2013 23:48:05 GMT) Full text and rfc822 format available.

Message #171 received at 545414@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Andreas Metzler <ametzler@downhill.at.eu.org>, adam.stokes@canonical.com
Cc: 368297@bugs.debian.org, 545414@bugs.debian.org, 566351@bugs.debian.org, 579647@bugs.debian.org, 601667@bugs.debian.org, 628671@bugs.debian.org, 658896@bugs.debian.org, pkg-openldap-devel@lists.alioth.debian.org, pkg-gnutls-maint@lists.alioth.debian.org, control@bugs.debian.org
Subject: [PATCH] Fix dropping privileges issue on setuid programs on systems with PAM/LDAP and GnuTLS/libgcrypt
Date: Fri, 25 Jan 2013 00:44:21 +0100
[Message part 1 (text/plain, inline)]
reassign 368297 libldap-2.4 2.4.31-1
thanks

Hi!


I have been digging on this issue and I found the ultimate cause of this
problem.


When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> runs on
a system configured with PAM/LDAPs, it chains into libldap, which uses
GnuTLS/libgcrypt to manage the TLS channel.


The problem is that when OpenLDAP calls gnutls_global_init(), this
function does nothing because OpenLDAP had previously already
initialized libgcrypt at some point on the stack (probably by mistake).

So, gnutls_global_init() checks that some basic initialization of
libgcrypt was already done and skips any further action completely.

The problem is that gnutls_global_init() is supposed to set the flag
GCRYCTL_DISABLE_SECMEM which disables both the use of secure memory
*and* the "feature" of dropping privileges that libgcrypt has. [1]

So, what is happening is that the initialization of libgcrypt is not
being done as expected.

I cooked a very small patch that, just after calling
gnutls_global_init(), checks whether the initialization was successful and,
if it was not, sets this flag (DISABLE_SECMEM).

I understand that (perhaps) the right fix could be to patch GnuTLS to
check for INITIALIZATION_FINISHED instead of ANY_INITIALIZATION. But
there are two problems with this:

 * One is that this could introduce some regression or bug in some
program that could be (wrongly) relying on this "feature" of GnuTLS.
Keep in mind that this code has been there since the beginning of the
project (I was blaming the git repository).

 * The second problem is that GnuTLS (upstream) has completely dropped
support for libgcrypt (they even removed the code). So IMHO it doesn't
make sense to fix GnuTLS at this point. For Jessie, GnuTLS should
switch to nettle, and OpenLDAP will have to switch to a crypto library
other than libgcrypt, or will have to patch the file
libraries/libldap/tls_g.c to stop using any GnuTLS code.


So, for the moment (Wheezy) I think the best approach to solve this bug
is to apply the small patch for OpenLDAP that I'm attaching.
It is the least intrusive approach to fix this bug. It doesn't need to
touch anything in GnuTLS or libgcrypt. It is really fixing the problem
where it is: OpenLDAP is not setting DISABLE_SECMEM when initializing
libgcrypt.

The approach taken by Ubuntu, to patch libgcrypt (LP: #423252), already
caused some regressions (LP: #1013798)


If someone wants to try it, I have uploaded the debs (AMD64) and the
sources to this URL:

http://ftp.neutrino.es/debian/OpenLDAP/


I tested that with this small patch the problem goes completely away.

Example of test:
----------------
1) Install current libldap-2.4-2 from Wheezy and test sudo:
root ~ # apt-get install --reinstall libldap-2.4-2=2.4.31-1

clopez ~ $ sudo whoami
[sudo] password for clopez:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to open /var/lib/sudo/clopez/8: Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to execute /usr/bin/whoami: Operation not permitted


2) Install fixed libldap-2.4-2 and test sudo:
root ~ # wget
http://ftp.neutrino.es/debian/OpenLDAP/libldap-2.4-2_2.4.31-1.1_amd64.deb
root ~ # dpkg -i libldap-2.4-2_2.4.31-1.1_amd64.deb


clopez ~ $ sudo whoami
[sudo] password for clopez:
root
-------------

Therefore I'm reassigning this bug to libldap-2.4 (src:OpenLDAP)

Attached is also a debdiff for src:OpenLDAP


Read the comments inside the patch for further information.


I'm CC'ing the libgcrypt/OpenLDAP/GnuTLS maintainers and will later be
reporting this on Ubuntu's LP.



Regards!
--------

[1]
http://lists.debian.org/debian-devel/2010/03/msg00298.html
https://bugs.g10code.com/gnupg/issue1181
[debdiff_openldap_fix-dropping-privileges-by-libgcrypt-secmem.debdiff (text/plain, attachment)]
[fix-dropping-privileges-by-libgcrypt-secmem.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, attachment)]
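As an added diagnostic (not code from this bug report, nor from any Debian package), the following POSIX shell script checks whether a client is in the configuration the thread describes as affected: passwd/group/shadow (or sudoers, for sudo-ldap) resolved by the in-process `ldap` NSS module rather than `ldapd`/nslcd, combined with a TLS-protected directory connection (an `ldaps://` URI, or `ssl start_tls` / `ssl on` in libnss-ldap's ldap.conf). The file paths are passed as arguments, the directive names assumed are those of libnss-ldap/libpam-ldap's ldap.conf, and the sample files written by `demo_run` are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic, not code from the bug report or from any Debian package.
# It flags the client configuration #545414 bites on: passwd/group/shadow
# (or sudoers) served by the in-process "ldap" NSS module while the client
# talks to the directory over TLS, which is what pulls libldap + GnuTLS +
# libgcrypt into setuid programs such as sudo, su and passwd.
# On a real host the arguments would be /etc/nsswitch.conf and
# /etc/ldap.conf (libnss-ldap); the paths are assumptions, not defaults.
#
# Exit status of ldap_secmem_risk:  0 = at risk   1 = not affected   2 = unreadable file

# Drop comment and blank lines so a commented-out "uri ldaps://" is ignored.
strip_comments() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# 0 if any passwd/group/shadow/sudoers line lists the in-process "ldap" module.
# "ldapd" (nslcd, the replacement recommended in this bug) must NOT match,
# hence the whitespace boundaries on both sides of the module name.
nss_uses_inprocess_ldap() {
    strip_comments "$1" \
        | grep -E '^[[:space:]]*(passwd|group|shadow|sudoers)[[:space:]]*:' \
        | grep -Eq '(^|[[:space:]])ldap([[:space:]]|$)'
}

# 0 if the client enables TLS: an ldaps:// URI, or the "ssl on" /
# "ssl start_tls" directive of libnss-ldap/libpam-ldap ("ssl off" does not match).
ldap_client_uses_tls() {
    strip_comments "$1" \
        | grep -Eiq '^[[:space:]]*(uri[[:space:]].*ldaps://|ssl[[:space:]]+(on|start_tls)([[:space:]]|$))'
}

ldap_secmem_risk() {
    nsswitch=$1
    ldapconf=$2
    if [ ! -r "$nsswitch" ] || [ ! -r "$ldapconf" ]; then
        echo "cannot read $nsswitch or $ldapconf" >&2
        return 2
    fi
    if nss_uses_inprocess_ldap "$nsswitch" && ldap_client_uses_tls "$ldapconf"; then
        echo "AT RISK: in-process nss/pam ldap module over TLS; setuid programs (sudo, su, passwd) will fail to regain root (#545414). Switch to libnss-ldapd/libpam-ldapd (nslcd)."
        return 0
    fi
    echo "not affected: NSS does not use the in-process ldap module, or the LDAP client does not use TLS"
    return 1
}

# Demo on constructed sample files (not copied from any real host).
demo_run() {
    d=$(mktemp -d)
    cat > "$d/nsswitch.conf" <<'EOF'
# constructed sample nsswitch.conf
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns
EOF
    cat > "$d/ldap.conf" <<'EOF'
# constructed sample ldap.conf (libnss-ldap syntax)
base dc=example,dc=org
uri ldaps://ldap.example.org/
ssl on
EOF
    ldap_secmem_risk "$d/nsswitch.conf" "$d/ldap.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}
```

The check only inspects configuration; the authoritative test remains running `sudo whoami` as a directory user, as in the session quoted above. A "not affected" verdict on a host that lists `ldapd` in nsswitch.conf reflects the workaround the thread recommends: nslcd keeps libldap, GnuTLS and libgcrypt out of the setuid process entirely, so libgcrypt's secure-memory setup never runs with mismatched real and effective uids.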

Bug reassigned from package 'libgcrypt11' to 'libldap-2.4'. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:19 GMT) Full text and rfc822 format available.

No longer marked as found in versions libgcrypt11/1.4.4-6. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:21 GMT) Full text and rfc822 format available.

Marked as found in versions 2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:23 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libldap-2.4' to 'libldap-2.4-2'. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:10 GMT) Full text and rfc822 format available.

No longer marked as found in versions 2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:12 GMT) Full text and rfc822 format available.

Marked as found in versions openldap/2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:15 GMT) Full text and rfc822 format available.

Unset Bug forwarded-to-address Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 04:27:03 GMT) Full text and rfc822 format available.

Merged 368297 545414 566351 579647 601667 628671 658739 658896 Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Tue, 05 Feb 2013 03:24:16 GMT) Full text and rfc822 format available.

Removed tag(s) d-i. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 20 Feb 2013 11:33:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#545414; Package libldap-2.4-2. (Tue, 12 Mar 2013 11:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Chris Lewis <clewis@inview.co.uk>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Tue, 12 Mar 2013 11:51:03 GMT) Full text and rfc822 format available.

Message #194 received at 545414@bugs.debian.org (full text, mbox):

From: Chris Lewis <clewis@inview.co.uk>
To: <545414@bugs.debian.org>
Subject: Worked for me
Date: Tue, 12 Mar 2013 11:47:54 +0000
Hi Carlos,

Worked for me as per your test.

Many Thanks

Chris

-- 
Chris Lewis

Systems Administrator
Inview Technology Ltd.

Bug reassigned from package 'libldap-2.4-2' to 'libgcrypt11'. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2013 18:39:05 GMT) Full text and rfc822 format available.

No longer marked as found in versions openldap/2.4.31-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2013 18:39:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#545414; Package libgcrypt11. (Mon, 22 Apr 2013 16:33:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 22 Apr 2013 16:33:20 GMT) Full text and rfc822 format available.

Message #203 received at 545414@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Carlos Alberto Lopez Perez <clopez@igalia.com>, 368297@bugs.debian.org
Cc: Andreas Metzler <ametzler@downhill.at.eu.org>, adam.stokes@canonical.com, 545414@bugs.debian.org, 566351@bugs.debian.org, 579647@bugs.debian.org, 601667@bugs.debian.org, 628671@bugs.debian.org, 658896@bugs.debian.org, pkg-openldap-devel@lists.alioth.debian.org, pkg-gnutls-maint@lists.alioth.debian.org, control@bugs.debian.org
Subject: Re: Bug#368297: [PATCH] Fix dropping privileges issue on setuid programs on systems with PAM/LDAP and GnuTLS/libgcrypt
Date: Mon, 22 Apr 2013 18:30:11 +0200
[Message part 1 (text/plain, inline)]
tags 368297 + wheezy-ignore
user release.debian.org@packages.debian.org
usertag 368297 + wheezy-can-defer

On Fri, Jan 25, 2013 at 00:44:21 +0100, Carlos Alberto Lopez Perez wrote:

> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
> a system configured with PAM/LDAPs it chains into libldap, which uses
> GnuTLS/libgcrypt to manage the TLS channel.
> 
So I've tried to reproduce that, by installing sudo-ldap, slapd,
lib{nss,pam}-ldap, ssl-cert and configuring stuff to use
ldaps://localhost.  Seems like things work when the user is in
/etc/passwd, and fail if they're in ldap.
The failure goes away when switching to lib{nss,pam}-ldapd, which was
already the recommended workaround for this bug in squeeze.

I understand that some use cases aren't supported by this alternative,
but:
- AIUI this was already the case in squeeze
- the way forward is probably to improve on them, for jessie, not try
  and keep lib{nss,pam}-ldap around indefinitely

Cheers,
Julien
[signature.asc (application/pgp-signature, inline)]

Added tag(s) wheezy-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 22 Apr 2013 16:33:37 GMT) Full text and rfc822 format available.

Added tag(s) squeeze-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 06 Nov 2013 02:33:17 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 13:21:43 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.