Debian Bug report logs - #658896
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted

Package: libgcrypt11; Maintainer for libgcrypt11 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libgcrypt11 is src:libgcrypt11.

Reported by: W Forum W <wforumw@gmail.com>

Date: Mon, 6 Feb 2012 16:15:02 UTC

Severity: serious

Tags: help, patch, squeeze-ignore, wheezy-ignore

Merged with 368297, 545414, 566351, 579647, 601667, 628671, 658739



Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Mon, 06 Feb 2012 16:15:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to W Forum W <wforumw@gmail.com>:
New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 06 Feb 2012 16:15:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: W Forum W <wforumw@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
Date: Mon, 6 Feb 2012 17:05:10 +0100
Package: sudo
Version: 1.8.3p2-1
Severity: important
Tags: d-i

After upgrading sudo from 1.7.4p4-2.squeeze.2 to 1.8.3p2-1, I always get this
error when I try, as a user, to run sudo -i:
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
sudo: unable to open /var/lib/sudo/user/2: Operation not permitted
sudo: unable to set gid to runas gid 0: Operation not permitted
sudo: unable to execute /bin/bash: Operation not permitted

To test, I installed the old version (sudo_1.7.4p4-2.squeeze) again and
everything works fine again.
The user is authenticated over LDAP.




-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libc6           2.13-24
ii  libpam-modules  1.1.3-6
ii  libpam0g        1.1.3-6
ii  libselinux1     2.1.0-4.1

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Sat, 10 Mar 2012 18:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Sat, 10 Mar 2012 18:45:04 GMT) Full text and rfc822 format available.

Message #10 received at 658896@bugs.debian.org (full text, mbox):

From: Sam Morris <sam@robots.org.uk>
To: 658896-submitter@bugs.debian.org
Cc: 658896@bugs.debian.org
Subject: Re: sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
Date: Sat, 10 Mar 2012 18:41:23 +0000
This is probably the same as #368297. The workaround is to replace
libnss-ldap with libnss-ldapd, nslcd and unscd/nscd. Please let me know
if that does/does not work.

-- 
Sam Morris <https://robots.org.uk/>
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078

Message sent on to W Forum W <wforumw@gmail.com>:
Bug#658896. (Sat, 10 Mar 2012 18:45:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Mon, 19 Mar 2012 23:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to banerian@u.washington.edu:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 19 Mar 2012 23:51:08 GMT) Full text and rfc822 format available.

Message #18 received at 658896@bugs.debian.org (full text, mbox):

From: "S. Banerian" <banerian@u.washington.edu>
To: 658896@bugs.debian.org
Subject: Re: sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted.
Date: Mon, 19 Mar 2012 16:33:55 -0700
Replacing libnss-ldap with libnss-ldapd and nscd with nslcd does not
fix the problem.

Related bug report is significant:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739

This work-around was found to work on arch x86_64 / amd64.


-- 
A. Because it breaks the logical sequence of discussion
Q. Why is top posting bad?
S. Banerian
206-598-0302
UWMC Radiation Oncology
gpg key 6642E7EE
fingerprint = BD13 875D 2D03 5E1D 1E3B  8BF7 F4B8 63AD 6642 E7EE



Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Tue, 21 Aug 2012 22:12:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Brian Kroth <bpkroth@gmail.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 21 Aug 2012 22:12:09 GMT) Full text and rfc822 format available.

Message #23 received at 658896@bugs.debian.org (full text, mbox):

From: Brian Kroth <bpkroth@gmail.com>
To: 658896@bugs.debian.org
Subject: ldapd not a good workaround
Date: Tue, 21 Aug 2012 17:09:24 -0500
FYI, this is affecting our systems as well. So far as I can tell, we
can't use the nslcd stuff as a workaround because that prevents using
separate ldap confs for auth in pam (e.g. pam_ldap.so
config=/etc/pam_ldap.conf.special), which allows us to construct
different ldap filters, base searches, proxy configs, ssl vs. tls, etc.
for authenticating users for different services separately.

In particular we like to use that to allow sudo to authenticate against
a shadow object of the usual user, so that they can have a separate
password for their sudo access, and to filter the users that it will even
authenticate to those with a particular ldap acl attribute before it
even consults the sudoers file.

If you need help testing out other ldap/ssl/tls fixes let me know.

Thanks,
Brian

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Thu, 15 Nov 2012 15:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Martijn van Brummelen" <martijn@brumit.nl>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Thu, 15 Nov 2012 15:42:06 GMT) Full text and rfc822 format available.

Message #28 received at 658896@bugs.debian.org (full text, mbox):

From: "Martijn van Brummelen" <martijn@brumit.nl>
To: 658896@bugs.debian.org
Subject: Patch from Ubuntu
Date: Thu, 15 Nov 2012 16:32:25 +0100
I rebuilt Wheezy's version of libgcrypt11_1.5.0-3 with the
patch (no_global_init_during_thread_callbacks.diff) from Ubuntu.
I can confirm the new patched version of libgcrypt solves this problem,
and I am able to use sudo again.

Can someone review this patch and see if it would be a suitable solution
to fix this problem?

If needed I can prepare a NMU.

Regards,
Martijn van Brummelen
[no_global_init_during_thread_callbacks.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Tue, 15 Jan 2013 12:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Tue, 15 Jan 2013 12:09:03 GMT) Full text and rfc822 format available.

Message #33 received at 658896@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: 658896@bugs.debian.org, control@bugs.debian.org
Subject: RE: sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
Date: Tue, 15 Jan 2013 13:05:15 +0100
found 658896 1.8.5p2-1
severity 658896 serious
thanks
justification: Renders the package unusable on systems with LDAP/PAM


Hi!


I can confirm this bug. On a Wheezy system with nscd and libnss-ldap it is
impossible to use sudo.


# apt-cache policy sudo
sudo:
  Installed: 1.8.5p2-1
  Candidate: 1.8.5p2-1
  Version table:
 *** 1.8.5p2-1 0
        500 http://debian/debian/ sid/main amd64 Packages
        500 http://debian/debian/ testing/main amd64 Packages
        100 /var/lib/dpkg/status
     1.7.4p4-2.squeeze.3 0
        500 http://debian/debian/ stable/main amd64 Packages


$ sudo ls /
[sudo] password for clopez:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to open /var/lib/sudo/clopez/1: Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to execute /bin/ls: Operation not permitted



Downgrading the package to the squeeze version fixes the problem automatically:

# apt-get install sudo=1.7.4p4-2.squeeze.3

$ sudo ls /
[sudo] password for clopez:
bin  boot  dev	etc  home  lib	lib32  lib64  lost+found  media  mnt  opt
 proc  root  run  sbin  selinux  srv  sys  tmp  usr	var


IMHO this bug should be fixed before releasing Wheezy. Sudo is not
usable on systems configured with LDAP/PAM (which is a setup widely
used). Therefore I'm raising the severity.


Thanks!


Marked as found in versions sudo/1.8.5p2-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Tue, 15 Jan 2013 12:09:05 GMT) Full text and rfc822 format available.

Severity set to 'serious' from 'important' Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Tue, 15 Jan 2013 12:09:05 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Bálint Réczey <balint@balintreczey.hu> to control@bugs.debian.org. (Sat, 19 Jan 2013 13:21:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>:
Bug#658896; Package sudo. (Mon, 21 Jan 2013 04:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Trek <trek00@inbox.ru>:
Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>. (Mon, 21 Jan 2013 04:39:06 GMT) Full text and rfc822 format available.

Message #44 received at 658896@bugs.debian.org (full text, mbox):

From: Trek <trek00@inbox.ru>
To: 658896@bugs.debian.org, "Martijn van Brummelen" <martijn@brumit.nl>
Subject: please try to downgrade libgcrypt11 to 1.4.6
Date: Mon, 21 Jan 2013 05:31:43 +0100
Hi,

Can you try to downgrade libgcrypt11 to version 1.4.6-9?
You can download it from:

http://snapshot.debian.org/archive/debian/20110807T212024Z/pool/main/libg/libgcrypt11/


This resolved a bug using claws-mail and midori with libgcrypt 1.5,
which seems to have problems with its memory management:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640123


If this is the case, maybe libgcrypt11 should be downgraded
before wheezy is released.


Ciao!



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#658896; Package sudo. (Mon, 21 Jan 2013 19:03:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>:
Extra info received and forwarded to list. (Mon, 21 Jan 2013 19:03:04 GMT) Full text and rfc822 format available.

Message #49 received at 658896@bugs.debian.org (full text, mbox):

From: Bdale Garbee <bdale@gag.com>
To: control@bugs.debian.org
Cc: 658896@bugs.debian.org
Subject: bug is apparently actually in libgcrypt11
Date: Mon, 21 Jan 2013 12:01:12 -0700
reassign 658896 libgcrypt11
thanks

I don't use LDAP, and so don't have an easy way to test this, but since
Martijn van Brummelen reports that patching libgcrypt11 the way Ubuntu
has fixes this problem, I'm reassigning the bug to libgcrypt11 for
resolution in Debian.

Regards,

Bdale

Bug reassigned from package 'sudo' to 'libgcrypt11'. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org. (Mon, 21 Jan 2013 19:03:09 GMT) Full text and rfc822 format available.

No longer marked as found in versions sudo/1.8.3p2-1 and sudo/1.8.5p2-1. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org. (Mon, 21 Jan 2013 19:03:09 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'http://mid.gmane.org/20100123134725.GA3309@downhill.g.la'. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:09 GMT) Full text and rfc822 format available.

Severity set to 'normal' from 'serious' Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:09 GMT) Full text and rfc822 format available.

Added indication that 658896 affects libnss-ldap Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:10 GMT) Full text and rfc822 format available.

Marked as found in versions libgcrypt11/1.4.4-6. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:10 GMT) Full text and rfc822 format available.

Added tag(s) help. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:10 GMT) Full text and rfc822 format available.

Merged 368297 545414 566351 579647 601667 628671 658896 Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 22 Jan 2013 18:18:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 12:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 12:27:06 GMT) Full text and rfc822 format available.

Message #70 received at 658896@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: 658896@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 13:24:05 +0100
severity 658896 serious
thanks
justification: Breaks unrelated software. It renders sudo unusable on systems with LDAP/PAM

On 21/01/13 05:31, Trek wrote:
> Hi,
> 
> Can you try to downgrade libgcrypt11 to version 1.4.6-9?
> You can download it from:
> 
> http://snapshot.debian.org/archive/debian/20110807T212024Z/pool/main/libg/libgcrypt11/
> 
> 
> This resolved a bug using claws-mail and midori with libgcrypt 1.5,
> which seems to have problems with its memory management:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640123
> 
> 
> If this is the case, maybe libgcrypt11 should be downgraded
> before wheezy is released.
> 
> 
> Ciao!
> 
> 
> 

Downgrading fixes nothing.


What fixed the issue was applying the patch no_global_init_during_thread_callbacks.diff
from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896#28


I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
After installing it, sudo works as expected.


I'm raising the severity another time. I think it was lowered automatically with the forcemerge.

This should be fixed before releasing Wheezy. Because of this bug, sudo is not usable on
systems configured with LDAP/PAM (which is a setup widely used).


Thanks!
[libgcrypt11_debdiff.patch (text/x-diff, attachment)]

Severity set to 'serious' from 'normal' Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Wed, 23 Jan 2013 12:27:07 GMT) Full text and rfc822 format available.

Merged 368297 545414 566351 579647 601667 628671 658896 Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Wed, 23 Jan 2013 17:54:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 18:15:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 18:15:14 GMT) Full text and rfc822 format available.

Message #79 received at 658896@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Carlos Alberto Lopez Perez <clopez@igalia.com>, 658896@bugs.debian.org
Subject: Re: Bug#658896: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 19:04:49 +0100
On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
> severity 658896 serious
> thanks
> justification: Breaks unrelated software. It renders sudo unusable on systems with LDAP/PAM
[...]

> What fixed the issue was applying the patch no_global_init_during_thread_callbacks.diff
> from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896#28


> I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
> After installing it, sudo works as expected.
[...]

According to the experiences in Ubuntu it breaks other stuff:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
(+ 2 merged bugreports)

I do not know whether this is a fair exchange, or whether it could
be fixed simply. However, applying the patch clearly comes at a cost.

I am sorry I cannot be more helpful, but I am just not a programmer.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 18:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 18:33:03 GMT) Full text and rfc822 format available.

Message #84 received at 658896@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Andreas Metzler <ametzler@downhill.at.eu.org>
Cc: 658896@bugs.debian.org, Adam Stokes <adam.stokes@canonical.com>
Subject: Re: Bug#658896: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 19:30:37 +0100
On 23/01/13 19:04, Andreas Metzler wrote:
> On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
>> severity 658896 serious
>> thanks
>> justification: Breaks unrelated software. It renders sudo unusable on systems with LDAP/PAM
> [...]
> 
>> What fixed the issue was applying the patch no_global_init_during_thread_callbacks.diff
>> from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896#28
> 
> 
>> I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
>> After installing it, sudo works as expected.
> [...]
> 
> According to the experiences in Ubuntu it breaks other stuff:
> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
> (+ 2 merged bugreports)
> 
> I do not know whether this is a fair exchange, or whether it could
> be fixed simply. However applying the patch clearly comes at a cost.
> 
> I am sorry I cannot be more helpful, but I am just not a programmer.
> 
> cu andreas

If you download the latest Ubuntu dsc for libgcrypt11

$ dget -u http://archive.ubuntu.com/ubuntu/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-3ubuntu2.1.dsc


you will see that the patch they are carrying is the one that
I put in the debdiff (no-global-init-thread-callbacks.diff).


The previous patch (enable-global-init-secure-memory.patch),
applied on libgcrypt11/1.5.0-3ubuntu1, was the one that caused
the regression and was the patch that got reverted.


This one seems to be fine and doesn't cause regressions.


CC'ing the Ubuntu maintainer.


Adam, can you confirm if the patch no-global-init-thread-callbacks.diff
is fine for fixing LP: #423252 or is causing some regression?

$ cat libgcrypt11-1.5.0/debian/patches/no-global-init-thread-callbacks.diff 
--- a/src/global.c
+++ b/src/global.c
@@ -445,8 +445,6 @@
 
     case GCRYCTL_SET_THREAD_CBS:
       err = ath_install (va_arg (arg_ptr, void *), any_init_done);
-      if (! err)
-	global_init ();
       break;
 
     case GCRYCTL_FAST_POLL:
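Review bot: the hunk drops `if (! err) global_init ();` from the GCRYCTL_SET_THREAD_CBS case without any comment explaining why initialisation must not be triggered here, and the change applies to every caller that installs thread callbacks, not only the libldap/sudo path this bug is about: a caller that relied on GCRYCTL_SET_THREAD_CBS to complete initialisation now has to finish it explicitly (GCRYCTL_INITIALIZATION_FINISHED). Suggest adding a one-line comment above `break;` saying so, and checking the in-tree users of GCRYCTL_SET_THREAD_CBS before applying. The error handling itself is untouched: `err = ath_install (...)` is still assigned and the case still breaks out as before.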



Thanks!


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 18:51:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 18:51:05 GMT) Full text and rfc822 format available.

Message #89 received at 658896@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Andreas Metzler <ametzler@downhill.at.eu.org>
Cc: 658896@bugs.debian.org, Adam Stokes <adam.stokes@canonical.com>
Subject: Re: Bug#658896: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 19:47:48 +0100
On 23/01/13 19:30, Carlos Alberto Lopez Perez wrote:
> On 23/01/13 19:04, Andreas Metzler wrote:
>> On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
>>> severity 658896 serious
>>> thanks
>>> justification: Breaks unrelated software. It renders sudo unusable on systems with LDAP/PAM
>> [...]
>>
>>> What fixed the issue was applying the patch no_global_init_during_thread_callbacks.diff
>>> from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896#28
>>
>>
>>> I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
>>> After installing it, sudo works as expected.
>> [...]
>>
>> According to the experiences in Ubuntu it breaks other stuff:
>> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
>> (+ 2 merged bugreports)
>>
>> I do not know whether this is a fair exchange, or whether it could
>> be fixed simply. However applying the patch clearly comes at a cost.
>>
>> I am sorry I cannot be more helpful, but I am just not a programmer.
>>
>> cu andreas
> 
> If you download the latest Ubuntu dsc for libgcrypt11
> 
> $ dget -u http://archive.ubuntu.com/ubuntu/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-3ubuntu2.1.dsc
> 
> 
> you will see that the patch they are carrying is the one that
> I put in the debdiff (no-global-init-thread-callbacks.diff).
> 
> 
> The previous patch (enable-global-init-secure-memory.patch),
> applied on libgcrypt11/1.5.0-3ubuntu1, was the one that caused
> the regression and was the patch that got reverted.
> 
> 
> This one seems to be fine and doesn't cause regressions.
> 
> 
> CC'ing the Ubuntu maintainer.
> 
> 
> Adam, can you confirm if the patch no-global-init-thread-callbacks.diff
> is fine for fixing LP: #423252 or is causing some regression?
> 
> $ cat libgcrypt11-1.5.0/debian/patches/no-global-init-thread-callbacks.diff 
> --- a/src/global.c
> +++ b/src/global.c
> @@ -445,8 +445,6 @@
>  
>      case GCRYCTL_SET_THREAD_CBS:
>        err = ath_install (va_arg (arg_ptr, void *), any_init_done);
> -      if (! err)
> -	global_init ();
>        break;
>  
>      case GCRYCTL_FAST_POLL:
> 
> 
> 
> Thanks!
> 

Basically, this patch is reverting upstream commit d769529a:

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commitdiff;h=d769529a


It's from 2005 :\

The Squeeze version of libgcrypt11 has this code and doesn't cause this problem.


Why are we running into this bug now?


Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 18:51:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 18:51:08 GMT) Full text and rfc822 format available.

Message #94 received at 658896@bugs.debian.org (full text, mbox):

From: Andreas Metzler <ametzler@downhill.at.eu.org>
To: Carlos Alberto Lopez Perez <clopez@igalia.com>, 658896@bugs.debian.org
Cc: Adam Stokes <adam.stokes@canonical.com>
Subject: Re: Bug#658896: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 19:48:52 +0100
On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
> On 23/01/13 19:04, Andreas Metzler wrote:
> > On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
[...]
> >> I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
> >> After installing it, sudo works as expected.
>> [...]

>> According to the experiences in Ubuntu it breaks other stuff:
>> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
>> (+ 2 merged bugreports)
[...]

> If you download the last Ubuntu dsc for libgcrypt11

> $ dget -u http://archive.ubuntu.com/ubuntu/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-3ubuntu2.1.dsc


> You will see that the patch they are carrying is the one that
> I put on the debdiff (no-global-init-thread-callbacks.diff)

> The previous patch (enable-global-init-secure-memory.patch)
> applied on libgcrypt11/1.5.0-3ubuntu1 was the one that caused
> the regression and was the patch that got reverted.
[...]

Hello,

I am pretty sure you are mistaken.

Double-checking LP #1013798 we find this:
https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/12
| I just found the apparent root cause for the libgcrypt11 crash:
| Ubuntu includes a patch called
| 'no_global_init_during_thread_callbacks.diff'

https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/23
| This bug was fixed in the package libgcrypt11 - 1.5.0-3ubuntu2
| [...]
|   * debian/patches/enable-global-init-secure-memory.patch:
|     Fix regression during disable/suspend of secure memory

https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/25
| Afaict this bug should not be marked as "fixed released" anymore because
| 1.5.0-3ubuntu2.1 reverted 1.5.0-3ubuntu2.

enable-global-init-secure-memory.patch would have fixed LP #1013798
but was reverted back to no-global-init-thread-callbacks.diff (which
fixes the sudo/LDAP issue) because the regression 
<https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1076906>
from no-global-init-thread-callbacks.diff to
enable-global-init-secure-memory.patch
was too severe.

LP #1013798 is still open and unfixed.

cu andreas



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Wed, 23 Jan 2013 19:27:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Wed, 23 Jan 2013 19:27:06 GMT) Full text and rfc822 format available.

Message #99 received at 658896@bugs.debian.org (full text, mbox):

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Andreas Metzler <ametzler@downhill.at.eu.org>
Cc: 658896@bugs.debian.org, Adam Stokes <adam.stokes@canonical.com>
Subject: Re: Bug#658896: Please apply patch no_global_init_during_thread_callbacks.diff
Date: Wed, 23 Jan 2013 20:25:02 +0100
On 23/01/13 19:48, Andreas Metzler wrote:
> On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
>> On 23/01/13 19:04, Andreas Metzler wrote:
>>> On 2013-01-23 Carlos Alberto Lopez Perez <clopez@igalia.com> wrote:
> [...]
>>>> I'm attaching the debdiff. I rebuilt libgcrypt11 with the attached debdiff.
>>>> After installing it, sudo works as expected.
>>> [...]
> 
>>> According to the experiences in Ubuntu it breaks other stuff:
>>> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798
>>> (+ 2 merged bugreports)
> [...]
> 
>> If you download the last Ubuntu dsc for libgcrypt11
> 
>> $ dget -u http://archive.ubuntu.com/ubuntu/pool/main/libg/libgcrypt11/libgcrypt11_1.5.0-3ubuntu2.1.dsc
> 
> 
>> You will see that the patch they are carrying is the one that
>> I put on the debdiff (no-global-init-thread-callbacks.diff)
> 
>> The previous patch (enable-global-init-secure-memory.patch)
>> applied on libgcrypt11/1.5.0-3ubuntu1 was the one that caused
>> the regression and was the patch that got reverted.
> [...]
> 
> Hello,
> 
> I am pretty sure you are mistaken.
> 
> Double-checking LP #1013798 we find this:
> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/12
> | I just found the apparent root cause for the libgcrypt11 crash:
> | Ubuntu includes a patch called
> | 'no_global_init_during_thread_callbacks.diff'
> 
> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/23
> | This bug was fixed in the package libgcrypt11 - 1.5.0-3ubuntu2
> | [...]
> |   * debian/patches/enable-global-init-secure-memory.patch:
> |     Fix regression during disable/suspend of secure memory
> 
> https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1013798/comments/25
> | Afaict this bug should not be marked as "fixed released" anymore because
> | 1.5.0-3ubuntu2.1 reverted 1.5.0-3ubuntu2.
> 
> enable-global-init-secure-memory.patch would have fixed LP #1013798
> but was reverted back to no-global-init-thread-callbacks.diff (which
> fixes the sudo/LDAP issue) because the regression 
> <https://bugs.launchpad.net/ubuntu/+source/libgcrypt11/+bug/1076906>
> from no-global-init-thread-callbacks.diff to
> enable-global-init-secure-memory.patch
> was too severe.
> 
> LP #1013798 is still open and unfixed.
> 
> cu andreas
> 

I see. Thanks for the clarification.

I can confirm that this patch is breaking python-gnutls:

$ python
Python 2.7.3 (default, Sep  9 2012, 17:41:34)
[GCC 4.7.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import gnutls.crypto
Segmentation fault


There is only one reverse dependency for python-gnutls in the archive:

$ apt-rdepends -r python-gnutls
Reading package lists... Done
Building dependency tree
Reading state information... Done
python-gnutls
  Reverse Depends: mandos (1.6.0-1)
mandos



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Thu, 24 Jan 2013 23:48:16 GMT)

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 24 Jan 2013 23:48:16 GMT)

Message #104 received at 658896@bugs.debian.org:

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Andreas Metzler <ametzler@downhill.at.eu.org>, adam.stokes@canonical.com
Cc: 368297@bugs.debian.org, 545414@bugs.debian.org, 566351@bugs.debian.org, 579647@bugs.debian.org, 601667@bugs.debian.org, 628671@bugs.debian.org, 658896@bugs.debian.org, pkg-openldap-devel@lists.alioth.debian.org, pkg-gnutls-maint@lists.alioth.debian.org, control@bugs.debian.org
Subject: [PATCH] Fix dropping privileges issue on setuid programs on systems with PAM/LDAP and GnuTLS/libgcrypt
Date: Fri, 25 Jan 2013 00:44:21 +0100
reassign 368297 libldap-2.4 2.4.31-1
thanks

Hi!


I have been digging into this issue and I found the ultimate cause of this
problem.


When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
a system configured with PAM/LDAPs it chains into libldap, which uses
GnuTLS/libgcrypt to manage the TLS channel.


The problem is that when OpenLDAP calls gnutls_global_init(), this
function does nothing because OpenLDAP had previously already
initialized libgcrypt at some point on the stack (probably by mistake).

So, gnutls_global_init() checks that some basic initialization of
libgcrypt was already done and skips completely any action.

The problem is that gnutls_global_init() is supposed to set the flag
GCRYCTL_DISABLE_SECMEM which disables both the use of secure memory
*and* the "feature" of dropping privileges that libgcrypt has. [1]

So, what is happening is that the initialization of libgcrypt is not
being done as expected.

I cooked a very small patch that, just after calling
gnutls_global_init(), checks if the initialization was successful, and if
it was not, then sets this flag (DISABLE_SECMEM).

I understand that (perhaps) the right fix could be to patch GnuTLS to
check for INITIALIZATION_FINISHED instead of ANY_INITIALIZATION. But
there are two problems with this:

* One is that this could introduce some regression or bug in some
program that could be (wrongly) relying on this "feature" of GnuTLS.
Keep in mind that this code has been there since the beginning of the
project (I was blaming the git repository).


* The second problem is that GnuTLS (upstream) completely dropped
support for libgcrypt (they even removed the code). So IMHO it doesn't
make sense to fix GnuTLS at this point. For Jessie, GnuTLS should
switch to nettle. And OpenLDAP will have to switch to a crypto
library other than libgcrypt, or will have to patch the file
libraries/libldap/tls_g.c to stop using any GnuTLS code.


So, for the moment (Wheezy) I think the best approach to solve this bug
is to apply the small patch for OpenLDAP that I'm attaching.
It is the least intrusive approach to fix this bug. It doesn't need to
touch anything in GnuTLS or libgcrypt. It really fixes the problem
where it is: OpenLDAP is not setting DISABLE_SECMEM when initializing
libgcrypt.

The approach taken by Ubuntu, to patch libgcrypt (LP: #423252), already
caused some regressions (LP: #1013798).


If someone wants to try it, I have uploaded the debs (AMD64) and the
sources to this URL:

http://ftp.neutrino.es/debian/OpenLDAP/


I tested that with this small patch the problem goes completely away.

Example of test:
----------------
1) Install current libldap-2.4-2 from Wheezy and test sudo:
root ~ # apt-get install --reinstall libldap-2.4-2=2.4.31-1

clopez ~ $ sudo whoami
[sudo] password for clopez:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to open /var/lib/sudo/clopez/8: Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to execute /usr/bin/whoami: Operation not permitted


2) Install fixed libldap-2.4-2 and test sudo:
root ~ # wget
http://ftp.neutrino.es/debian/OpenLDAP/libldap-2.4-2_2.4.31-1.1_amd64.deb
root ~ # dpkg -i libldap-2.4-2_2.4.31-1.1_amd64.deb


clopez ~ $ sudo whoami
[sudo] password for clopez:
root
-------------

Therefore I'm reassigning this bug to libldap-2.4 (src:OpenLDAP)

Attached is also a debdiff for src:OpenLDAP


Read the comments inside the patch for further information.


I'm CC'ing the libgcrypt/OpenLDAP/GnuTLS maintainers and will later
report this on Ubuntu's LP.



Regards!
--------

[1]
http://lists.debian.org/debian-devel/2010/03/msg00298.html
https://bugs.g10code.com/gnupg/issue1181
[debdiff_openldap_fix-dropping-privileges-by-libgcrypt-secmem.debdiff (text/plain, attachment)]
[fix-dropping-privileges-by-libgcrypt-secmem.diff (text/x-diff, attachment)]
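As an added illustration (not code from the bug report, nor from OpenLDAP, GnuTLS or libgcrypt), the following C model walks through the initialisation order described in the message above: libldap registers libgcrypt thread callbacks first, gnutls_global_init() then finds GCRYCTL_ANY_INITIALIZATION_P true and skips GCRYCTL_DISABLE_SECMEM, so the first secure-memory allocation during the TLS handshake drops the setuid-root process to its real uid, and sudo's later setresuid(0, -1, -1) fails with EPERM. The model represents libgcrypt's state flags and the process uid triple in plain C so that it runs without any of the libraries installed. All function names are hypothetical; the exact hunks of the attached debdiff are not on this page, so the `model_openldap_fix` step follows only the description in the message (disable secure memory when the initialisation was not finished). The assumed libgcrypt behaviour is that, with secure memory enabled, the first secure allocation in a process with euid 0 and a non-zero real uid calls setuid(real uid), which for a privileged process sets all three uids at once.

```c
/* Model of the libgcrypt / GnuTLS / libldap initialisation order that makes
 * a setuid-root program lose root.  Hypothetical names; not library code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct creds { unsigned ruid, euid, suid; };   /* real, effective, saved uid */

/* Modelled libgcrypt global state. */
struct gcry_model {
    bool any_init;        /* GCRYCTL_ANY_INITIALIZATION_P would be non-zero */
    bool init_finished;   /* GCRYCTL_INITIALIZATION_FINISHED_P */
    bool secmem_disabled; /* GCRYCTL_DISABLE_SECMEM was issued */
};

/* libldap (tls_g.c) sets the thread callbacks before anything else, as the
 * libgcrypt manual requires.  libgcrypt counts that as "some initialisation". */
static void model_ldap_set_thread_cbs(struct gcry_model *g)
{
    g->any_init = true;
}

/* GnuTLS 2.x gnutls_global_init(): configures libgcrypt only if nobody has
 * touched it yet, so after libldap's call above this is a no-op. */
static void model_gnutls_global_init(struct gcry_model *g)
{
    if (!g->any_init) {
        g->secmem_disabled = true;
        g->init_finished = true;
        g->any_init = true;
    }
}

/* The step the OpenLDAP patch adds right after gnutls_global_init(): if the
 * initialisation was not finished, disable secure memory ourselves (assumed
 * shape of the fix, following the message's description). */
static void model_openldap_fix(struct gcry_model *g)
{
    if (!g->init_finished) {
        g->secmem_disabled = true;
        g->init_finished = true;
    }
}

/* First use of secure memory (e.g. key material in the TLS handshake):
 * libgcrypt locks its pool and, if running setuid-root, permanently drops
 * to the real uid.  setuid() from euid 0 sets all three uids. */
static void model_secmem_first_use(const struct gcry_model *g, struct creds *c)
{
    if (g->secmem_disabled)
        return;
    if (c->euid == 0 && c->ruid != 0) {
        unsigned real = c->ruid;
        c->euid = real;
        c->suid = real;
    }
}

/* setresuid(0, -1, -1) without CAP_SETUID succeeds only if 0 already equals
 * one of the real, effective or saved uids.  Returns 0 or -EPERM. */
static int model_setresuid_root(struct creds *c)
{
    if (c->euid != 0 && c->ruid != 0 && c->suid != 0)
        return -EPERM;
    c->ruid = 0;
    return 0;
}

/* Whole chain for a setuid-root sudo run by uid 1000 against ldaps://.
 * Returns the result of sudo's PERM_ROOT setresuid() so both builds compare. */
int model_sudo_via_ldaps(bool with_openldap_patch)
{
    struct gcry_model g = {0};
    struct creds c = { .ruid = 1000, .euid = 0, .suid = 0 };

    model_ldap_set_thread_cbs(&g);   /* libldap, per the libgcrypt manual */
    model_gnutls_global_init(&g);    /* skipped: any_init already set     */
    if (with_openldap_patch)
        model_openldap_fix(&g);
    model_secmem_first_use(&g, &c);  /* TLS handshake to the LDAP server  */
    return model_setresuid_root(&c); /* sudo: PERM_ROOT                    */
}

int main(void)
{
    int unpatched = model_sudo_via_ldaps(false);
    int patched = model_sudo_via_ldaps(true);
    printf("unpatched libldap: setresuid(0,-1,-1) -> %s\n",
           unpatched ? strerror(-unpatched) : "ok");
    printf("patched libldap:   setresuid(0,-1,-1) -> %s\n",
           patched ? strerror(-patched) : "ok");
    return 0;
}
```

The model also shows why the alternative fix discussed in the message (GnuTLS testing INITIALIZATION_FINISHED instead of ANY_INITIALIZATION) would work: with that predicate, `model_gnutls_global_init` would no longer be skipped by libldap's thread-callback registration.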

Bug reassigned from package 'libgcrypt11' to 'libldap-2.4'. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:20 GMT)

No longer marked as found in versions libgcrypt11/1.4.4-6. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:22 GMT)

Marked as found in versions 2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Thu, 24 Jan 2013 23:48:24 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, unknown-package@qa.debian.org:
Bug#658896; Package libldap-2.4. (Fri, 25 Jan 2013 02:24:03 GMT)

Acknowledgement sent to Howard Chu <hyc@symas.com>:
Extra info received and forwarded to list. Copy sent to unknown-package@qa.debian.org. (Fri, 25 Jan 2013 02:24:03 GMT)

Message #115 received at 658896@bugs.debian.org:

From: Howard Chu <hyc@symas.com>
To: 658896@bugs.debian.org
Subject: LDAP, GnuTLS/libgcrypt
Date: Fri, 25 Jan 2013 02:00:33 +0000
> Hi!
>
>
> I have been digging on this issue and I found the ultimate cause of this
> problem.
>
>
> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
> a system configured with PAM/LDAPs it chains into libldap, which uses
> GnuTLS/libgcrypt to manage the TLS channel.
>
>
> The problem is that when OpenLDAP calls gnutls_global_init(), this
> function does nothing because OpenLDAP had previously already
> initialized libgcrypt at some point on the stack (probably by mistake).

For the record, there is no mistake in OpenLDAP. And also for the record, we 
on the OpenLDAP Project warned you guys multiple times that GnuTLS/libgcrypt 
are broken by design, and should not be used. (E.g. as I noted here 
https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/62)

The libgcrypt documentation states in section 2.5 that you *must* set the 
thread callbacks before calling *any* other libgcrypt functions. libldap's 
code does that. It's not our fault that libgcrypt's design is so broken that 
even when you use it as documented it doesn't work. We've been telling you for 
*years* that GnuTLS is broken by design.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/



Bug reassigned from package 'libldap-2.4' to 'libldap-2.4-2'. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:12 GMT)

No longer marked as found in versions 2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:14 GMT)

Marked as found in versions openldap/2.4.31-1. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 03:09:17 GMT)

Unset Bug forwarded-to-address. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Fri, 25 Jan 2013 04:27:05 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>:
Bug#658896; Package libldap-2.4-2. (Mon, 28 Jan 2013 20:48:06 GMT)

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>. (Mon, 28 Jan 2013 20:48:06 GMT)

Message #128 received at 658896@bugs.debian.org:

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Howard Chu <hyc@symas.com>
Cc: 658896@bugs.debian.org
Subject: Re: LDAP, GnuTLS/libgcrypt
Date: Mon, 28 Jan 2013 21:37:57 +0100
On 25/01/13 03:00, Howard Chu wrote:
>> Hi!
>>
>>
>> I have been digging on this issue and I found the ultimate cause of this
>> problem.
>>
>>
>> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
>> a system configured with PAM/LDAPs it chains into libldap, which uses
>> GnuTLS/libgcrypt to manage the TLS channel.
>>
>>
>> The problem is that when OpenLDAP calls gnutls_global_init(), this
>> function does nothing because OpenLDAP had previously already
>> initialized libgcrypt at some point on the stack (probably by mistake).
> 
> For the record, there is no mistake in OpenLDAP. And also for the
> record, we on the OpenLDAP Project warned you guys multiple times that
> GnuTLS/libgcrypt are broken by design, and should not be used. (E.g. as
> I noted here
> https://bugs.launchpad.net/debian/+source/sudo/+bug/423252/comments/62)
> 
> The libgcrypt documentation states in section 2.5 that you *must* set
> the thread callbacks before calling *any* other libgcrypt functions.
> libldap's code does that. It's not our fault that libgcrypt's design is
> so broken that even when you use it as documented it doesn't work. We've
> been telling you for *years* that GnuTLS is broken by design.
> 

I agree with you.

But, keep in mind that GnuTLS no longer supports libgcrypt (they even
removed the code from their repository). They now only support libnettle.

So there is no point at all in trying to fix GnuTLS now.

The upstream OpenLDAP project should probably remove support for
libgcrypt from their code.

And about the idea of patching the GnuTLS version that Debian Wheezy
ships (with libgcrypt support), I'm afraid that this could break some
unrelated package that relies on this broken design of GnuTLS/libgcrypt.

And for Wheezy+1 GnuTLS will have to migrate to the new version (with
nettle), so IMHO there is no point in fixing it now.

On the other hand, I feel like this small patch for OpenLDAP is the least
intrusive approach to make things just work for Wheezy.


Regards!
--------


Merged 368297 545414 566351 579647 601667 628671 658739 658896. Request was from Carlos Alberto Lopez Perez <clopez@igalia.com> to control@bugs.debian.org. (Tue, 05 Feb 2013 03:24:15 GMT)

Removed tag(s) d-i. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Wed, 20 Feb 2013 11:33:02 GMT)

Bug reassigned from package 'libldap-2.4-2' to 'libgcrypt11'. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2013 18:39:08 GMT)

No longer marked as found in versions openldap/2.4.31-1. Request was from Michael Gilbert <mgilbert@debian.org> to control@bugs.debian.org. (Sun, 14 Apr 2013 18:39:12 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Mon, 22 Apr 2013 16:33:34 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 22 Apr 2013 16:33:34 GMT)

Message #141 received at 658896@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Carlos Alberto Lopez Perez <clopez@igalia.com>, 368297@bugs.debian.org
Cc: Andreas Metzler <ametzler@downhill.at.eu.org>, adam.stokes@canonical.com, 545414@bugs.debian.org, 566351@bugs.debian.org, 579647@bugs.debian.org, 601667@bugs.debian.org, 628671@bugs.debian.org, 658896@bugs.debian.org, pkg-openldap-devel@lists.alioth.debian.org, pkg-gnutls-maint@lists.alioth.debian.org, control@bugs.debian.org
Subject: Re: Bug#368297: [PATCH] Fix dropping privileges issue on setuid programs on systems with PAM/LDAP and GnuTLS/libgcrypt
Date: Mon, 22 Apr 2013 18:30:11 +0200
tags 368297 + wheezy-ignore
user release.debian.org@packages.debian.org
usertag 368297 + wheezy-can-defer

On Fri, Jan 25, 2013 at 00:44:21 +0100, Carlos Alberto Lopez Perez wrote:

> When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> on
> a system configured with PAM/LDAPs it chains into libldap, which uses
> GnuTLS/libgcrypt to manage the TLS channel.
> 
So I've tried to reproduce that, by installing sudo-ldap, slapd,
lib{nss,pam}-ldap, ssl-cert and configuring stuff to use
ldaps://localhost.  Seems like things work when the user is in
/etc/passwd, and fail if they're in ldap.
The failure goes away when switching to lib{nss,pam}-ldapd, which was
already the recommended workaround for this bug in squeeze.

I understand that some use cases aren't supported by this alternative,
but:
- AIUI this was already the case in squeeze
- the way forward is probably to improve on them, for jessie, not try
  and keep lib{nss,pam}-ldap around indefinitely

Cheers,
Julien

Added tag(s) wheezy-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Mon, 22 Apr 2013 16:33:40 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Mon, 29 Apr 2013 12:27:04 GMT)

Acknowledgement sent to Brian Kroth <bpkroth@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Mon, 29 Apr 2013 12:27:04 GMT)

Message #148 received at 658896@bugs.debian.org:

From: Brian Kroth <bpkroth@gmail.com>
To: 658896@bugs.debian.org
Cc: simonft@riseup.net
Subject: not fixed - please don't ignore this bug for wheezy
Date: Mon, 29 Apr 2013 07:21:54 -0500
Sorry for the late reply, I've been out on leave and for some reason 
wasn't getting the responses to these bugs even though I've subscribed.

I hate to dredge this up again given the release announcement, but 
there's been a lot of confusion about this and related bugs and I think 
our particular problem was lost.

There are two separate issues as I see them:

When using starttls or ldaps:// in a pam_ldap.conf* file, then

1) If I try to do a su non-root-user, then I get a setgid error:

# /bin/su - bkroth
Password:
setgid: Operation not permitted

As was correctly reported, this was an error in squeeze as well, and is 
not our primary concern (though if it were fixed as well, I wouldn't be 
upset :).

2) If I try to sudo (not sudo-ldap), it fails with a "setresuid error":

# sudo -s
bpkroth@faitest64's sudo password:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to open /var/lib/sudo/bpkroth/1: Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to execute /bin/bash: Operation not permitted

This *was* working in squeeze just fine.

This is part of the bug that I'm very concerned about.  We depend upon 
it for a number of different things, including automated monitoring and 
repair, authenticating users to specific services such as dovecot, etc.

Also, libpam-ldapd does *not* solve this problem, for two reasons:

a) It doesn't actually fix the setresuid problem (2)!  I've tested this.
<edit>
Actually, I take that back.  It seems one of the recent updates fixed 
this part at least.
</edit>


b) libpam-ldapd can only use a single global configuration file.  We 
need libpam-ldap's (no d) ability to reference different pam_ldap.conf 
files from different /etc/pam.d/service files in order to specify 
different ldap filters, base ou lookups, etc. settings for service 
specific authentications.

For instance, dovecot is configured to only accept users with "filter 
custom_acl_attr=mail", whereas sudo (on that same machine) is configured 
to only authenticate users in an "ou=Sudo,ou=People" part of the ldap 
tree.  There are several other examples of this such as cron, ssh, and 
others.  Note, we also make use of pam_access for certain restrictions, 
but this is an incomplete solution since it doesn't allow attribute or 
ou ldap filters.

One of my colleagues (Simon Fondrie-Teitler) tells me that one or more 
patches were able to fix problem (2), though I've been out on leave and 
don't recall which ones exactly, so I'll let him comment with specific 
details on that.

Please let us know what we can help to do to fix this.  We really can't 
move forward on wheezy in our environment without it.

Thanks,
Brian

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Tue, 30 Apr 2013 16:12:04 GMT)

Acknowledgement sent to Simon Fondrie-Teitler <simonft@riseup.net>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Tue, 30 Apr 2013 16:12:04 GMT)

Message #153 received at 658896@bugs.debian.org:

From: Simon Fondrie-Teitler <simonft@riseup.net>
To: 658896@bugs.debian.org
Cc: Julien Cristau <jcristau@debian.org>, Brian Kroth <bpkroth@gmail.com>
Subject: Re: not fixed - please don't ignore this bug for wheezy
Date: Tue, 30 Apr 2013 11:03:30 -0500
Brian Kroth <bpkroth@gmail.com> writes:
> On my my colleagues (Simon Fondrie-Teitler) tells me that one or more
> patches were able to fix problem (2), though I've been out on leave
> and don't recall which ones exactly so I'll let him comment with
> specific details on that.

The patch given by Carlos here [0] allows openLDAP to use TLS without
problem and restores the functionality present in squeeze.

Since there is obvious new breakage from squeeze, is it possible to
reconsider the wheezy-ignore tag?

Thanks,
Simon Fondrie-Teitler

0. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658896#104



Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Thu, 17 Oct 2013 11:18:05 GMT)

Acknowledgement sent to "Joel Rosental R." <joel.rosental@imdea.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 17 Oct 2013 11:18:05 GMT)

Message #158 received at 658896@bugs.debian.org:

From: "Joel Rosental R." <joel.rosental@imdea.org>
To: 658896@bugs.debian.org
Subject: Bug status?
Date: Thu, 17 Oct 2013 13:05:52 +0200
Hi,

I'm running several machines with Debian 7 (Wheezy) and have experienced
the problem described in bug #658896. I'd like to know whether there are
any updates about this or an estimate of when it will be fixed on Wheezy.

I'd be glad to help if you require it.

Best Regards.

-- 
Joel Rosental R.
Systems Administrator
GPG Key Fingerprint = A9BF 3386 4371 2D14 C05D  7B91 2652 661F 7DB7 5B58

Tel: +34 91 481 69 87
Web: http://www.networks.imdea.org

Added tag(s) squeeze-ignore. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Wed, 06 Nov 2013 02:33:21 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#658896; Package libgcrypt11. (Fri, 14 Mar 2014 15:45:05 GMT)

Acknowledgement sent to Gabriel Filion <gabster@lelutin.ca>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Fri, 14 Mar 2014 15:45:05 GMT)

Message #165 received at 658896@bugs.debian.org:

From: Gabriel Filion <gabster@lelutin.ca>
To: 658896@bugs.debian.org
Subject: Still an issue
Date: Fri, 14 Mar 2014 11:33:24 -0400
Hi there,

I just stumbled upon this bug as well. We're +/- one year after the
wheezy release and this is still an issue.

It seems as though one patch was able to fix the problem, and even
though we're considering a change of libraries for jessie, it would be
really helpful to fix this in wheezy.

-- 
Gabriel Filion


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 03:11:56 2014; Machine Name: buxtehude.debian.org