LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11

Status changed to 'Confirmed' because the bug affects multiple users.

PPA with patch for the benefit of other affected people:
https://launchpad.net/~nutznboltz/+archive/gnutls26-with-nettle

Has a severe impact on a small portion of Ubuntu users (estimated) -> High

@ubuntu-treblig I do so appreciate your wisdom.

Debian bug for this issue:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658739

I tried installing sssd and the error message only prints the first line:

$ sudo id
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted

The sssd.conf file is a copy of one that works on CentOS 6.

That was with the libgcrypt11 GnuTLS package (2.12.14-5ubuntu2).

Once I switch back to a GnuTLS with nettle then sssd works, supporting sudo.

Added regression-release tag based on advice in
https://wiki.ubuntu.com/QATeam/RegressionTracking

Let me see if I understand. The reason this bug is not going to be fixed is:

* Only some of the software distributed by Debian and Canonical under the GNU General Public License Version 2 includes a clause that says you can use future versions of that license AND
* Some of the libraries have converted to future versions of that license (e.g. GNU General Public License Version 3.) AND
* In particular gmp-5.0.2+dfsg ("libgmp10") is licensed under LGPLv3 while it is unproven if all of the software that links against it is compatible with that license AND
* There is no automated system for tracking software license dependencies AND
* Such a system is not available due to lack of reliably-machine-readable software license data AND
* A project known as DEP-5 ( http://dep.debian.net/deps/dep5/ ) exists to provide (develop) reliably-machine-readable software license data AND
* If DEP-5 were completed all it would provide is detailed knowledge about software license interactions so that the areas which need work could be identified.

Please correct me if any of the above in this comment is not correct. Thank you.

nutznbolts: Where do you see something saying 'this bug is not going to be fixed?'

ubuntu-treblig: go to https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/926350
and search for: Colin Watson: Needs Information on 2012-02-11
then explain just how that information will be provided.

ubuntu-treblig: when you can answer my question then I will be able to answer yours.

nutznboltz: OK, that question is best answered by Colin, you might want to add your question to the comment field on the review. (I don't know the answer)

I'm beginning to suspect that the best answer is to not ask any more questions.

nutznbolts: Please keep asking questions; but please be nice about it - I'm just triaging this bug, I've not worked on this package and don't know the answers - and there are lots and lots of important bugs in the database.
License problems are always a bit hairy, and Colin is right to ask that question.

DEP-5: Patches pushed to the Debian Policy repository
http://lists.debian.org/debian-policy/2012/02/msg00078.html

The DEP-5 specification v1.0 was released on Monday February 22, 2012 as part of debian-policy_3.9.3.0_all.deb

Is anything being done about this bug? This is a serious bug that would stop 12.04 from being used in many enterprise deployments. In our environment, we have mixed Mac and Linux workstations, and many Linux (CentOS, Debian, and Ubuntu) servers. We use LDAP for authentication, and the only way to administer the Ubuntu 12.04 systems is to enable root logins and ssh in directly as root.

Hi all,

this bug has been brought to my attention by my boss today.
If I understand the situation correctly, the problem is:

• OpenLDAP links against GnuTLS (gnutls26)
• gnutls26 links against gcrypt, which has the bug
• gnutls28 links against nettle, but also gmp which is LGPLv3+
• OpenLDAP thus can’t link against gnutls28, as it has reverse
  dependencies that are not LGPLv3-/GPLv3-compatible
• the package affected is libnss-ldap though

For some reason, neither nscd nor unscd seem to be able to
work around this bug, so it has become rather critical (e.g.
for use in company networks).

Why not do a readline and provide *two* versions of the
OpenLDAP client libraries, keep libldap-2.4-2 linked
against gnutls26 and add another shared library plus
development package (with at least the two shared library
packages coïnstallable) to link against gnutls28 and build
these BOTH from the SAME source package at the SAME time,
so an upload of OpenLDAP will not need another package to
be (re-)built to stay in sync.

Did anyone think of it already and will shoot this idea
down immediately? Or could it work?

bye,
//mirabilos • <email address hidden>
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

A quick workaround that solved my problem with this:

First install libnss-ldap
Configure ldap stuff, test if you can login but can't use setuid apps.
Then install nslcd and configure.

After these steps my system is working, and allowing me to login with ldap account and use sudo.

This bug is pretty serious, any enterprise who has more than one linux box, is using ldap to authenticate.
And this is a show stopper......

This should be fixed ASAP.

here is the process which i followed to fix the issue

In case if someone else has an issue with sudo access with 12.04. They need to reinstall the gnutls library with nettle not with lingcrypt. As the libgcrypt library is broken. Here is the process

# apt-get source gnutls26

remove --with-libgcrypt from the debian/rules file. build using this command

# debuild -i -uc -us -b

install using

# make install

That's it.

I can confirm comment #22 resolved this for me on 12.04, but I had to pull in the following dependencies to build successfully.

# apt-get install devscripts libgcrypt11-dev zlib1g-dev cdbs gtk-doc-tools texinfo libtasn1-3-dev autotools-dev datefudge libp11-kit-dev pkg-config chrpath

Also, forgot to include...

# apt-get install nettle-dev libnettle4

I confirm that coments #22, 23 and 24 fixed the problem.