NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Release Notes for Ubuntu | Fix Released | Undecided | Unassigned | |
| libgcrypt | Fix Released | Unknown | | |
| libgcrypt11 (Debian) | Fix Released | Unknown | | |
| libgcrypt11 (Ubuntu) | Fix Released | Medium | Unassigned | |
| Karmic | Won't Fix | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Canonical Foundations Team | |
| Maverick | Won't Fix | Medium | Canonical Foundations Team | |
| Natty | Won't Fix | Medium | Unassigned | |
| Oneiric | Won't Fix | Medium | Unassigned | |
| Precise | Fix Released | Medium | Unassigned | |
Bug Description
SRU Request:

[Impact]
As the volume of comments on this bug shows, the impact is severe for community and enterprise users alike.

[Development Fix]
Howard Chu released a patch in comment #73, which comments #106 and #108 later confirmed as the resolution.

[Stable Fix]
The patch from #73 applies cleanly to Lucid and newer releases.

[Test Case]
On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd' field to anything with 'ldap' as the first item breaks the ability to become root using 'su' and 'sudo' as anyone but root.

Default nsswitch.conf:

```
passwd: compat
group: compat
shadow: compat
```

```
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
```

Modified nsswitch.conf with 'ldap' before 'compat':

```
passwd: ldap compat
group: ldap compat
shadow: ldap compat
```

```
matt@box:~$ sudo uname -a
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
matt@box:~$ su -
Password:
setgid: Operation not permitted
```

Modified nsswitch.conf with 'ldap' after 'compat':

```
passwd: compat ldap
group: compat ldap
shadow: compat ldap
```

```
matt@box:~$ sudo uname -a
[sudo] password for matt:
Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux
matt@box:~$ su -
Password:
root@box:~#
```

The same arrangements in nsswitch.conf work as expected in Jaunty and earlier releases.

[Regression Potential]
This should be minimal, since the code change only addresses the duplicate global_init call during thread callbacks.

Lucid Release Note:
== NSS via LDAP+SSL breaks setuid applications like sudo ==
Upgrading a system configured to use LDAP over SSL as the first service in the NSS stack (in nsswitch.conf) leaves NSS resolution broken for setuid applications after the upgrade to Lucid (for example, sudo stops working). There is no simple workaround for now. One option is to switch from libnss-ldap to libnss-ldapd before the upgrade. Another is to use nscd before the upgrade.
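A small diagnostic, added here and not part of the bug report or of libgcrypt, that isolates the failure mode shown in the test case: it snapshots the process credentials, performs the passwd and group lookups a setuid program such as su or sudo performs before switching users, and reports whether anything in the NSS chain (libnss-ldap, gnutls, libgcrypt) changed them behind the caller's back. Run it as root, or installed setuid root, on a host whose nsswitch.conf lists ldap first; the user-name argument and its default of "root" are assumptions of this example.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective credentials captured in one snapshot. */
struct ids { uid_t ruid, euid; gid_t rgid, egid; };

static struct ids snapshot_ids(void) {
    struct ids s;
    s.ruid = getuid();  s.euid = geteuid();
    s.rgid = getgid();  s.egid = getegid();
    return s;
}

static int ids_equal(struct ids a, struct ids b) {
    return a.ruid == b.ruid && a.euid == b.euid &&
           a.rgid == b.rgid && a.egid == b.egid;
}

/* Run the lookups su/sudo perform before switching users and report whether
 * the credential set survived them. Returns 1 if unchanged, 0 if an NSS
 * module (or a library it pulled in) altered the ids, -1 if user is unknown. */
int nss_lookup_preserves_ids(const char *user) {
    struct ids before = snapshot_ids();
    struct passwd *pw = getpwnam(user);      /* "passwd:" line of nsswitch.conf */
    if (pw == NULL)
        return -1;
    struct group *gr = getgrgid(pw->pw_gid); /* "group:" line of nsswitch.conf */
    (void)gr;                                /* only the side effects matter here */
    return ids_equal(before, snapshot_ids());
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "root"; /* "root" is a constructed default */
    struct ids b = snapshot_ids();
    int ok = nss_lookup_preserves_ids(user);
    struct ids a = snapshot_ids();
    if (ok < 0) {
        fprintf(stderr, "user %s not found via NSS\n", user);
        return 2;
    }
    printf("euid %u -> %u, egid %u -> %u: %s\n",
           (unsigned)b.euid, (unsigned)a.euid, (unsigned)b.egid, (unsigned)a.egid,
           ok ? "credentials preserved" : "credentials CHANGED during NSS lookup");
    return ok ? 0 : 1;
}
```

A report of "credentials CHANGED" before the program has called setreuid() or setgid() itself is exactly the state in which sudo prints the "setreuid(ROOT_UID, user_uid): Operation not permitted" error quoted in the test case.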
Related branches
- Brian Murray: Needs Fixing
- Diff: 1188 lines (+1133/-2), 8 files modified:
  - .pc/.quilt_patches (+1/-0)
  - .pc/.quilt_series (+1/-0)
  - .pc/applied-patches (+1/-0)
  - .pc/no-global-init-thread-callbacks.diff/src/global.c (+1112/-0)
  - debian/changelog (+6/-0)
  - debian/patches/no-global-init-thread-callbacks.diff (+11/-0)
  - debian/patches/series (+1/-0)
  - src/global.c (+0/-2)
Bug still present on Karmic alpha 5.