
LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11

Reported by nutznboltz on 2012-02-03
This bug affects 34 people
Affects: gnutls26 (Debian); status: New; importance: Unknown
Affects: gnutls26 (Ubuntu); importance: High; assigned to: Unassigned
Nominated for Precise by Adam Stokes
Nominated for Quantal by Adam Stokes

Bug Description

== Regression details ==
Discovered in version: 2.12.14-5ubuntu2 (Ubuntu 12.04 LTS)
Last known good version: 2.10.5-1ubuntu3 (Ubuntu 11.10)

Note that a work-around was required by libgnutls26 2.10.5-1ubuntu3; that
work-around started to be required by an earlier version and stopped
helping once 2.12.14-5ubuntu2 is used.

If your account is an LDAP one and your LDAP client connects to its LDAP server via SSL then running setuid programs from your account fail since libgcrypt11 is horribly broken and upstream GnuTLS no longer recommends using it as the backend crypto library:
http://lists.debian.org/debian-legal/2011/02/msg00006.html

In the past it was possible to work around this by using nscd but that work around no longer has any effect.

When I rebuild gnutls26 with nettle I am able to use setuid binaries from my LDAP account which connects via SSL to its LDAP server.

Reproducing:

1. Install an OpenLDAP server that speaks LDAP over SSL, see
https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html
for details.

2. Install Ubuntu 12.04 and configure it to be an LDAP client that connects to its LDAP server via SSL.

3. Log into the Ubuntu 12.04 system created in step 2 using an LDAP account, not an account in /etc/passwd.

4. Attempt to use sudo. You will see unexpected results:

nutz@dubnium:~$ sudo id
[sudo] password for nutz:
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
sudo: unable to open /var/lib/sudo/nutz/1: Operation not permitted
sudo: unable to set gid to runas gid 0: Operation not permitted
sudo: unable to execute /usr/bin/id: Operation not permitted
nutz@dubnium:~$

5. Apply patched version of gnutls26, see attached branch.

6. Attempt to use sudo. You will see expected results:

nutz@dubnium:~$ sudo id
[sudo] password for nutz:
uid=0(root) gid=0(root) groups=0(root)

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libgnutls26 2.12.14-5ubuntu2
ProcVersionSignature: Ubuntu 3.2.0-12.21-generic 3.2.2
Uname: Linux 3.2.0-12-generic i686
ApportVersion: 1.91-0ubuntu1
Architecture: i386
Date: Fri Feb 3 16:22:47 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111011)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gnutls26
UpgradeStatus: No upgrade log present (probably fresh install)

description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in gnutls26 (Ubuntu):
status: New → Confirmed

PPA with patch for the benefit of other affected people:
https://launchpad.net/~nutznboltz/+archive/gnutls26-with-nettle

description: updated
tags: added: testcase
description: updated
Dave Gilbert (ubuntu-treblig) wrote :

Has a severe impact on a small portion of Ubuntu users (estimated) -> High

Changed in gnutls26 (Ubuntu):
importance: Undecided → High

@ubuntu-treblig I do so appreciate your wisdom.

I tried installing sssd and the error message only prints the first line:

$ sudo id
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted

The sssd.conf file is a copy of one that works on CentOS 6.

That was with the libgcrypt11 GnuTLS package (2.12.14-5ubuntu2).

Once I switch back to a GnuTLS with nettle then sssd works, supporting sudo.

Changed in gnutls26 (Debian):
status: Unknown → New

Added regression-release tag based on advice in
https://wiki.ubuntu.com/QATeam/RegressionTracking

tags: added: regression-update
tags: added: regression-release
removed: regression-update
description: updated
description: updated

Let me see if I understand. The reason this bug is not going to be fixed is:

* Only some of the software distributed by Debian and Canonical under the GNU General Public License Version 2 includes a clause that says you can use future versions of that license AND
* Some of the libraries have converted to future versions of that license (e.g. GNU General Public License Version 3.) AND
* In particular gmp-5.0.2+dfsg ("libgmp10") is licensed under LGPLv3 while it is unproven if all of the software that links against it is compatible with that license AND
* There is no automated system for tracking software license dependencies AND
* Such a system is not available due to lack of reliably-machine-readable software license data AND
* A project known as DEP-5 ( http://dep.debian.net/deps/dep5/ ) exists to provide (develop) reliably-machine-readable software license data AND
* If DEP-5 were completed all it would provide is detailed knowledge about software license interactions so that the areas which need work could be identified.

Please correct me if any of the above in this comment is not correct. Thank you.

Dave Gilbert (ubuntu-treblig) wrote :

nutznbolts: Where do you see something saying 'this bug is not going to be fixed?'

ubuntu-treblig: go to https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/926350
and search for: Colin Watson: Needs Information on 2012-02-11
then explain just how that information will be provided.

ubuntu-treblig: when you can answer my question then I will be able to answer yours.

Dave Gilbert (ubuntu-treblig) wrote :

nutznboltz: OK, that question is best answered by Colin, you might want to add your question to the comment field on the review. (I don't know the answer)

I'm beginning to suspect that the best answer is to not ask any more questions.

Dave Gilbert (ubuntu-treblig) wrote :

nutznbolts: Please keep asking questions; but please be nice about it - I'm just triaging this bug, I've not worked on this package and don't know the answers - and there are lots and lots of important bugs in the database.
License problems are always a bit hairy, and Colin is right to ask that question.

DEP-5: Patches pushed to the Debian Policy repository
http://lists.debian.org/debian-policy/2012/02/msg00078.html

The DEP-5 specification v1.0 was released on Monday February 22, 2012 as part of debian-policy_3.9.3.0_all.deb

Ken Bowley (kbowley) wrote :

Is anything being done about this bug? This is a serious bug that would stop 12.04 from being used in many enterprise deployments. In our environment, we have mixed Mac and Linux workstations, and many Linux (CentOS, Debian, and Ubuntu) servers. We use LDAP for authentication, and the only way to administer the Ubuntu 12.04 systems is to enable root logins and ssh in directly as root.

Hi all,

this bug has been brought to my attention by my boss today.
If I understand the situation correctly, the problem is:

• OpenLDAP links against GnuTLS (gnutls26)
• gnutls26 links against gcrypt, which has the bug
• gnutls28 links against nettle, but also gmp which is LGPLv3+
• OpenLDAP thus can’t link against gnutls28, as it has reverse
  dependencies that are not LGPLv3-/GPLv3-compatible
• the package affected is libnss-ldap though

For some reason, neither nscd nor unscd seem to be able to
work around this bug, so it has become rather critical (e.g.
for use in company networks).

Why not do a readline and provide *two* versions of the
OpenLDAP client libraries, keep libldap-2.4-2 linked
against gnutls26 and add another shared library plus
development package (with at least the two shared library
packages coïnstallable) to link against gnutls28 and build
these BOTH from the SAME source package at the SAME time,
so an upload of OpenLDAP will not need another package to
be (re-)built to stay in sync.

Did anyone think of it already and will shoot this idea
down immediately? Or could it work?

bye,
//mirabilos • <email address hidden>
--
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese

Sonic (sonic4) wrote :

A quick workaround that solved my problem with this:

First install libnss-ldap
Configure ldap stuff, test if you can login but can't use setuid apps.
Then install nslcd and configure.

After these steps my system is working, and allowing me to login with ldap account and use sudo.

This bug is pretty serious: any enterprise that has more than one Linux box is using LDAP to authenticate.
And this is a show stopper...

This should be fixed ASAP.

Here is the process which I followed to fix the issue.

In case someone else has an issue with sudo access with 12.04: they need to reinstall the gnutls library with nettle, not with libgcrypt, as the libgcrypt library is broken. Here is the process:

# apt-get source gnutls26

remove --with-libgcrypt from the debian/rules file. build using this command

# debuild -i -uc -us -b

install using

# make install

That's it.
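A check that goes with the reproduction steps above and with this rebuild recipe: before rebuilding you want to know whether the installed libgnutls26 is the libgcrypt build this bug is about, and afterwards you want to confirm the nettle build is actually the one being loaded. The script below is an added example, not code from the bug report or from the gnutls26 package; it classifies the library's `ldd` output, and the library path is an assumption (multiarch systems keep it under /usr/lib/<triplet>/ instead).

```shell
#!/bin/sh
# Added example, not part of the bug report or the gnutls26 package.
# Reports whether the installed libgnutls26 pulls in libgcrypt (the build that
# breaks setuid binaries for LDAP-over-SSL accounts) or nettle (the rebuild).
# Assumed library path; override with GNUTLS_LIB=/usr/lib/<triplet>/libgnutls.so.26
GNUTLS_LIB="${GNUTLS_LIB:-/usr/lib/libgnutls.so.26}"

# classify_backend: reads `ldd` output from stdin and prints the crypto backend
# the library links: "libgcrypt", "nettle" or "unknown". libgcrypt wins when
# both appear, because its presence is what causes the setuid failure.
classify_backend() {
    deps=$(cat)
    case "$deps" in
        *libgcrypt.so*)                 echo libgcrypt ;;
        *libnettle.so*|*libhogweed.so*) echo nettle ;;
        *)                              echo unknown ;;
    esac
}

# report_backend: runs ldd on the real library (if readable) and prints a
# verdict. Returns 1 when the affected libgcrypt build is installed, 0 otherwise.
report_backend() {
    if [ ! -r "$GNUTLS_LIB" ]; then
        echo "no readable $GNUTLS_LIB; set GNUTLS_LIB to your libgnutls.so.26" >&2
        return 0
    fi
    backend=$(ldd "$GNUTLS_LIB" | classify_backend)
    case "$backend" in
        libgcrypt)
            echo "$GNUTLS_LIB links libgcrypt: LDAP-over-SSL accounts cannot use setuid binaries"
            return 1 ;;
        nettle)
            echo "$GNUTLS_LIB links nettle: not affected by this bug" ;;
        *)
            echo "$GNUTLS_LIB: crypto backend not identified from ldd output" ;;
    esac
}

# When run directly, the exit status mirrors report_backend (1 = affected build).
report_backend
```

Run it once before the rebuild (expect "links libgcrypt") and once after `make install` (expect "links nettle"); if it still reports libgcrypt afterwards, the old library is still the one on the loader path.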

PaulW (paulw) wrote :

I can confirm comment #22 resolved this for me on 12.04, but I had to pull in the following dependencies to build successfully.

# apt-get install devscripts libgcrypt11-dev zlib1g-dev cdbs gtk-doc-tools texinfo libtasn1-3-dev autotools-dev datefudge libp11-kit-dev pkg-config chrpath

PaulW (paulw) wrote :

Also, forgot to include...

# apt-get install nettle-dev libnettle4

I confirm that comments #22, 23 and 24 fixed the problem.

information type: Public → Public Security
information type: Public Security → Public