LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls26 (Debian) | New | Unknown | |
gnutls26 (Ubuntu) | Confirmed | High | Unassigned |
Bug Description
== Regression details ==
Discovered in version: 2.12.14-5ubuntu2 (Ubuntu 12.04 LTS)
Last known good version: 2.10.5-1ubuntu3 (Ubuntu 11.10)
Note that a work-around was already required with libgnutls26 2.10.5-1ubuntu3; that
work-around first became necessary with an earlier version, and it stops helping
once 2.12.14-5ubuntu2 is used.
If your account is an LDAP one and your LDAP client connects to its LDAP server via SSL, then running setuid programs from your account fails, since libgcrypt11 is horribly broken and upstream GnuTLS no longer recommends using it as the backend crypto library:
http://
In the past it was possible to work around this by using nscd, but that work-around no longer has any effect.
When I rebuild gnutls26 with nettle, I am able to use setuid binaries from my LDAP account, which connects via SSL to its LDAP server.
Reproducing:
1. Install an OpenLDAP server that speaks LDAP over SSL, see
https:/
for details.
2. Install Ubuntu 12.04 and configure it to be an LDAP client that connects to its LDAP server via SSL.
3. Log into the Ubuntu 12.04 system created above using an LDAP account, not an account in /etc/passwd.
4. Attempt to use sudo. You will see unexpected results:
nutz@dubnium:~$ sudo id
[sudo] password for nutz:
sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
sudo: unable to open /var/lib/
sudo: unable to set gid to runas gid 0: Operation not permitted
sudo: unable to execute /usr/bin/id: Operation not permitted
nutz@dubnium:~$
5. Apply the patched version of gnutls26 (see the attached branch).
6. Attempt to use sudo again. You will see the expected results:
nutz@dubnium:~$ sudo id
[sudo] password for nutz:
uid=0(root) gid=0(root) groups=0(root)
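A quick way to tell which crypto backend the installed libgnutls26 was built against, added here as an illustration rather than code from the report or the attached branch: it reads the `ldd` output for the library and reports `libgcrypt` when libgcrypt appears anywhere in the dependency chain (the build the report describes as breaking setuid binaries), `nettle` when only nettle/hogweed appear. The library path is taken from `ldconfig -p`; the sample `ldd` lines are constructed.

```sh
#!/bin/sh
# Classify a GnuTLS build from `ldd` output fed on stdin.
# Prints "libgcrypt" if libgcrypt is anywhere in the dependency chain
# (the configuration the report calls broken for setuid programs),
# "nettle" if only nettle/hogweed are present, "unknown" otherwise.
gnutls_backend() {
  awk '
    /libnettle\.so|libhogweed\.so/ { nettle = 1 }
    /libgcrypt\.so/                { gcrypt = 1 }
    END {
      if (gcrypt)      print "libgcrypt"
      else if (nettle) print "nettle"
      else             print "unknown"
    }'
}

# Locate libgnutls.so.26 through the dynamic linker cache and classify it.
# Prints "not-installed" when the library is absent from the cache.
check_installed_gnutls26() {
  lib=$({ ldconfig -p 2>/dev/null || /sbin/ldconfig -p 2>/dev/null; } \
        | awk '/libgnutls\.so\.26 / { print $NF; exit }')
  if [ -z "$lib" ]; then
    echo "not-installed"
    return 0
  fi
  ldd "$lib" | gnutls_backend
}

# Constructed ldd excerpts for both builds (paths and addresses are illustrative).
SAMPLE_GCRYPT='  libgcrypt.so.11 => /lib/i386-linux-gnu/libgcrypt.so.11 (0xb7600000)
  libgpg-error.so.0 => /lib/i386-linux-gnu/libgpg-error.so.0 (0xb75f0000)
  libz.so.1 => /lib/i386-linux-gnu/libz.so.1 (0xb75d0000)'
SAMPLE_NETTLE='  libnettle.so.4 => /usr/lib/i386-linux-gnu/libnettle.so.4 (0xb7600000)
  libhogweed.so.2 => /usr/lib/i386-linux-gnu/libhogweed.so.2 (0xb75f0000)
  libgmp.so.10 => /usr/lib/i386-linux-gnu/libgmp.so.10 (0xb75d0000)'

# Helpers that classify the constructed samples (used for self-checking).
sample_gcrypt_result() { printf '%s\n' "$SAMPLE_GCRYPT" | gnutls_backend; }
sample_nettle_result() { printf '%s\n' "$SAMPLE_NETTLE" | gnutls_backend; }
```

On an affected 12.04 system, `check_installed_gnutls26` printing `libgcrypt` matches the setup in which the sudo failure above occurs.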
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: libgnutls26 2.12.14-5ubuntu2
ProcVersionSign
Uname: Linux 3.2.0-12-generic i686
ApportVersion: 1.91-0ubuntu1
Architecture: i386
Date: Fri Feb 3 16:22:47 2012
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111011)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: gnutls26
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- Colin Watson: Needs Information
- Diff: 48 lines (+9/-3), 3 files modified: debian/changelog (+6/-0), debian/control (+2/-2), debian/rules (+1/-1)
Changed in gnutls26 (Debian):
- status: Unknown → New
- description: updated
- description: updated
- information type: Public → Public Security
- information type: Public Security → Public
Status changed to 'Confirmed' because the bug affects multiple users.