libnss_ldap.conf is not world-readable

Bug #94775 reported by Sergey V. Udaltsov
Affects Status Importance Assigned to Milestone
libnss-ldap (Ubuntu)

Bug Description

Binary package hint: libnss-ldap

I use ldap authentication. In order to check whether gnome-settings-daemon is allowed to access some system dbus services, dbus-daemon is trying to find out the details of the corresponding user. Since dbus-daemon runs as messagebus user (not root), it cannot read libnss_ldap.conf and fails the entire authentication process.

On my system, libnss_ldap.conf has permissions 600 while it should be 644 (and it actually fixes the failure at g-s-d startup).

Changed in libnss-ldap:
assignee: nobody → gepatino
status: Unconfirmed → Needs Info
Gabriel Patiño (gepatino) wrote :

I have a fresh edgy install and libnss_ldap.conf has permissions 644.

What version of Ubuntu are you using?

If the file has permissions 600 and you run dpkg-reconfigure libnss-ldap, are permissions set to 644?

Sergey V. Udaltsov (sergey-udaltsov) wrote :

I have feisty, upgraded from edgy. I will try to rerun dpkg-reconfigure tonight and report.

Sergey V. Udaltsov (sergey-udaltsov) wrote :

From dpkg-reconfigure:
If you use passwords in your libnss-ldap configuration, it is usually a good idea to have the configuration set with mode 0600 (readable and writable only by the file's owner).

Note: As a sanity check, libnss-ldap will check if you have nscd installed and will only set the mode to 0600 if nscd is present.

Make the configuration file readable/writeable by its owner only?

So there is an option here to make it 600 or 644 - I do not really know what the default value is. Anyway, I think this bug can be closed - users have the ability to make it 644 using dpkg-reconfigure (with some reasonable explanation). But before closing it - could you please make sure that the default value is 644 so other people would not send you similar complaints.

Thanks a lot for the help.

Changed in libnss-ldap:
assignee: gepatino → nobody
status: Needs Info → Unconfirmed
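
The trade-off in the dpkg-reconfigure prompt quoted above can be checked with a small audit script; this is an added example, not part of the original report or of the libnss-ldap package. It assumes GNU `stat`, that the bind password is stored with the `bindpw` directive, and (as the package's sanity check implies) that nscd performs lookups on behalf of non-root processes; the function name and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example: audit the mode of libnss_ldap.conf against its contents.
# Verdicts printed on stdout:
#   EXPOSED  world-readable and contains a bindpw secret
#   BROKEN   not world-readable and no nscd: non-root NSS lookups fail
#            (the dbus-daemon/messagebus failure described in the report)
#   OK-NSCD  not world-readable, nscd present (assumed to serve non-root lookups)
#   OK       world-readable and holds no bindpw
#   MISSING  file not found

audit_nss_ldap_conf() {
    conf=$1
    nscd=${2:-auto}              # yes | no | auto (auto = look for nscd in PATH)
    [ -f "$conf" ] || { echo MISSING; return 0; }

    if [ "$nscd" = auto ]; then
        if command -v nscd >/dev/null 2>&1; then nscd=yes; else nscd=no; fi
    fi

    mode=$(stat -c '%a' "$conf")     # GNU stat, prints e.g. 600 or 644
    other=${mode#"${mode%?}"}        # last octal digit holds the "other" bits
    if [ $((other & 4)) -ne 0 ]; then world=yes; else world=no; fi

    # A non-commented bindpw line means a clear-text password is in the file.
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf"; then
        secret=yes
    else
        secret=no
    fi

    if [ "$world" = yes ] && [ "$secret" = yes ]; then echo EXPOSED
    elif [ "$world" = yes ]; then echo OK
    elif [ "$nscd" = yes ]; then echo OK-NSCD
    else echo BROKEN
    fi
}

# Constructed sample configuration (not taken from the report).
demo=$(mktemp)
printf 'base dc=example,dc=org\nuri ldap://ldap.example.org/\n' > "$demo"
chmod 600 "$demo"
echo "mode 600, no nscd:   $(audit_nss_ldap_conf "$demo" no)"
chmod 644 "$demo"
echo "mode 644, no bindpw: $(audit_nss_ldap_conf "$demo" no)"
rm -f "$demo"
```

On a real system the function would be pointed at the installed libnss_ldap.conf, with the second argument omitted so that nscd is detected from PATH.
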
Adam Niedling (krychek) wrote :

Feisty is not supported anymore. Please reopen this report if this is still an issue in a later version of Ubuntu.

Changed in libnss-ldap:
status: New → Invalid