libnss_ldap.conf is not world-readable

Bug #94775 reported by Sergey V. Udaltsov
Affects Status Importance Assigned to Milestone
libnss-ldap (Ubuntu)

Bug Description

Binary package hint: libnss-ldap

I use ldap authentication. In order to check whether gnome-settings-daemon is allowed to access some system dbus services, dbus-daemon is trying to find out the details of the corresponding user. Since dbus-daemon runs as messagebus user (not root), it cannot read libnss_ldap.conf and fails the entire authentication process.

In my system, libnss_ldap.conf has permissions 600 while it should be 644 (and it actually fixes the failure at g-s-d startup).

Changed in libnss-ldap:
assignee: nobody → gepatino
status: Unconfirmed → Needs Info
Gabriel Patiño (gepatino) wrote :

I have a fresh edgy install and libnss_ldap.conf has permissions 644.

What version of Ubuntu are you using?

If the file has permissions 600 and you run dpkg-reconfigure libnss-ldap, are permissions set to 644?

Sergey V. Udaltsov (sergey-udaltsov) wrote :

I have feisty, upgraded from edgy. I will try to rerun dpkg-reconfigure tonight and report.

Sergey V. Udaltsov (sergey-udaltsov) wrote :

From dpkg-reconfigure:
If you use passwords in your libnss-ldap configuration, it is usually a good idea to have the configuration set with mode 0600 (readable and writable only by the file's owner).

Note: As a sanity check, libnss-ldap will check if you have nscd installed and will only set the mode to 0600 if nscd is present.

Make the configuration file readable/writeable by its owner only?

So there is an option here to make it 600 or 644 - I do not really know what the default value is. Anyway, I think this bug can be closed - users have the ability to make it 644 using dpkg-reconfigure (with some reasonable explanation). But before closing it - could you please make sure that the default value is 644 so other people would not send you similar complaints.

Thanks a lot for the help.
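
The trade-off in the dpkg-reconfigure text quoted above (0600 when the file holds a password, but only with nscd present) can be checked mechanically. The script below is an added example, not part of the bug report or of the libnss-ldap package. The function name, the explicit nscd argument and the sample files are constructed for illustration, and it assumes the password is stored in a `bindpw` line.

```shell
#!/bin/sh
# Audit an nss_ldap-style config for the 0600-vs-0644 trade-off.
# Usage: audit_nss_ldap_conf FILE NSCD   (NSCD: "yes" or "no")
# NSCD is a parameter so the check runs offline; on a real host it could be
# derived with something like `command -v nscd`.
audit_nss_ldap_conf() {
    conf=$1; nscd=$2
    [ -f "$conf" ] || { echo "MISSING"; return 2; }
    mode=$(stat -c %a "$conf") || return 2     # GNU stat: octal mode, e.g. 600
    other=${mode#"${mode%?}"}                  # last octal digit = "other" bits
    world_read=no
    [ $(( $other & 4 )) -ne 0 ] && world_read=yes
    has_pw=no
    # Assumption: a configured bind password sits in clear text on a bindpw line
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf" && has_pw=yes

    if [ "$world_read" = yes ] && [ "$has_pw" = yes ]; then
        echo "EXPOSED mode=$mode: bindpw is readable by every local user"
        return 1
    fi
    if [ "$world_read" = no ] && [ "$nscd" != yes ]; then
        echo "BROKEN mode=$mode: non-root processes cannot read it, no nscd"
        return 1
    fi
    echo "OK mode=$mode"
}

# Constructed sample configs (not taken from the bug report).
demo() {
    d=$(mktemp -d) || return 1
    printf 'host ldap.example.org\nbase dc=example,dc=org\n' > "$d/anon.conf"
    printf 'binddn cn=nss,dc=example,dc=org\nbindpw CONSTRUCTED-SECRET\n' > "$d/bind.conf"
    chmod 600 "$d/anon.conf"; audit_nss_ldap_conf "$d/anon.conf" no
    chmod 644 "$d/anon.conf"; audit_nss_ldap_conf "$d/anon.conf" no
    chmod 644 "$d/bind.conf"; audit_nss_ldap_conf "$d/bind.conf" yes
    chmod 600 "$d/bind.conf"; audit_nss_ldap_conf "$d/bind.conf" yes
    rm -rf "$d"
}
demo || true
```

The first demo case corresponds to the situation reported here: mode 600 with a non-root caller (dbus-daemon running as messagebus) and no cache daemon in front of the lookup.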

Changed in libnss-ldap:
assignee: gepatino → nobody
status: Needs Info → Unconfirmed
Adam Niedling (krychek) wrote :

Feisty is not supported anymore. Please reopen this report if this is still an issue in a later version of Ubuntu.

Changed in libnss-ldap:
status: New → Invalid