Package: libc6
Version: 2.3.2-8
Severity: normal

Some time ago, when I was migrating my systems to LDAP, I noticed some nss-related trouble (e.g. finger was unable to show information about LDAP users, although /etc/nsswitch was set correctly, and other tools worked). I even reported several bugs on such issues.

Some experiments have shown the problem was that /etc/libnss-ldap.conf was not world readable. I made it 644, and the problems disappeared. So I closed all bug reports on the issue, saying it was local misconfiguration.

However, 644 is not appropriate permissions for /etc/libnss-ldap.conf. With such permissions, user password hashes may be read from LDAP by anyone. It's the equivalent of a world-readable /etc/shadow. To say nothing of the fact that /etc/libnss-ldap.conf may contain the LDAP bind password on some setups ...

I guess that the correct permissions for /etc/libnss-ldap.conf are 600. And it is nscd (that runs as root) that should do binds to LDAP. And in fact it happens that way, as many apps do work correctly with 600 permissions on /etc/libnss-ldap.conf.

But e.g. finger does cause a scenario where the interaction between nscd and libc6 is invalid. Example:

[EMAIL PROTECTED]:~> finger test
Login: test Name: test
Directory: /home/test Shell: /bin/bash
Last login Wed Oct 15 17:45 (MSD) on tty3
Mail last read Tue Sep 23 19:28 2003 (MSD)
No Plan.
[EMAIL PROTECTED]:~> sudo chmod 600 /etc/libnss-ldap.conf
[EMAIL PROTECTED]:~> finger test
finger: test: no such user.
[EMAIL PROTECTED]:~> sudo chmod 644 /etc/libnss-ldap.conf
[EMAIL PROTECTED]:~> finger test
Login: test Name: test
Directory: /home/test Shell: /bin/bash
Last login Wed Oct 15 17:45 (MSD) on tty3
Mail last read Tue Sep 23 19:28 2003 (MSD)
No Plan.
[EMAIL PROTECTED]:~> ps aux | grep nscd
root 13538 0.0 0.2 37372 6144 ? S Oct13 1:29 /usr/sbin/nscd
root 13539 0.0 0.2 37372 6144 ? S Oct13 0:03 /usr/sbin/nscd
root 13540 0.0 0.2 37372 6144 ? S Oct13 1:26 /usr/sbin/nscd
root 13541 0.0 0.2 37372 6144 ? S Oct13 1:04 /usr/sbin/nscd
root 13542 0.0 0.2 37372 6144 ? S Oct13 1:05 /usr/sbin/nscd
root 13543 0.0 0.2 37372 6144 ? S Oct13 1:07 /usr/sbin/nscd
root 13544 0.0 0.2 37372 6144 ? S Oct13 1:05 /usr/sbin/nscd
nikita 3713 0.0 0.0 2876 732 pts/15 S 18:01 0:00 grep nscd

-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux zigzag 2.4.22-smp #1 SMP Птн Сен 12 18:01:54 MSD 2003 i686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R

Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl

-- no debconf information
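
An added example, not part of the original report and not Debian's or libnss-ldap's own tooling: a shell check that classifies the configuration file by the two properties the report weighs against each other, whether "other" can read it and whether it stores a bind password. It assumes GNU stat and that the password is set with the bindpw directive; the function name audit_nss_ldap_conf is hypothetical.

```shell
#!/bin/sh
# Added example: classify an nss_ldap-style config by file mode and bind secret.
# Assumptions: GNU stat (-c '%a'); the bind password is set with "bindpw".
# Prints: missing | exposed-secret | world-readable | restricted

audit_nss_ldap_conf() {
    conf=$1
    if [ ! -f "$conf" ]; then
        echo missing
        return 0
    fi

    mode=$(stat -c '%a' "$conf") || return 1
    # Last octal digit holds the permissions for "other"; 4..7 include read.
    other=${mode#"${mode%?}"}

    case $other in
        4|5|6|7)
            # Any local user can read the file; a stored bind password is
            # then disclosed along with the rest of the configuration.
            if grep -Eq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf"; then
                echo exposed-secret
            else
                echo world-readable
            fi
            ;;
        *)
            # Unprivileged processes cannot read the file, so their lookups
            # succeed only if a privileged helper such as nscd answers them.
            echo restricted
            ;;
    esac
}

# Default to the path from the report when no argument is given.
audit_nss_ldap_conf "${1:-/etc/libnss-ldap.conf}"
```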

