Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

2011-10-04 Thread Boian Mihailov
Thanks a lot, works like a charm. I wish I could be of any help to
you, saved me a lot of time.

2011/10/4 cdmiller cdmil...@adams.edu:
 Just a follow up to #106.  We have been running with the libgcrypt11
 patch from #73 with a couple thousand openldap and AD users using
 Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
 troubles.

 --
 You received this bug notification because you are subscribed to the bug
 report.
 https://bugs.launchpad.net/bugs/423252

 Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

 Status in Release Notes for Ubuntu:
  Fix Released
 Status in “eglibc” package in Ubuntu:
  Invalid
 Status in “libgcrypt11” package in Ubuntu:
  Confirmed
 Status in “libnss-ldap” package in Ubuntu:
  Invalid
 Status in “sudo” package in Ubuntu:
  Invalid
 Status in “eglibc” source package in Lucid:
  Invalid
 Status in “libgcrypt11” source package in Lucid:
  Confirmed
 Status in “libnss-ldap” source package in Lucid:
  Invalid
 Status in “sudo” source package in Lucid:
  Invalid
 Status in “eglibc” source package in Maverick:
  Invalid
 Status in “libgcrypt11” source package in Maverick:
  Confirmed
 Status in “libnss-ldap” source package in Maverick:
  Confirmed
 Status in “sudo” source package in Maverick:
  Invalid
 Status in “eglibc” source package in Karmic:
  Invalid
 Status in “libgcrypt11” source package in Karmic:
  Won't Fix
 Status in “libnss-ldap” source package in Karmic:
  Invalid
 Status in “sudo” source package in Karmic:
  Invalid
 Status in “libgcrypt11” package in Debian:
  Confirmed
 Status in “sudo” package in Debian:
  Confirmed
 Status in “sudo” package in Kairos Linux:
  Confirmed

 Bug description:
  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.

  Default nsswitch.conf:

  passwd:         compat
  group:          compat
  shadow:         compat

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  Modified nsswitch.conf with 'ldap' before 'compat':

  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat

  matt@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

  matt@box:~$ su -
  Password:
  setgid: Operation not permitted

  Modified nsswitch.conf with 'ldap' after 'compat':

  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap

  matt@box:~$ sudo uname -a
  [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 GNU/Linux

  matt@box:~$ su -
  Password:
  root@box:~#

  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.

  Lucid Release Note:

  == NSS via LDAP+SSL breaks setuid applications like sudo ==

  Upgrading systems configured to use ldap over ssl as the first service
  in the nss stack (in nsswitch.conf) leads to a broken nss resolution
  for setuid applications after the upgrade to Lucid (for example sudo
  would stop working). There isn't any simple workaround for now. One
  option is to switch to libnss-ldapd in place of libnss-ldap before the
  upgrade. Another one consists in using nscd before the upgrade.

 To manage notifications about this bug go to:
 https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions


-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
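
A check for the configuration the bug description and the Lucid release note describe (`ldap` as the first service in nsswitch.conf, with LDAP over SSL), written as an added example that is not part of the original report or of any Ubuntu package. It assumes the libnss-ldap client file uses the `uri` and `ssl` keys, which the page does not show; the file paths and the sample contents are constructed.

```shell
#!/bin/sh
# Added example: detect the nsswitch.conf ordering from bug 423252.

# Print the first service listed for database $2 in nsswitch.conf file $1.
first_service() {
    awk -v db="$2:" '{ sub(/#.*/, "") } $1 == db { print $2; exit }' "$1"
}

# Succeed if the libnss-ldap config $1 talks to the server over SSL/TLS
# (an ldaps:// URI, "ssl on", or "ssl start_tls"). Key names are assumed,
# they do not appear in the bug report.
ldap_uses_tls() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "uri" { for (i = 2; i <= NF; i++) if (tolower($i) ~ /^ldaps:/) hit = 1 }
         tolower($1) == "ssl" && tolower($2) ~ /^(on|start_tls)$/ { hit = 1 }
         END { exit !hit }' "$1"
}

# Print the databases (passwd/group/shadow) that match the bug's conditions:
# LDAP over SSL/TLS and 'ldap' listed before every other service.
affected_dbs() {   # $1 = nsswitch.conf, $2 = ldap client config
    found=""
    if ldap_uses_tls "$2"; then
        for db in passwd group shadow; do
            if [ "$(first_service "$1" "$db")" = "ldap" ]; then
                found="$found $db"
            fi
        done
    fi
    echo "${found# }"
}

# Constructed sample input (not taken from a real host).
demo_dir=$(mktemp -d)
printf 'passwd: ldap compat\ngroup: compat ldap\nshadow: ldap compat\n' \
    > "$demo_dir/nsswitch.conf"
printf 'uri ldaps://ldap.example.org/\nbase dc=example,dc=org\n' \
    > "$demo_dir/ldap.conf"
echo "ldap-first databases: $(affected_dbs "$demo_dir/nsswitch.conf" "$demo_dir/ldap.conf")"
rm -rf "$demo_dir"
```

An empty result means none of the three databases list `ldap` first, or the LDAP client is not configured for SSL/TLS.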

