subject:"\[Bug 423252\] Re\: NSS using LDAP on Karmic breaks 'su' and 'sudo'"

The workarounds available AFAIK is:
- install nscd
- or replace libnss-ldap with libnss-ldapd (and nslcd)

Both workarounds worked for me on karmic.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-27 Thread Hark

Rune: The first solution (nscd) is not waterproof as nscd tends to crash
quite often (and thus revoking your ability to do su or sudo as ldap
user)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

Re: [Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-27 Thread muzzol

2010/4/27 Hark ubu...@komkommerkom.com:
 Rune: The first solution (nscd) is not waterproof as nscd tends to crash
 quite often (and thus revoking your ability to do su or sudo as ldap
 user)


i use a combination of LDAP + NSCD + cached credentials (ccreds) and i
can do su or sudo without problems.


-- 

 ^ ^
 O O
(_ _)
muzzol(a)muzzol.com

jabber id: muzzol(a)jabber.dk

No atribueixis qualitats humanes als ordinadors.
No els hi agrada.

El gobierno español sólo habla con terroristas, homosexuales y
catalanes, a ver cuando se decide a hablar con gente normal
Jiménez Losantos

echelon spamming
bomb terrorism bush aznar teletubbies
/echelon spamming

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I read all of the diffs between 1.4.1 and 1.4.4 but didn't find any
likely suspects. However, tracing the library initialization in gdb, I
found the specific problem.

Ordinarily gnutls will initialize the gcrypt library, if no app has done
so already. In the gnutls initialization, it specifically turns gcrypt's
secure malloc off, and everything works fine.

However, in my trace on Lucid, libnss-ldap is linked to libldap_r, not
libldap. And because libldap_r has to support threads, it is required to
initialize libgcrypt's thread callbacks, and it must do this before
doing anything else with libgcrypt or gnutls.

http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading

The problem with that is, once we do this thread initialization,
libgcrypt considers itself fully initialized. When we next call gnutls's
init function, it checks to see if gcrypt is init'd or not, sees that it
is, and skips any further init'ing. So the secure malloc stuff remains
enabled.

I guess in this case we could do the initialization that gnutls skips,
but that's rather ugly, libldap shouldn't have to know or duplicate the
initialization steps inside gnutls_global_init(). Alternatively,
libgcrypt could be changed to not call its global_init() right after
setting the thread callbacks, since it's obvious that the caller still
has other initialization calls that it needs to make. (Frankly I think
this is the correct option.)

Finally, gnutls_global_init() could be changed to check for
initialization_finished, instead of initialization_started. (i.e., check
for GCRYCTL_INITIALIZATION_FINISHED_P, instead of
GCRYCTL_ANY_INITIALIZATION_P). But this latter is pretty dicey, gnutls
really has no way to know if it should be meddling in a half-initialized
libgcrypt or not.

I'm trying really hard not to say I told you so again, but I just
can't stop myself.

--
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Probably the best fix: don't call global_init when setting the thread
callbacks.

** Attachment added: potential libgcrypt fix
   http://launchpadlibrarian.net/45701569/dif1.txt

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

There is always the chance of something crashing, no matter how you fix this 
problem!
Of course having a sudoable (or root) account in the local passwd database 
would remove a lot of the uncertainty that comes from relying on network for 
resolving users.

Several has commented that nscd is unstable. However, I see no launchpad bug 
documenting this.
I have had no problems with nscd and it seems muzzol hasn't either.
Also, I have had no problems with libnss-ldapd.

So both are possible workarounds.
The suggested release note from mathias gug doesn't really provide an 
acceptable workaround as it essentially disables the use of ldap for resolving 
users.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Potential gnutls fix: do gcrypt initialization as long it isn't already
finished. probably a bad idea.

** Attachment added: potential gnutls fix
   http://launchpadlibrarian.net/45701794/dif2.txt

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Rune: just google for nscd problems, it has a long history of stability
issues. But on top of the issues caused by poor implementation, it also
has problems due to an inherently inadequate design. Some of these
issues are outlined in my LDAPCon presentation linked above. All of this
is well documented, I don't think it bears repeating in this already-
too-long bug report. (Just bringing this report up on my Seamonkey
browser drags the browser to its knees.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-27 Thread Andreas Sandberg

Mathias: IIRC, the compat workaround only works if you have all users in
the local passwd database. You still won't be able to use sudo, or run
any other setuid binary that uses nss-services, for users that don't
exist in the local passwd database.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

The workarounds available AFAIK is:
- install nscd
- or replace libnss-ldap with libnss-ldapd (and nslcd)

Both workarounds worked for me on karmic.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-27 Thread Hark

Rune: The first solution (nscd) is not waterproof as nscd tends to crash
quite often (and thus revoking your ability to do su or sudo as ldap
user)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Re: [Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-27 Thread muzzol

2010/4/27 Hark ubu...@komkommerkom.com:
 Rune: The first solution (nscd) is not waterproof as nscd tends to crash
 quite often (and thus revoking your ability to do su or sudo as ldap
 user)


i use a combination of LDAP + NSCD + cached credentials (ccreds) and i
can do su or sudo without problems.


-- 

 ^ ^
 O O
(_ _)
muzzol(a)muzzol.com

jabber id: muzzol(a)jabber.dk

No atribueixis qualitats humanes als ordinadors.
No els hi agrada.

El gobierno español sólo habla con terroristas, homosexuales y
catalanes, a ver cuando se decide a hablar con gente normal
Jiménez Losantos

echelon spamming
bomb terrorism bush aznar teletubbies
/echelon spamming

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I read all of the diffs between 1.4.1 and 1.4.4 but didn't find any
likely suspects. However, tracing the library initialization in gdb, I
found the specific problem.

Ordinarily gnutls will initialize the gcrypt library, if no app has done
so already. In the gnutls initialization, it specifically turns gcrypt's
secure malloc off, and everything works fine.

http://www.gnupg.org/documentation/manuals/gcrypt/Multi_002dThreading.html#Multi_002dThreading

I'm trying really hard not to say I told you so again, but I just
can't stop myself.

--
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Probably the best fix: don't call global_init when setting the thread
callbacks.

** Attachment added: potential libgcrypt fix
   http://launchpadlibrarian.net/45701569/dif1.txt

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

There is always the chance of something crashing, no matter how you fix this 
problem!
Of course having a sudoable (or root) account in the local passwd database 
would remove a lot of the uncertainty that comes from relying on network for 
resolving users.

Several has commented that nscd is unstable. However, I see no launchpad bug 
documenting this.
I have had no problems with nscd and it seems muzzol hasn't either.
Also, I have had no problems with libnss-ldapd.

So both are possible workarounds.
The suggested release note from mathias gug doesn't really provide an 
acceptable workaround as it essentially disables the use of ldap for resolving 
users.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Potential gnutls fix: do gcrypt initialization as long it isn't already
finished. probably a bad idea.

** Attachment added: potential gnutls fix
   http://launchpadlibrarian.net/45701794/dif2.txt

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Rune: just google for nscd problems, it has a long history of stability
issues. But on top of the issues caused by poor implementation, it also
has problems due to an inherently inadequate design. Some of these
issues are outlined in my LDAPCon presentation linked above. All of this
is well documented, I don't think it bears repeating in this already-
too-long bug report. (Just bringing this report up on my Seamonkey
browser drags the browser to its knees.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Updating statuses based on Howard feedback in comment 62.

** Changed in: eglibc (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: eglibc (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: libnss-ldap (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: libnss-ldap (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: sudo (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: sudo (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Importance: Undecided = Medium

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Status: New = Triaged

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Importance: Undecided = Medium

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: New = Triaged

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Lucid release note:

Upgrading systems configured to use ldap via ssl as the first service in
the nss stack (in nsswitch.conf) leads to a broken nss resolution
afterwards (for example sudo would stop working). A workaround is to
configure ldap to be used after the compat service in nsswitch.conf
before the upgrade is started.

** Also affects: ubuntu-release-notes
   Importance: Undecided
   Status: New

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

According to the reporter this configuration used to work in jaunty.
libgrypt11 version is 1.4.1-2ubuntu1. It seems that something
changed/broke between 1.4.1 and 1.4.4.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Updating statuses based on Howard feedback in comment 62.

** Changed in: eglibc (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: eglibc (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: libnss-ldap (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: libnss-ldap (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: sudo (Ubuntu Karmic)
   Status: New = Invalid

** Changed in: sudo (Ubuntu Lucid)
   Status: New = Invalid

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Importance: Undecided = Medium

** Changed in: libgcrypt11 (Ubuntu Karmic)
   Status: New = Triaged

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Importance: Undecided = Medium

** Changed in: libgcrypt11 (Ubuntu Lucid)
   Status: New = Triaged

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Lucid release note:

Upgrading systems configured to use ldap via ssl as the first service in
the nss stack (in nsswitch.conf) leads to a broken nss resolution
afterwards (for example sudo would stop working). A workaround is to
configure ldap to be used after the compat service in nsswitch.conf
before the upgrade is started.

** Also affects: ubuntu-release-notes
   Importance: Undecided
   Status: New

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

According to the reporter this configuration used to work in jaunty.
libgrypt11 version is 1.4.1-2ubuntu1. It seems that something
changed/broke between 1.4.1 and 1.4.4.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-22 Thread Lionel Porcheron

If I can try to summarize the situation on this bug:
- This is a regression from hardy. This use to work on hardy.
- We document using tls for LDAP authentication in the server guide

The most annoying point IMHO, is that someone who has root access to his
server with a LDAP account with sudo, will not be able to get root
access after upgrading. If we are not able to fix this before release
(which is highly probable considering where we are in the release
cycle), I think it worth some words in the release notes.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-22 Thread Lionel Porcheron

If I can try to summarize the situation on this bug:
- This is a regression from hardy. This use to work on hardy.
- We document using tls for LDAP authentication in the server guide

The most annoying point IMHO, is that someone who has root access to his
server with a LDAP account with sudo, will not be able to get root
access after upgrading. If we are not able to fix this before release
(which is highly probable considering where we are in the release
cycle), I think it worth some words in the release notes.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-21 Thread Thierry Carrez

mathias, could you clarify if there is anything we can do here pre-Lucid
release ?

** Changed in: sudo (Ubuntu Lucid)
 Assignee: (unassigned) = Mathias Gug (mathiaz)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-21 Thread Thierry Carrez

mathias, could you clarify if there is anything we can do here pre-Lucid
release ?

** Changed in: sudo (Ubuntu Lucid)
 Assignee: (unassigned) = Mathias Gug (mathiaz)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I'd be happy to write a patch for the documentation. And given all of
the problems with the design (and implementation) of libnss-ldap, I'd
say any analysis will show that libnss-ldapd is still the path of lowest
risk and greatest stability. (In particular, when used with OpenLDAP
nssov.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-17 Thread Philipp Kaluza

Howard, I have longingly looked at libnss-ldapd for almost 4 years now, and 
absolutely agree it has a better architecture, cleaner code etc., and is a 
sensible long-term migration path. (The other possibly being sssd.)
  But multiple test migrations in my LDAP deployments always turned up some 
show-stopper problem or another. The last of these happend 3-4 months ago with 
ubuntu workstations, running an up-to-date karmic client-side (actually 
triggered by trying to work around exactly this bug).
  If the server team decides they want to try migrating for lucid, i'd be the 
first to offer help testing. But I sure don't see this happening before lucid+1.

Disclaimer: haven't tried the caching slapd with nssov yet, only nslcd,
because i need at least an incremental migration path.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Right, given the timing for the Lucid release it's probably way too
late. I can't comment on your experience with nslcd as I have never used
its code or read it in depth. The stub library and nssov have been
pretty well tested internally in Symas; since the stub library is almost
entirely cookie-cutter code it's known to be bug-free. At the risk of
sounding like a commercial, I should note that Symas is offering
standalone packages for free evaluation (our SUUMv4 product, based on
nssov). A number of our customers have migrated successfully, it's an
easy transition.

In the meantime, for this bug, it looks like gcrypt uses its internal
secure malloc function if the app didn't set any overrides. I'm not sure
that making libldap override the secure malloc is a good idea, since
some apps may still want that secure malloc behavior. And any app that
explicitly uses gnutls or libgcrypt may get its preference silently
overridden by libldap, or vice versa.

Again, the only safe way to address this bug is by taking
libldap/nss_ldap out of the application's address space.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Looking at the gcrypt code, it seems this bug should be reported against
that; this whole secmem implementation (1) requires a program to be
started as root (setuid) and (2) always drops the root priv when it has
initialized its secure memory. These behaviors would certainly interfere
with any setuid programs normal behavior. Seems like a design flaw in
libgcrypt, as the docs http://www.gnupg.org/documentation/manuals/gcrypt
/Initializing-the-library.html#Initializing-the-library state that the
application is responsible for controlling this behavior. Apps that are
unaware that they are using gcrypt (because it came in implicitly
through gnutls, thru libldap, thru nss) are SOL.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-17 Thread Andreas Sandberg

Howard: I really agree that the libnss-ldapd design is much cleaner and
a better alternative in the long run (e.g., doing client certificates
with libnss-ldap would be interesting). However, the documented way
[1] of using ldap for authentication uses libnss-ldap, so this should be
supported or the documentation needs to be changed. Besides, I think a
lot of organizations would be hesitant to migrate to libnss-ldapd.

https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I'd be happy to write a patch for the documentation. And given all of
the problems with the design (and implementation) of libnss-ldap, I'd
say any analysis will show that libnss-ldapd is still the path of lowest
risk and greatest stability. (In particular, when used with OpenLDAP
nssov.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-17 Thread Philipp Kaluza

Howard, I have longingly looked at libnss-ldapd for almost 4 years now, and 
absolutely agree it has a better architecture, cleaner code etc., and is a 
sensible long-term migration path. (The other possibly being sssd.)
  But multiple test migrations in my LDAP deployments always turned up some 
show-stopper problem or another. The last of these happend 3-4 months ago with 
ubuntu workstations, running an up-to-date karmic client-side (actually 
triggered by trying to work around exactly this bug).
  If the server team decides they want to try migrating for lucid, i'd be the 
first to offer help testing. But I sure don't see this happening before lucid+1.

Disclaimer: haven't tried the caching slapd with nssov yet, only nslcd,
because i need at least an incremental migration path.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Right, given the timing for the Lucid release it's probably way too
late. I can't comment on your experience with nslcd as I have never used
its code or read it in depth. The stub library and nssov have been
pretty well tested internally in Symas; since the stub library is almost
entirely cookie-cutter code it's known to be bug-free. At the risk of
sounding like a commercial, I should note that Symas is offering
standalone packages for free evaluation (our SUUMv4 product, based on
nssov). A number of our customers have migrated successfully, it's an
easy transition.

In the meantime, for this bug, it looks like gcrypt uses its internal
secure malloc function if the app didn't set any overrides. I'm not sure
that making libldap override the secure malloc is a good idea, since
some apps may still want that secure malloc behavior. And any app that
explicitly uses gnutls or libgcrypt may get its preference silently
overridden by libldap, or vice versa.

Again, the only safe way to address this bug is by taking
libldap/nss_ldap out of the application's address space.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Looking at the gcrypt code, it seems this bug should be reported against
that; this whole secmem implementation (1) requires a program to be
started as root (setuid) and (2) always drops the root priv when it has
initialized its secure memory. These behaviors would certainly interfere
with any setuid programs normal behavior. Seems like a design flaw in
libgcrypt, as the docs http://www.gnupg.org/documentation/manuals/gcrypt
/Initializing-the-library.html#Initializing-the-library state that the
application is responsible for controlling this behavior. Apps that are
unaware that they are using gcrypt (because it came in implicitly
through gnutls, thru libldap, thru nss) are SOL.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I managed to get a core-dump from a test program (a nice little hack
that debugs the test application and core dumps it when it executes the
setuid syscall) that reproduces the bug. The following stack trace might
be of interest:

#0  __nptl_setxid (cmdp=0x7fff1439ad00) at allocatestack.c:1135
#1  0x7f41dda052fb in __setuid (uid=value optimized out) at 
../sysdeps/unix/sysv/linux/setuid.c:26
#2  0x7f41db005124 in lock_pool (n=value optimized out) at secmem.c:296
#3  secmem_init (n=value optimized out) at secmem.c:477
#4  0x7f41db0052da in _gcry_secmem_malloc_internal (size=128) at 
secmem.c:509
#5  0x7f41db005368 in _gcry_secmem_malloc (size=128) at secmem.c:544
#6  0x7f41db00084d in do_malloc (n=1000, flags=1000, mem=0x7fff1439adb8) at 
global.c:730
#7  0x7f41db00087c in _gcry_malloc_secure (n=1000) at global.c:769
#8  0x7f41db0130c0 in md_open (h=0x7fff1439ae28, algo=1, secure=value 
optimized out, hmac=value optimized out) at md.c:487
#9  0x7f41db0131ea in _gcry_md_open (h=0x7fff1439af18, algo=1000, 
flags=value optimized out) at md.c:530
#10 0x7f41dbd03c0f in wrap_gcry_mac_init (algo=value optimized out, 
ctx=0x3e8) at mac-libgcrypt.c:42
#11 0x7f41dbcea127 in _gnutls_hmac_init (dig=0x7fff1439af10, 
algorithm=GNUTLS_MAC_MD5, key=0x10afbc0, keylen=24) at gnutls_hash_int.c:277
#12 0x7f41dbcfad78 in _gnutls_P_hash (algorithm=value optimized out, 
secret=value optimized out, secret_size=value optimized out, seed=value 
optimized out, seed_size=value optimized out, total_bytes=value optimized 
out, ret=0x7fff1439b170 \231\376~, incomplete sequence \316) at 
gnutls_state.c:811
#13 0x7f41dbcfafca in _gnutls_PRF (session=value optimized out, 
secret=value optimized out, secret_size=value optimized out, label=value 
optimized out, label_size=value optimized out, seed=0x7fff1439b570 
K\310\331\346-\364\310*~E%\026\223g\216\323K֜\272^1\270Fn\025\254\307`\235%\rK\310\331\345\267\337\023y\314Tn\262-\277\236S\017\362B\237W\220\017\366H\035\372͟5\204\027\001,
 seed_size=value optimized out, total_bytes=48, ret=0x10b2552) at 
gnutls_state.c:926
#14 0x7f41dbce883f in generate_normal_master (session=0x10b2530, 
keep_premaster=0) at gnutls_kx.c:155
#15 0x7f41dbcf35bb in _gnutls_connection_state_init (session=0x3e8) at 
gnutls_constate.c:434
#16 0x7f41dbce43f8 in _gnutls_send_handshake_final (session=0x10b2530, 
init=1) at gnutls_handshake.c:2472
#17 0x7f41dbce45d5 in _gnutls_handshake_common (session=0x10b2530) at 
gnutls_handshake.c:2700
#18 0x7f41dbce5c67 in gnutls_handshake (session=0x10b2530) at 
gnutls_handshake.c:2297
#19 0x7f41dd3196de in ?? () from /usr/lib/libldap_r-2.4.so.2
#20 0x7f41dd3184a2 in ?? () from /usr/lib/libldap_r-2.4.so.2
#21 0x7f41dd318703 in ldap_int_tls_start () from /usr/lib/libldap_r-2.4.so.2
#22 0x7f41dd5338fc in ?? () from /lib/libnss_ldap.so.2
#23 0x7f41dd533f29 in ?? () from /lib/libnss_ldap.so.2
#24 0x7f41dd534832 in ?? () from /lib/libnss_ldap.so.2
#25 0x7f41dd534bbd in ?? () from /lib/libnss_ldap.so.2
#26 0x7f41dd5352b7 in _nss_ldap_getpwnam_r () from /lib/libnss_ldap.so.2
#27 0x7f41dda0345d in __getpwnam_r (name=0x4017d4 foo, 
resbuf=0x7f41ddcd8ce0, buffer=0x107f010 nslcd, buflen=1024, result=value 
optimized out) at ../nss/getXXbyYY_r.c:253
#28 0x7f41dda02e40 in getpwnam (name=0x4017d4 foo) at 
../nss/getXXbyYY.c:117
#29 0x00401202 in main (argc=1, argv=0x7fff1439c538) at debug.c:175

Stack frame 2 (secmem.c:296 in libgcrypt) is of particular interest. The code 
looks like this (with uid = getuid()):
  if (uid  ! geteuid ())
{
  /* check that we really dropped the privs.
   * Note: setuid(0) should always fail */
  if (setuid (uid) || getuid () != geteuid () || !setuid (0))
log_fatal (failed to reset uid: %s\n, strerror (errno));
}

This is clearly not what we want... :(

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

** Also affects: libgcrypt11 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Great find, Andreas. So gnutls is calling gcrypt's secure memory
functions. And yet, the gnutls docs say these functions are not used by
default, and certainly OpenLDAP does not configure gnutls to use them.
Something else in the stack must be setting that behavior.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Regardless of what the root cause turns out to be, you guys really need
to switch to libnss-ldapd, which will reliably isolate the user apps
from whatever junk is going on inside libldap / gnutls / whatever. (And
if you're not using the latest version, which also handles pam_ldap,
then you need to update.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-16 Thread David Tomaschik

Howard, a quick google didn't show much other than package info for
libnss-ldapd.  Do you have any links to documentation that might be of
use?  We're about to do a major ldap rollout for our servers at work and
I want to know as much as I can ahead of time.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

You can find detailed design docs at its home page
http://arthurdejong.org/nss-pam-ldapd/

You can also find my LDAPCon2009 presentation on the subject here
http://www.symas.com/ldapcon2009/papers/hyc1.shtml

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I managed to get a core-dump from a test program (a nice little hack
that debugs the test application and core dumps it when it executes the
setuid syscall) that reproduces the bug. The following stack trace might
be of interest:

#0  __nptl_setxid (cmdp=0x7fff1439ad00) at allocatestack.c:1135
#1  0x7f41dda052fb in __setuid (uid=value optimized out) at 
../sysdeps/unix/sysv/linux/setuid.c:26
#2  0x7f41db005124 in lock_pool (n=value optimized out) at secmem.c:296
#3  secmem_init (n=value optimized out) at secmem.c:477
#4  0x7f41db0052da in _gcry_secmem_malloc_internal (size=128) at 
secmem.c:509
#5  0x7f41db005368 in _gcry_secmem_malloc (size=128) at secmem.c:544
#6  0x7f41db00084d in do_malloc (n=1000, flags=1000, mem=0x7fff1439adb8) at 
global.c:730
#7  0x7f41db00087c in _gcry_malloc_secure (n=1000) at global.c:769
#8  0x7f41db0130c0 in md_open (h=0x7fff1439ae28, algo=1, secure=value 
optimized out, hmac=value optimized out) at md.c:487
#9  0x7f41db0131ea in _gcry_md_open (h=0x7fff1439af18, algo=1000, 
flags=value optimized out) at md.c:530
#10 0x7f41dbd03c0f in wrap_gcry_mac_init (algo=value optimized out, 
ctx=0x3e8) at mac-libgcrypt.c:42
#11 0x7f41dbcea127 in _gnutls_hmac_init (dig=0x7fff1439af10, 
algorithm=GNUTLS_MAC_MD5, key=0x10afbc0, keylen=24) at gnutls_hash_int.c:277
#12 0x7f41dbcfad78 in _gnutls_P_hash (algorithm=value optimized out, 
secret=value optimized out, secret_size=value optimized out, seed=value 
optimized out, seed_size=value optimized out, total_bytes=value optimized 
out, ret=0x7fff1439b170 \231\376~, incomplete sequence \316) at 
gnutls_state.c:811
#13 0x7f41dbcfafca in _gnutls_PRF (session=value optimized out, 
secret=value optimized out, secret_size=value optimized out, label=value 
optimized out, label_size=value optimized out, seed=0x7fff1439b570 
K\310\331\346-\364\310*~E%\026\223g\216\323K֜\272^1\270Fn\025\254\307`\235%\rK\310\331\345\267\337\023y\314Tn\262-\277\236S\017\362B\237W\220\017\366H\035\372͟5\204\027\001,
 seed_size=value optimized out, total_bytes=48, ret=0x10b2552) at 
gnutls_state.c:926
#14 0x7f41dbce883f in generate_normal_master (session=0x10b2530, 
keep_premaster=0) at gnutls_kx.c:155
#15 0x7f41dbcf35bb in _gnutls_connection_state_init (session=0x3e8) at 
gnutls_constate.c:434
#16 0x7f41dbce43f8 in _gnutls_send_handshake_final (session=0x10b2530, 
init=1) at gnutls_handshake.c:2472
#17 0x7f41dbce45d5 in _gnutls_handshake_common (session=0x10b2530) at 
gnutls_handshake.c:2700
#18 0x7f41dbce5c67 in gnutls_handshake (session=0x10b2530) at 
gnutls_handshake.c:2297
#19 0x7f41dd3196de in ?? () from /usr/lib/libldap_r-2.4.so.2
#20 0x7f41dd3184a2 in ?? () from /usr/lib/libldap_r-2.4.so.2
#21 0x7f41dd318703 in ldap_int_tls_start () from /usr/lib/libldap_r-2.4.so.2
#22 0x7f41dd5338fc in ?? () from /lib/libnss_ldap.so.2
#23 0x7f41dd533f29 in ?? () from /lib/libnss_ldap.so.2
#24 0x7f41dd534832 in ?? () from /lib/libnss_ldap.so.2
#25 0x7f41dd534bbd in ?? () from /lib/libnss_ldap.so.2
#26 0x7f41dd5352b7 in _nss_ldap_getpwnam_r () from /lib/libnss_ldap.so.2
#27 0x7f41dda0345d in __getpwnam_r (name=0x4017d4 foo, 
resbuf=0x7f41ddcd8ce0, buffer=0x107f010 nslcd, buflen=1024, result=value 
optimized out) at ../nss/getXXbyYY_r.c:253
#28 0x7f41dda02e40 in getpwnam (name=0x4017d4 foo) at 
../nss/getXXbyYY.c:117
#29 0x00401202 in main (argc=1, argv=0x7fff1439c538) at debug.c:175

Stack frame 2 (secmem.c:296 in libgcrypt) is of particular interest. The code 
looks like this (with uid = getuid()):
  if (uid  ! geteuid ())
{
  /* check that we really dropped the privs.
   * Note: setuid(0) should always fail */
  if (setuid (uid) || getuid () != geteuid () || !setuid (0))
log_fatal (failed to reset uid: %s\n, strerror (errno));
}

This is clearly not what we want... :(

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

** Also affects: libgcrypt11 (Ubuntu)
   Importance: Undecided
   Status: New

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Great find, Andreas. So gnutls is calling gcrypt's secure memory
functions. And yet, the gnutls docs say these functions are not used by
default, and certainly OpenLDAP does not configure gnutls to use them.
Something else in the stack must be setting that behavior.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

Regardless of what the root cause turns out to be, you guys really need
to switch to libnss-ldapd, which will reliably isolate the user apps
from whatever junk is going on inside libldap / gnutls / whatever. (And
if you're not using the latest version, which also handles pam_ldap,
then you need to update.)

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-04-16 Thread David Tomaschik

Howard, a quick google didn't show much other than package info for
libnss-ldapd.  Do you have any links to documentation that might be of
use?  We're about to do a major ldap rollout for our servers at work and
I want to know as much as I can ahead of time.

-- 
NSS using LDAP on Karmic breaks 'su' and 'sudo'
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'