Public bug reported:

When nslcd drops privileges at startup, it calls setgroups(0, NULL)
rather than the expected initgroups("username", gid).  This causes nslcd
not to be able to read files (such as TLS certificates) if they are
owned by one of the supplemental groups specified in the /etc/group
file.

If it matters, nscd works as expected by calling getgrouplist() and then
the appropriate setgroups() with the group list when it drops
privileges.

The debug output from nslcd shows this happening:

nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(112) done
nslcd: DEBUG: setuid(106) done

and it appears to do this intentionally in nslcd.c:

  /* drop all supplemental groups */
  if (setgroups(0,NULL)<0)

** Affects: nss-pam-ldapd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1020303

Title:
  nslcd drops supplemental groups when dropping privileges

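The effect described in this report can be checked for any account and file with the sketch below. It is an added example, not code from nslcd or from the reporter: it uses getgrouplist() to compare the group set left by setgroups(0, NULL) with the one initgroups() would install. The function names can_read and compare_drop are hypothetical, Linux with glibc is assumed, and ACLs, capabilities and directory permissions are not modelled.

```c
#define _DEFAULT_SOURCE /* for getgrouplist() on glibc (assumed platform) */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Classic owner/group/other read check for a non-root process. */
int can_read(uid_t uid, gid_t gid, const gid_t *supp, int nsupp,
             uid_t f_uid, gid_t f_gid, mode_t f_mode)
{
    if (uid == f_uid)
        return (f_mode & S_IRUSR) != 0;
    int in_group = (gid == f_gid);
    for (int i = 0; i < nsupp && !in_group; i++)
        in_group = (supp[i] == f_gid);
    /* A group match uses the group bits only, never the "other" bits. */
    return in_group ? (f_mode & S_IRGRP) != 0 : (f_mode & S_IROTH) != 0;
}

/* Compare both ways of dropping privileges to `user` for one file.
   Returns -1 on lookup failure, else 0 with both results filled in. */
int compare_drop(const char *user, const char *path, int *empty, int *full)
{
    struct passwd *pw = getpwnam(user);
    struct stat st;
    gid_t groups[64]; /* enough for this illustration */
    int n = 64;
    if (pw == NULL || stat(path, &st) < 0 ||
        getgrouplist(user, pw->pw_gid, groups, &n) < 0)
        return -1;
    /* setgroups(0, NULL): no supplemental groups survive the drop */
    *empty = can_read(pw->pw_uid, pw->pw_gid, NULL, 0,
                      st.st_uid, st.st_gid, st.st_mode);
    /* initgroups(user, gid): memberships from the group database are kept */
    *full = can_read(pw->pw_uid, pw->pw_gid, groups, n,
                     st.st_uid, st.st_gid, st.st_mode);
    return 0;
}

int main(int argc, char **argv)
{
    int empty, full;
    if (argc != 3 || compare_drop(argv[1], argv[2], &empty, &full) < 0) {
        fprintf(stderr, "usage: %s USER FILE\n", argv[0]);
        return 2;
    }
    printf("setgroups(0,NULL): %s\ninitgroups():      %s\n",
           empty ? "readable" : "denied", full ? "readable" : "denied");
    return 0;
}
```

Run it as `./a.out USER FILE` with the daemon's account and the certificate path; a "denied" / "readable" pair reproduces the situation in the report.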