Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

December 06th, 2010 - 11:20 am ET by David Adam
This bit us on trial upgrades to Squeeze, and as this has not yet been
fixed I would strongly recommend a section in the release notes on
"Possible issues during upgrade" or "Issues to be aware of for squeeze",
perhaps along the following lines:

"libnss-ldap and libpam-ldap: updates to the cryptography libraries mean
that any programs which attempt to change their effective privileges,
including sudo(8), may fail when libnss-ldap is configured to use an LDAP
server using TLS or SSL.

To work around this problem, you can replace libnss-ldap with
libnss-ldapd, a newer library which uses a separate daemon (nslcd) for all
LDAP lookups. The replacement for libpam-ldap is libpam-ldapd.

Note that libnss-ldapd recommends the NSS caching daemon, nscd, which you
should evaluate for suitability in your environment before installing.

Further information is available in bugs #566351 and #545414."

David Adam
UCC Wheel Member
zanchey@ucc.gu.uwa.edu.au



To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
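A pre-upgrade check for the combination David describes (libnss-ldap installed and its configuration pointing at a TLS or SSL LDAP server), added here as an example; it is not part of the bug report, the release notes or any Debian tool. It assumes the nss_ldap configuration is the libnss-ldap.conf-style file whose TLS switches are `ssl start_tls`, `ssl on`/`ssl yes` or an `ldaps://` URI, and it runs on constructed sample package lists and config files rather than on the live host:

```shell
#!/bin/sh
# Pre-upgrade check: is this host running libnss-ldap against a TLS/SSL
# LDAP server, the combination reported to break setreuid() in sudo/su?
# Example written for this thread; not a Debian or nss-pam-ldapd tool.

# Return 0 if the given nss_ldap config enables TLS or SSL, 1 otherwise.
# Assumed directives (libnss-ldap.conf style): "ssl start_tls", "ssl on",
# "ssl yes", or a "uri" line carrying an ldaps:// scheme.
ldap_tls_configured() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # drop comments first so a commented-out "ssl start_tls" does not count
    sed -e 's/#.*//' "$conf" |
        grep -Eiq '^[[:space:]]*(ssl[[:space:]]+(on|start_tls|yes)|uri[[:space:]]+.*ldaps://)'
}

# Classify a host from a package list and its nss_ldap config file.
#   $1: file with one installed package name per line
#       (on a real host: dpkg-query -W -f='${Package}\n' > pkgs.txt)
#   $2: nss_ldap configuration file
# Prints: already-nslcd | safe-no-nss-ldap | safe-no-tls | affected
check_host() {
    pkgs="$1"; conf="$2"
    if grep -qx 'libnss-ldapd' "$pkgs"; then
        echo already-nslcd          # lookups go through nslcd; not affected
    elif ! grep -qx 'libnss-ldap' "$pkgs"; then
        echo safe-no-nss-ldap       # nss_ldap not installed at all
    elif ldap_tls_configured "$conf"; then
        echo affected               # nss_ldap + TLS/SSL: switch to libnss-ldapd
    else
        echo safe-no-tls            # nss_ldap over plain LDAP
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' libnss-ldap libpam-ldap sudo-ldap  > "$SAMPLE_DIR/pkgs-nss-ldap"
printf '%s\n' libnss-ldapd libpam-ldapd nslcd    > "$SAMPLE_DIR/pkgs-nss-ldapd"
cat > "$SAMPLE_DIR/ldap-tls.conf" <<'EOF'
# constructed libnss-ldap.conf with STARTTLS enabled
base dc=example,dc=org
uri ldap://ldap.example.org/
ssl start_tls
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
EOF
cat > "$SAMPLE_DIR/ldap-ldaps.conf" <<'EOF'
base dc=example,dc=org
uri ldaps://ldap.example.org/
EOF
cat > "$SAMPLE_DIR/ldap-plain.conf" <<'EOF'
base dc=example,dc=org
uri ldap://ldap.example.org/
# ssl start_tls   (commented out: plain LDAP, not affected)
EOF

check_host "$SAMPLE_DIR/pkgs-nss-ldap"  "$SAMPLE_DIR/ldap-tls.conf"    # affected
check_host "$SAMPLE_DIR/pkgs-nss-ldap"  "$SAMPLE_DIR/ldap-ldaps.conf"  # affected
check_host "$SAMPLE_DIR/pkgs-nss-ldap"  "$SAMPLE_DIR/ldap-plain.conf"  # safe-no-tls
check_host "$SAMPLE_DIR/pkgs-nss-ldapd" "$SAMPLE_DIR/ldap-tls.conf"    # already-nslcd
```

Run it on a real host by pointing `check_host` at a `dpkg-query` package dump and the actual configuration file; an `affected` result means sudo, su and the other privilege-changing programs named in the thread should be verified from a second root session before the upgrade session is closed.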

#1 Dan White
December 09th, 2010 - 05:40 pm ET
On 09/12/10 22:37 +0100, Arthur de Jong wrote:
> On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
> > This bit us on trial upgrades to Squeeze, and as this has not yet been
> > fixed I would strongly recommend a section in the release notes on
> > "Possible issues during upgrade" or "Issues to be aware of for squeeze",
> > perhaps along the following lines:
>
> Attached is a patch for the release notes on this. I've used David's
> text as a basis.
>
> I've been thinking about encouraging more users to switch to
> libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
> is also better maintained. However, since I'm both the Debian maintainer
> and upstream I'm a bit biased.

I'll offer an unbiased +1 for libnss-ldapd.

Dan White



#2 David Adam
December 09th, 2010 - 10:50 pm ET

On Thu, 9 Dec 2010, Dan White wrote:
> On 09/12/10 22:37 +0100, Arthur de Jong wrote:
> > On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
> > > This bit us on trial upgrades to Squeeze, and as this has not yet been
> > > fixed I would strongly recommend a section in the release notes on
> > > "Possible issues during upgrade" or "Issues to be aware of for squeeze",
> > > perhaps along the following lines:
> >
> > Attached is a patch for the release notes on this. I've used David's
> > text as a basis.
> >
> > I've been thinking about encouraging more users to switch to
> > libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
> > is also better maintained. However, since I'm both the Debian maintainer
> > and upstream I'm a bit biased.
>
> I'll offer an unbiased +1 for libnss-ldapd.

Having thought about this a bit more, I'm nominating this for RC status.
This bug potentially locks administrators out of their own systems if they
upgrade and then close their root session or reboot without any way of
logging in as root directly (which many sites consider best practice).

As well as sudo(8) and su(8), it also affects Apache's suexec and atd(8).

libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I
am still a touch wary of libnss-ldapd, only in that adding the daemon
introduces an additional point of failure, but have been running it on
our Ubuntu and squeeze systems with zero problems.

David Adam
UCC Wheel Member




#3 Arthur de Jong
December 10th, 2010 - 09:40 am ET

On Fri, 2010-12-10 at 11:42 +0800, David Adam wrote:
> libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I
> am still a touch wary of libnss-ldapd, only in that adding the daemon
> introduces an additional point of failure, but have been running it on
> our Ubuntu and squeeze systems with zero problems.

I agree that adding an extra interface opens a possibility for problems
but it also allows for better separation. If the daemon is not running
more things could go wrong and I welcome improvements for that (e.g.
possibly starting earlier during the boot sequence and polling the LDAP
server until it is available, or improved availability during upgrades).
On the other hand its operation is much simpler than with nss_ldap
because the daemon can hold some state as to whether the LDAP server is
available or not and failure when the LDAP server is unavailable is much
faster (will not hang the whole system).

Also, the daemon always runs as an unprivileged user and security of the
LDAP authentication credentials (bind password) is much more robust.

There are some differences between nss_ldap on one end and nss-pam-ldapd
on the other. nss-pam-ldapd does not currently support nested groups and
has fewer features in the password changing operation, so it's not a
drop-in replacement for all configurations (yet).

I've also been using it without problems. There are some issues when
using Microsoft Active Directory (memory leak when chasing referrals and
a problem in the timeout handling) but I've personally had less issues
with nss-ldapd than with nss_ldap.

I don't know if it's possible (or wise) to automatically upgrade from
libnss-ldap to libnss-ldapd on a lenny->squeeze upgrade, but for people
who switch it should already be quite smooth (configuration is migrated
automatically in most cases).

If no-one thinks it is a bad idea I can change the earlier text to be a
recommendation to switch to nss-pam-ldapd instead of a proposed
workaround.








#4 Julien Cristau
December 27th, 2010 - 10:40 am ET

On Mon, Dec 27, 2010 at 16:15:38 +0100, Arthur de Jong wrote:
> On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> > If no-one thinks it is a bad idea I can change the earlier text to be a
> > recommendation to switch to nss-pam-ldapd instead of a proposed
> > workaround.
>
> I've updated the patch to the release notes (attached) to become a
> recommendation to switch to nss-pam-ldapd.

Thanks.

[snip]

> Also, do you think it is a good idea to highlight the switch to
> nss-pam-ldapd a bit more in the "What's new" section? I think it should
> also be a good idea to switch for people not affected by this specific
> problem. I can provide a patch if needed.

Sounds like a good plan to me.

Index: en/issues.dbk
=
en/issues.dbk (revision 7951)
+++ en/issues.dbk (working copy)
@@ -12,7 +12,7 @@

<section id="problems">
<title>Potential problems</title>
-<para>
+<para>
Sometimes, changes introduced in a new release have side-effects
we cannot reasonably avoid, or they expose
bugs somewhere else. This section documents issues we are aware of. Please also
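Review bot: the removed `<para>` and the added `<para>` in this first hunk are identical apart from whitespace, so the hunk changes nothing in the rendered "Potential problems" section and only adds noise to the diff; drop it so the patch touches nothing but the new LDAP section.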



Unrelated, please drop this hunk.

@@ -434,6 +434,40 @@
</para>
</section>

+<section id="ldap">
+ <title><acronym>LDAP</acronym> support</title>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <para>
+ A feature in the cryptography libraries used in the
+ <acronym>LDAP</acronym> libraries causes programs that use
+ <acronym>LDAP</acronym> and attempt to change their effective
+ privileges to fail when connecting to an <acronym>LDAP</acronym>
+ server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
+ This can cause problems for <command>sudo</command> and
+ <command>su</command> when using
+ <systemitem role="package">libnss-ldap</systemitem> or
+ with <systemitem role ="package">sudo-ldap</systemitem>.
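Review bot: `<systemitem role ="package">sudo-ldap</systemitem>` on the last line of this region has a stray space before `=`, unlike every other `role="package"` attribute in the hunk; write it as `<systemitem role="package">sudo-ldap</systemitem>`. The opening sentence also refers to "A feature in the cryptography libraries" without saying what the reader will actually see; quoting the error from the bug title, `setreuid(ROOT_UID, user_uid): Operation not permitted`, would let administrators match the symptom to this section.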



I think schroot may be affected as well (#589884).

+ </para>
+ <para>
+ It is recommended to replace the
+ <systemitem role="package">libnss-ldap</systemitem> package with
+ <systemitem role="package">libnss-ldapd</systemitem>, a newer library
+ which uses separate daemon (<command>nslcd</command>) for all
+ <acronym>LDAP</acronym> lookups. The replacement for
+ <systemitem role="package">libpam-ldap</systemitem> is
+ <systemitem role="package">libpam-ldapd</systemitem>.
+ </para>
+ <para>
+ Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
+ the NSS caching daemon (<command>nscd</command>) which you should evaluate
+ for suitability in your environment before installing.
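Review bot: "a newer library which uses separate daemon (<command>nslcd</command>)" is missing an article; it should read "uses a separate daemon (<command>nslcd</command>)". The second paragraph names the libpam-ldap to libpam-ldapd replacement only in passing; since the thread reports su and sudo lockouts, stating that both the NSS and the PAM module need to be switched together would make the instruction harder to half-apply.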



Maybe mention unscd here, it's supposedly less crashy than nscd.

+ </para>
+ <para>
+ Further information is available in bugs
+ <ulink url="&url-bts;566351">#566351</ulink> and
+ <ulink url="&url-bts;545414">#545414</ulink>.
+ </para>
+</section>

<section id="kde-desktop-changes" condition="fixme">
<title>KDE desktop</title>



Thanks for the patch!

Cheers,
Julien






#5 Julien Cristau
December 27th, 2010 - 11:50 am ET

On Mon, Dec 27, 2010 at 17:39:25 +0100, Arthur de Jong wrote:
> I will prepare a patch (or would you prefer something in the
> NewInSqueeze wiki page?).

A patch would be good, I think.

> Do you want me to commit this part (new version attached)?

For this one:
Acked-by: Julien Cristau

Cheers,
Julien





