Bug#658739: gnutls26: LDAP+SSL account cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11
Ken Stailey
kstailey at yahoo.com
Sun Feb 5 17:32:35 UTC 2012
Package: gnutls26
Version: libgnutls26
Severity: important
Dear Maintainer,
If your account is an LDAP one and your LDAP client connects to its
LDAP server via SSL then running setuid programs from your account
fails since libgcrypt11 is horribly broken and upstream GnuTLS
no longer recommends using it as the backend crypto library:
http://lists.debian.org/debian-legal/2011/02/msg00006.html
In the past it was possible to work around this by using nscd
but that workaround no longer has any effect.
When I rebuild gnutls26 with nettle I am able to use setuid binaries
from my LDAP account which connects via SSL to its LDAP server.
Reproducing:
1. Install an OpenLDAP server that speaks LDAP over SSL.
2. Install Debian Testing or Unstable and configure it to be an LDAP
client that connects to its LDAP server via SSL.
3. Log into the Debian system created in step using an LDAP account
not an account in /etc/passwd.
4. Attempt to use sudo. You will see unexpected results:
    $ sudo id
    [sudo] password for user:
    sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
    sudo: unable to open /var/lib/sudo/user/1: Operation not permitted
    sudo: unable to set gid to runas gid 0: Operation not permitted
    sudo: unable to execute /usr/bin/id: Operation not permitted
    $
5. Attempt to use sudo. You will see expected results:
    $ sudo id
    [sudo] password for user:
    uid=0(root) gid=0(root) groups=0(root)
See also:
https://bugs.launchpad.net/bugs/926350
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-1-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
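
Added example, not part of the original report: since the report attributes the failure to the libgcrypt11 backend, this script shows one way to check which crypto backend an installed libgnutls.so.26 links against. It assumes ldd and ldconfig are available; the function names and the sample ldd lines are constructed for illustration.

```shell
#!/bin/sh
# Report which crypto backend a libgnutls build is linked against.

# Read `ldd` output on stdin; print gcrypt, nettle, both or unknown.
gnutls_backend() {
    deps=$(cat)
    has_gcrypt=no
    has_nettle=no
    case "$deps" in *libgcrypt.so*) has_gcrypt=yes ;; esac
    case "$deps" in *libnettle.so*) has_nettle=yes ;; esac
    case "$has_gcrypt$has_nettle" in
        yesyes) echo both ;;
        yesno)  echo gcrypt ;;
        noyes)  echo nettle ;;
        *)      echo unknown ;;
    esac
}

# Constructed ldd output (not captured from a real system).
SAMPLE_GCRYPT='	libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f0000000000)
	libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00007f0000100000)'
SAMPLE_NETTLE='	libtasn1.so.3 => /usr/lib/libtasn1.so.3 (0x00007f0000000000)
	libnettle.so.4 => /usr/lib/libnettle.so.4 (0x00007f0000200000)'

# Locate the installed libgnutls.so.26 through the linker cache, if present.
find_libgnutls() {
    ldconfig -p 2>/dev/null | awk '/libgnutls\.so\.26 /{print $NF; exit}'
}

# Classify the library actually installed on this machine.
check_installed() {
    lib=$(find_libgnutls)
    if [ -z "$lib" ]; then
        echo "libgnutls.so.26 not found in linker cache"
        return 0
    fi
    echo "$lib: $(ldd "$lib" 2>/dev/null | gnutls_backend)"
}

echo "sample gcrypt build: $(printf '%s\n' "$SAMPLE_GCRYPT" | gnutls_backend)"
echo "sample nettle build: $(printf '%s\n' "$SAMPLE_NETTLE" | gnutls_backend)"
check_installed
```

Running it before and after rebuilding gnutls26 shows whether the rebuilt library is the one the system actually resolves.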