Bug#658896: [PATCH] Fix dropping privileges issue on setuid programs on systems with PAM/LDAP and GnuTLS/libgcrypt

Carlos Alberto Lopez Perez clopez at igalia.com
Thu Jan 24 23:44:21 UTC 2013

reassign 368297 libldap-2.4 2.4.31-1


I have been digging into this issue and I found the ultimate cause of it.

When sudo/su/passwd/<insert-any-setuid-program-that-calls-getpwent()> runs
on a system configured with PAM/LDAPS, it chains into libldap, which uses
GnuTLS/libgcrypt to manage the TLS channel.

The problem is that when OpenLDAP calls gnutls_global_init(), this
function does nothing, because OpenLDAP had already initialized libgcrypt
at some earlier point on the stack (probably by mistake).

So, gnutls_global_init() sees that some basic initialization of
libgcrypt was already done and skips any further action entirely.

The problem is that gnutls_global_init() is supposed to set the flag
GCRYCTL_DISABLE_SECMEM which disables both the use of secure memory
*and* the "feature" of dropping privileges that libgcrypt has. [1]

So, what is happening is that the initialization of libgcrypt is not
being done as expected.

I cooked a very small patch that, just after calling
gnutls_global_init(), checks whether the initialization was successful
and, if it was not, sets this flag (DISABLE_SECMEM).

I understand that (perhaps) the right fix could be to patch GnuTLS, but
there are two problems with this:

* One is that this could introduce some regression or bug in some
program that could be (wrongly) relying on this "feature" of GnuTLS.
Keep in mind that this code has been there since the beginning of the
project (I was running git blame on the repository).

* The second problem is that GnuTLS (upstream) completely dropped
support for libgcrypt (they even removed the code). So IMHO it doesn't
make sense to fix GnuTLS at this point. For Jessie, GnuTLS should
switch to nettle, and OpenLDAP will have to switch to a crypto
library other than libgcrypt, or will have to patch the file
libraries/libldap/tls_g.c to stop using any GnuTLS code.

So, for the moment (Wheezy) I think the best approach to solve this bug
is to apply the small patch for OpenLDAP that I'm attaching.
It is the least intrusive approach to fix this bug. It doesn't need to
touch anything in GnuTLS or libgcrypt. It really fixes the problem
where it is: OpenLDAP is not setting DISABLE_SECMEM when initializing.

The approach taken by Ubuntu, to patch libgcrypt (LP: #423252), already
caused some regressions (LP: #1013798).

If someone wants to try it, I have uploaded the debs (AMD64) and the
sources to this URL:


I tested that with this small patch the problem goes completely away.

Example test:
1) Install current libldap-2.4-2 from Wheezy and test sudo:
root ~ # apt-get install --reinstall libldap-2.4-2=2.4.31-1

clopez ~ $ sudo whoami
[sudo] password for clopez:
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: unable to open /var/lib/sudo/clopez/8: Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
sudo: unable to execute /usr/bin/whoami: Operation not permitted

2) Install fixed libldap-2.4-2 and test sudo:
root ~ # wget
root ~ # dpkg -i libldap-2.4-2_2.4.31-1.1_amd64.deb

clopez ~ $ sudo whoami
[sudo] password for clopez:

Therefore I'm reassigning this bug to libldap-2.4 (src:OpenLDAP)

Attached is also a debdiff for src:OpenLDAP

Read the comments inside the patch for further information.

I'm CC'ing the libgcrypt/OpenLDAP/GnuTLS maintainers and will later
report this on Ubuntu's LP.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: debdiff_openldap_fix-dropping-privileges-by-libgcrypt-secmem.debdiff
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20130125/b82b6f1e/attachment-0015.ksh>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-dropping-privileges-by-libgcrypt-secmem.diff
Type: text/x-diff
Size: 2731 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20130125/b82b6f1e/attachment-0015.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20130125/b82b6f1e/attachment-0015.pgp>
