[Pkg-openldap-devel] Bug#579647: nss-ldap changing uid due to using gcrypt somewhere...
Ansgar Burchardt
ansgar at 43-1.org
Thu Apr 29 13:36:06 UTC 2010
Package: libnss-ldap,libldap-2.4-2
Version: libnss-ldap/264-2.1
Version: libldap-2.4-2/2.4.17-2.1
Hi,
libgcrypt11 has the "feature" of changing the real uid if it differs
from the effective user id and the effective user id is 0 [1]. This
comes from a time when programs had to be setuid root in order to use
mlock() to protect memory containing private keys.
This means that setuid applications using nss-ldap with a SSL connection
will lose their elevated privileges (unless a daemon such as nscd is
used). Thus applications like su, sudo, at, ... do longer work
correctly. Sadly upstream seems to consider this side effect in
libgcrypt a feature and seems not willing to change it.
One way to solve this problem would having a separate libldap package
that links against OpenSSL [2] and could be used by libraries such as
libnss-ldap.
Regards,
Ansgar
[1] <http://bugs.debian.org/566351>
<https://bugs.launchpad.net/bugs/423252>
[2] I understand that the package uses GnuTLS/gcrypt to be
GPL-compatible, so this would be in addition to the present
package.
More information about the Pkg-openldap-devel
mailing list