[Pkg-openldap-devel] Bug#579647: Bug#579647: nss-ldap changing uid due to using gcrypt somewhere...

Quanah Gibson-Mount quanah at zimbra.com
Thu Apr 29 15:14:46 UTC 2010


--On Thursday, April 29, 2010 10:36 PM +0900 Ansgar Burchardt 
<ansgar at 43-1.org> wrote:

> Package: libnss-ldap,libldap-2.4-2
> Version: libnss-ldap/264-2.1
> Version: libldap-2.4-2/2.4.17-2.1
>
> Hi,
>
> libgcrypt11 has the "feature" of changing the real uid if it differs
> from the effective user id and the effective user id is 0 [1].  This
> comes from a time when programs had to be setuid root in order to use
> mlock() to protect memory containing private keys.
>
> This means that setuid applications using nss-ldap with a SSL connection
> will lose their elevated privileges (unless a daemon such as nscd is
> used).  Thus applications like su, sudo, at, ... no longer work
> correctly.  Sadly upstream seems to consider this side effect in
> libgcrypt a feature and seems not willing to change it.
>
> One way to solve this problem would be having a separate libldap package
> that links against OpenSSL [2] and could be used by libraries such as
> libnss-ldap.

Or Debian could use nss-ldapd with nslcd, and not have to introduce OpenSSL 
at all.  Long term, it would of course be best to use the slapo-nssov 
overlay.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
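The side effect Ansgar describes is easy to miss because nothing fails loudly: the setuid program simply continues with a different real uid after the TLS code path has run. The snippet below is an added example written for this post, not code from the bug report, libgcrypt, nss-ldap or OpenLDAP. It captures the process credentials before and after an arbitrary initialisation callback and reports whether the real or effective ids changed, and it encodes the precondition the report names (effective uid 0 while the real uid differs, the normal state of a setuid-root binary started by an ordinary user). All names (`cred_snapshot`, `snapshot_creds`, `is_setuid_root_state`, `creds_changed`, `run_and_check_creds`, `noop_init`) are this example's own; in a real check `noop_init` would be replaced by the routine that triggers the NSS lookup over SSL.

```c
/* Added example, not part of the original bug report: detect whether a
 * library call silently rewrote the calling process's real uid/gid, the
 * behaviour the report attributes to libgcrypt.  Names here are invented
 * for the example; they are not libgcrypt or nss-ldap APIs. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

struct cred_snapshot {
    uid_t ruid, euid;
    gid_t rgid, egid;
};

/* Capture the current credential set of the calling process. */
struct cred_snapshot snapshot_creds(void)
{
    struct cred_snapshot s;
    s.ruid = getuid();
    s.euid = geteuid();
    s.rgid = getgid();
    s.egid = getegid();
    return s;
}

/* The precondition under which the report says the real uid is rewritten:
 * effective uid 0 while the real uid is someone else, i.e. a setuid-root
 * program (su, sudo, at, ...) started by a normal user. */
int is_setuid_root_state(const struct cred_snapshot *s)
{
    return s->euid == 0 && s->ruid != s->euid;
}

/* Return 1 if any of the four ids differs between the two snapshots. */
int creds_changed(const struct cred_snapshot *before,
                  const struct cred_snapshot *after)
{
    return before->ruid != after->ruid || before->euid != after->euid ||
           before->rgid != after->rgid || before->egid != after->egid;
}

/* Run init_fn (for instance the code path that performs an NSS lookup over
 * an SSL connection) between two snapshots.  Returns 1 if the credentials
 * were altered by the call, 0 otherwise; the snapshots are handed back so
 * the caller can log exactly what changed. */
int run_and_check_creds(void (*init_fn)(void),
                        struct cred_snapshot *before_out,
                        struct cred_snapshot *after_out)
{
    struct cred_snapshot before = snapshot_creds();
    init_fn();
    struct cred_snapshot after = snapshot_creds();
    if (before_out) *before_out = before;
    if (after_out) *after_out = after;
    return creds_changed(&before, &after);
}

/* Placeholder for the routine under test; does nothing, so creds stay put. */
static void noop_init(void) { }

int main(void)
{
    struct cred_snapshot before, after;
    int changed = run_and_check_creds(noop_init, &before, &after);

    printf("before: ruid=%u euid=%u  after: ruid=%u euid=%u  changed=%d\n",
           (unsigned)before.ruid, (unsigned)before.euid,
           (unsigned)after.ruid, (unsigned)after.euid, changed);
    if (is_setuid_root_state(&before) && changed)
        fputs("WARNING: credentials changed during init; "
              "the setuid program no longer holds its original real uid\n",
              stderr);
    return 0;
}
```

Build it into the suspect setuid binary (or a small setuid-root test harness) and point `run_and_check_creds` at the lookup that opens the SSL session; a non-zero return with `is_setuid_root_state` true on the "before" snapshot is the symptom the report describes, and is what the nslcd/nss-ldapd route avoids by keeping the TLS library out of the setuid process entirely.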
