[Pkg-openldap-devel] Bug#545414: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

David Adam zanchey at ucc.gu.uwa.edu.au
Fri Dec 10 03:42:59 UTC 2010


On Thu, 9 Dec 2010, Dan White wrote:
> On 09/12/10 22:37 +0100, Arthur de Jong wrote:
> > On Mon, 2010-12-06 at 23:59 +0800, David Adam wrote:
> > > This bit us on trial upgrades to Squeeze, and as this has not yet been
> > > fixed I would strongly recommend a section in the release notes on
> > > "Possible issues during upgrade" or "Issues to be aware of for squeeze",
> > > perhaps along the following lines:
> > 
> > Attached is a patch for the release notes on this. I've used David's
> > text as a basis.
> > 
> > I've been thinking about encouraging more users to switch to
> > libnss-ldapd. It solves quite a few of the problems in libnss-ldap and
> > is also better maintained. However, since I'm both the Debian maintainer
> > and upstream I'm a bit biased.
> 
> I'll offer an unbiased +1 for libnss-ldapd.

Having thought about this a bit more, I'm nominating this for RC status.
This bug potentially locks administrators out of their own systems if they
upgrade and then close their root session or reboot without any way of
logging in as root directly (which many sites consider best practice).

As well as sudo(8) and su(8), it also affects Apache's suexec and atd(8).

libnss-ldapd should be used to replace libnss-ldap on squeeze upgrades. I
am still a touch wary of libnss-ldapd, only in that adding the daemon
introduces an additional point of failure, but have been running it on
our Ubuntu and squeeze systems with zero problems.

David Adam
UCC Wheel Member
zanchey at ucc.gu.uwa.edu.au
