[Pkg-openldap-devel] Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users
Julien Cristau
jcristau at debian.org
Mon Dec 27 15:36:32 UTC 2010
On Mon, Dec 27, 2010 at 16:15:38 +0100, Arthur de Jong wrote:
> On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> > If no-one thinks it is a bad idea I can change the earlier text to be a
> > recommendation to switch to nss-pam-ldapd instead of a proposed
> > workaround.
>
> I've updated the patch to the release notes (attached) to become a
> recommendation to switch to nss-pam-ldapd.
>
Thanks.
[snip]
>
> Also, do you think it is a good idea to highlight the switch to
> nss-pam-ldapd a bit more in the "What's new" section? I think it should
> also be a good idea to switch for people not affected by this specific
> problem. I can provide a patch if needed.
>
Sounds like a good plan to me.
> Index: en/issues.dbk
> ===================================================================
> --- en/issues.dbk (revision 7951)
> +++ en/issues.dbk (working copy)
> @@ -12,7 +12,7 @@
>
> <section id="problems">
> <title>Potential problems</title>
> -<para>
> +<para>
> Sometimes, changes introduced in a new release have side-effects
> we cannot reasonably avoid, or they expose
> bugs somewhere else. This section documents issues we are aware of. Please also
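Review bot: the `-<para>` / `+<para>` pair at the top of this hunk shows no visible difference, so it is almost certainly a trailing-whitespace change that is unrelated to the LDAP section being added; drop this hunk so the patch carries only the substantive change and stays easy to review.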
Unrelated, please drop this hunk.
> @@ -434,6 +434,40 @@
> </para>
> </section>
>
> +<section id="ldap">
> + <title><acronym>LDAP</acronym> support</title>
> + <indexterm><primary>LDAP</primary></indexterm>
> + <para>
> + A feature in the cryptography libraries used in the
> + <acronym>LDAP</acronym> libraries causes programs that use
> + <acronym>LDAP</acronym> and attempt to change their effective
> + privileges to fail when connecting to an <acronym>LDAP</acronym>
> + server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
> + This can cause problems for <command>sudo</command> and
> + <command>su</command> when using
> + <systemitem role="package">libnss-ldap</systemitem> or
> + with <systemitem role ="package">sudo-ldap</systemitem>.
I think schroot may be affected as well (#589884).
> + </para>
> + <para>
> + It is recommended to replace the
> + <systemitem role="package">libnss-ldap</systemitem> package with
> + <systemitem role="package">libnss-ldapd</systemitem>, a newer library
> + which uses separate daemon (<command>nslcd</command>) for all
> + <acronym>LDAP</acronym> lookups. The replacement for
> + <systemitem role="package">libpam-ldap</systemitem> is
> + <systemitem role="package">libpam-ldapd</systemitem>.
> + </para>
> + <para>
> + Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> + the NSS caching daemon (<command>nscd</command>) which you should evaluate
> + for suitability in your environment before installing.
Maybe mention unscd here, it's supposedly less crashy than nscd.
> + </para>
> + <para>
> + Further information is available in bugs
> + <ulink url="&url-bts;566351">#566351</ulink> and
> + <ulink url="&url-bts;545414">#545414</ulink>.
> + </para>
> +</section>
>
> <section id="kde-desktop-changes" condition="fixme">
> <title>KDE desktop</title>
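Review bot: `<systemitem role ="package">sudo-ldap</systemitem>` has a stray space before the `=`; write it `role="package"` to match every other systemitem element in this section. Two wording points in the same hunk: "a newer library which uses separate daemon" should read "which uses a separate daemon", and the first paragraph would be easier to match to the reported symptom if it named the failing operation, i.e. that the effective-privilege change (the setreuid call from the bug title) is what fails when the process has an LDAP connection over TLS or SSL open, since that is exactly what a user of sudo or su will see in the error message.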
Thanks for the patch!
Cheers,
Julien