[Pkg-openldap-devel] Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users

Julien Cristau jcristau at debian.org
Mon Dec 27 15:36:32 UTC 2010


On Mon, Dec 27, 2010 at 16:15:38 +0100, Arthur de Jong wrote:

> On Fri, 2010-12-10 at 15:31 +0100, Arthur de Jong wrote:
> > If no-one thinks it is a bad idea I can change the earlier text to be a
> > recommendation to switch to nss-pam-ldapd instead of a proposed
> > workaround.
> 
> I've updated the patch to the release notes (attached) to become a
> recommendation to switch to nss-pam-ldapd.
> 
Thanks.

[snip]
> 
> Also, do you think it is a good idea to highlight the switch to
> nss-pam-ldapd a bit more in the "What's new" section? I think it should
> also be a good idea to switch for people not affected by this specific
> problem. I can provide a patch if needed.
> 
Sounds like a good plan to me.

> Index: en/issues.dbk
> ===================================================================
> --- en/issues.dbk	(revision 7951)
> +++ en/issues.dbk	(working copy)
> @@ -12,7 +12,7 @@
>  
>  <section id="problems">
>  <title>Potential problems</title>
> -<para> 
> +<para>
>  Sometimes, changes introduced in a new release have side-effects
>  we cannot reasonably avoid, or they expose
>  bugs somewhere else. This section documents issues we are aware of.  Please also

Unrelated, please drop this hunk.

> @@ -434,6 +434,40 @@
>  </para>
>  </section>
>  
> +<section id="ldap">
> +  <title><acronym>LDAP</acronym> support</title>
> +  <indexterm><primary>LDAP</primary></indexterm>
> +  <para>
> +    A feature in the cryptography libraries used in the
> +    <acronym>LDAP</acronym> libraries causes programs that use
> +    <acronym>LDAP</acronym> and attempt to change their effective
> +    privileges to fail when connecting to an <acronym>LDAP</acronym>
> +    server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
> +    This can cause problems for <command>sudo</command> and
> +    <command>su</command> when using
> +    <systemitem role="package">libnss-ldap</systemitem> or
> +    with <systemitem role ="package">sudo-ldap</systemitem>.

I think schroot may be affected as well (#589884).

> +  </para>
> +  <para>
> +    It is recommended to replace the
> +    <systemitem role="package">libnss-ldap</systemitem> package with
> +    <systemitem role="package">libnss-ldapd</systemitem>, a newer library
> +    which uses separate daemon (<command>nslcd</command>) for all
> +    <acronym>LDAP</acronym> lookups. The replacement for
> +    <systemitem role="package">libpam-ldap</systemitem> is
> +    <systemitem role="package">libpam-ldapd</systemitem>.
> +  </para>
> +  <para>
> +    Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> +    the NSS caching daemon (<command>nscd</command>) which you should evaluate
> +    for suitability in your environment before installing.

Maybe mention unscd here; it's supposedly less crashy than nscd.

> +  </para>
> +  <para>
> +    Further information is available in bugs
> +    <ulink url="&url-bts;566351">#566351</ulink> and
> +    <ulink url="&url-bts;545414">#545414</ulink>.
> +  </para>
> +</section>
>  
>  <section id="kde-desktop-changes" condition="fixme">
>  <title>KDE desktop</title>
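Review bot: the `<systemitem role ="package">sudo-ldap</systemitem>` element in the first added `<para>` has a stray space before the `=` (`role ="package"`), while every other `<systemitem>` in this section is written `role="package"`; please make it `<systemitem role="package">sudo-ldap</systemitem>` for consistency with the rest of the file. In the second `<para>`, "a newer library which uses separate daemon (<command>nslcd</command>)" is missing an article; suggest "which uses a separate daemon (<command>nslcd</command>)".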

Thanks for the patch!

Cheers,
Julien
