[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication

Package: kdebase-bin
Severity: normal


Subject: kdebase-bin: kcheckpass won't use ldap authentication without setuid
Package: kdebase-bin
Version: 4:3.3.2-1
Severity: normal



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages kdebase-bin depends on:
ii  kdelibs4                 4:3.3.2-1       KDE core libraries
ii  libart-2.0-2             2.3.17-1        Library of functions for 2D graphi
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libfam0c102              2.7.0-6         client library to control the FAM 
ii  libgcc1                  1:3.4.3-9       GCC support library
ii  libice6                  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  libidn11                 0.5.2-3         GNU libidn library, implementation
ii  libpam-runtime           0.76-22         Runtime support for the PAM librar
ii  libpam0g                 0.76-22         Pluggable Authentication Modules l
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libqt3c102-mt            3:3.3.3-8       Qt GUI Library (Threaded runtime v
ii  libsm6                   4.3.0.dfsg.1-10 X Window System Session Management
ii  libstdc++5               1:3.3.5-8       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxrender1              0.8.3-7         X Rendering Extension client libra
ii  libxtst6                 4.3.0.dfsg.1-10 X Window System event recording an
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-4       compression library - runtime

-- no debconf information

More potentially useful stuff:

ii  libldap2       2.1.30-3       OpenLDAP libraries
ii  libnss-ldap    220-1          NSS module for using LDAP as a naming servic
ii  libpam-ldap    169-1          Pluggable Authentication Module allowing LDA
ii  kdebase-bin    3.3.2-1        KDE Base (binaries)
ii  libpam-modules 0.76-22        Pluggable Authentication Modules for PAM
ii  libpam-runtime 0.76-22        Runtime support for the PAM library
ii  libpam0g       0.76-22        Pluggable Authentication Modules library

This may somewhat relate to bug #212212...

It looks like it is a known issue with kcheckpass and ldap
authentication that kcheckpass needs to be setuid.  See
http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html
and search for kcheckpass.

kscreensaver invokes kcheckpass like so:

kcheckpass -c kscreensaver -m classic -S 13

This results in:

Communication breakdown on write

Once kcheckpass is setuid it works.  According to the post referenced
above, the real fix is to write a setuid wrapper to access the
credentials cache.  I don't know if debian is even using that cache; I
can't find it.

Regardless, kcheckpass will fail when ldap authentication is used
currently.  Adding the setuid bit fixes it.  This should probably be
considered a workaround until a safer, more permanent fix is found.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Reply to: