Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
Package: kdebase-bin
Severity: normal
Subject: kdebase-bin: kcheckpass won't use ldap authentication without setuid
Package: kdebase-bin
Version: 4:3.3.2-1
Severity: normal
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages kdebase-bin depends on:
ii kdelibs4 4:3.3.2-1 KDE core libraries
ii libart-2.0-2 2.3.17-1 Library of functions for 2D graphi
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfam0c102 2.7.0-6 client library to control the FAM
ii libgcc1 1:3.4.3-9 GCC support library
ii libice6 4.3.0.dfsg.1-10 Inter-Client Exchange library
ii libidn11 0.5.2-3 GNU libidn library, implementation
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libqt3c102-mt 3:3.3.3-8 Qt GUI Library (Threaded runtime v
ii libsm6 4.3.0.dfsg.1-10 X Window System Session Management
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxtst6 4.3.0.dfsg.1-10 X Window System event recording an
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
More potentially useful stuff:
ii libldap2 2.1.30-3 OpenLDAP libraries
ii libnss-ldap 220-1 NSS module for using LDAP as a naming servic
ii libpam-ldap 169-1 Pluggable Authentication Module allowing LDA
ii kdebase-bin 3.3.2-1 KDE Base (binaries)
ii libpam-modules 0.76-22 Pluggable Authentication Modules for PAM
ii libpam-runtime 0.76-22 Runtime support for the PAM library
ii libpam0g 0.76-22 Pluggable Authentication Modules library
This may somewhat relate to bug #212212...
It looks like it is a known issue with kcheckpass and ldap
authentication that kcheckpass needs to be setuid. See
http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html
and search for kcheckpass.
kscreensaver invokes kcheckpass like so:
kcheckpass -c kscreensaver -m classic -S 13
This results in:
Communication breakdown on write
Once kcheckpass is setuid it works. According to the post referenced
above, the real fix is to write a setuid wrapper to access the
credentials cache. I don't know if debian is even using that cache; I
can't find it.
Regardless, kcheckpass will fail when ldap authentication is used
currently. Adding the setuid bit fixes it. This should probably be
considered a workaround until a safer, more permanent fix is found.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Reply to: