
LDAP breaks kcheckpass when not setuid root (#298148)

Dear list...

someone (curse you, Matthijs) motivated me to dump NIS in favor of LDAP
for user accounts on my small home net. Good thing I did it during my
vacation because it's not as trivial as I hoped.

I'm unhappy with the outcome of the bug #298148 (kdebase-bin: kcheckpass
needs setuid bit for ldap authentication). When using libnss-ldap and
libpam-ldap (optionally) people who lock their screen in KDE will not be
able to unlock the screen and may (like me) lose data because they
finally give up and Ctrl+Alt+Backspace. :( It turned out that unlocking
the screen currently only works if the /usr/bin/kcheckpass binary is
made setuid root. I don't like to just reopen that bug but IMO users
should be made aware of that problem. There are several possible ways:

- generally setting it setuid root by default
  (security risk but a solution without user interaction)
- a debconf question of kdebase-bin setting the binary setuid root
  (does not help if KDE is installed and users later decide to use LDAP
  because the question doesn't get asked)
- a debconf warning in libnss-ldap
  (a good place IMO although it's not the fault of libnss-ldap)
- doing nothing (current state)
  (wastes users' time and may eventually make them give up with LDAP
  or KDE)

This problem shouldn't be too uncommon because KDE and LDAP sounds to me
like it could be an organisation's standard desktop client.

By the way: having "nscd" installed gives different error messages but
the problem is the same.

".signature" [Modified] 1 line --100%--                1,48         All
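
The check a warning like the ones proposed above would need, as an added example that is not part of the original message or of any Debian package: it reports whether a host combines LDAP account lookups with a non-setuid kcheckpass. Treating an `ldap` source on the `passwd` or `shadow` line of nsswitch.conf as "LDAP in use" is an assumption, and the function names and status words are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: "LDAP accounts in use" means the passwd or
# shadow line of nsswitch.conf lists the "ldap" source.

# uses_ldap FILE: succeed if passwd/shadow lookups list the ldap source.
uses_ldap() {
    # Drop comments, then match "ldap" as a whole word among the sources.
    sed 's/#.*//' "$1" 2>/dev/null |
        awk -F: '$1 ~ /^[ \t]*(passwd|shadow)[ \t]*$/ {
                     n = split($2, src, /[ \t]+/)
                     for (i = 1; i <= n; i++) if (src[i] == "ldap") found = 1
                 }
                 END { exit (found ? 0 : 1) }'
}

# check_kcheckpass [NSSWITCH] [BINARY]: print one status word.
#   no-ldap         LDAP is not an account source; nothing to report
#   missing         kcheckpass is not installed at BINARY
#   setuid-root     the state in which unlocking works, per the post
#   setuid-nonroot  setuid bit set but owner is not uid 0
#   will-fail       LDAP accounts and no setuid bit: the locked-out case
check_kcheckpass() {
    nss=${1:-/etc/nsswitch.conf}
    bin=${2:-/usr/bin/kcheckpass}
    if ! uses_ldap "$nss"; then echo no-ldap; return 0; fi
    if [ ! -e "$bin" ]; then echo missing; return 0; fi
    if [ -u "$bin" ]; then
        # Numeric owner from ls -n, so no name lookup is needed.
        owner=$(ls -ldn "$bin" | awk '{ print $3 }')
        if [ "$owner" = 0 ]; then echo setuid-root; else echo setuid-nonroot; fi
        return 0
    fi
    echo will-fail
    return 1
}
```

With no arguments `check_kcheckpass` inspects /etc/nsswitch.conf and /usr/bin/kcheckpass; it only reports and never changes file modes.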
