Re: libnss consolidation
- To: debian-devel@lists.debian.org
- Subject: Re: libnss consolidation
- From: Arto Jantunen <viiru@debian.org>
- Date: Sat, 01 Jun 2013 13:25:11 +0300
- Message-id: <87y5aup1q0.fsf@iki.fi>
- In-reply-to: <CAA0ZO6CHGG3kYs1sC1LAV1-cdcNEkeBD60Axz5iz6v4VrVZmRg@mail.gmail.com> (sfid-20130531_135813_792755_37A13F6F) (Brian May's message of "Fri, 31 May 2013 20:57:37 +1000")
- References: <519F41BD.10108@nikhef.nl> <20130525122708.GA29404@falafel.plessy.net> <CAE2SPAZaV0px6cSDYP1CZxHEs0qJZBm+mEBGztaFH6+Vc9bCuA@mail.gmail.com> <51A72EE6.7040808@nikhef.nl> <CAE2SPAa4BN36E02xMYraDy7P7JKLN6Cbm+ncLYn1j-yz-F+DAw@mail.gmail.com> <51A74103.5040005@nikhef.nl> <CAE2SPAb+v+nGXSsTGun95d7T2JU2iSgwgujj-S5JOzvW8209Zg@mail.gmail.com> <20130531024208.GL261986@vauxhall.crustytoothpaste.net> <CAE2SPAZib3iEZzLA-sd3r0Ft7FF6pdXKvKRZgXdsN1D7Fozcsg@mail.gmail.com> <CAA0ZO6CHGG3kYs1sC1LAV1-cdcNEkeBD60Axz5iz6v4VrVZmRg@mail.gmail.com>
Brian May <brian@microcomaustralia.com.au> writes:
> On 31 May 2013 20:19, Bastien ROUCARIES <roucaries.bastien@gmail.com> wrote:
>
>> Gnutls is really crappy about suid
>> see http://lists.debian.org/debian-devel/2010/03/msg00298.html
>
>
> 2+ years later or 2 Debian releases later, I would have hoped these issues
> would be, somehow, magically, fixed by now :-(
>
> Basically makes libpam-ldap + TLS broken with certain programs.
>
> libnss-ldap is probably also broken, but seems you should be using
> libnss-ldapd these days which may (?) avoid these problems.
Yes, libpam-ldapd does avoid this problem. The ldap connections are
managed by a separate daemon (nslcd) that runs as a limited user account
and isn't suid. The pam (and nss) modules then contact this daemon via a
socket to run ldap queries. In addition to avoiding the gnutls bugs this
brings better latency and connection pooling (with libnss-ldap one needs
an ldap connection per nss-using process; these pile up quite fast
indeed).
--
Arto Jantunen
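The privilege split Arto describes, as an added example that is not nss-pam-ldapd's own code and is not part of the original mail: a stand-in daemon owns the directory connection and the bind credentials, while the client side (playing the NSS/PAM module that gets loaded into an arbitrary, possibly setuid, program) only speaks a small line protocol over a Unix socket. The directory contents, credentials, socket path, request verb and JSON reply format are all constructed for this example; the real nslcd uses its own binary protocol and reads its credentials from its config file.

```python
# Added example (not nss-pam-ldapd's code): a toy model of the nslcd split.
# The daemon process is the only one that ever holds the bind credentials;
# the client never links an LDAP or TLS library and never sees a secret.
import json
import os
import socket
import tempfile
import threading

# Constructed stand-in for the LDAP directory the real daemon would query.
FAKE_DIRECTORY = {
    "alice": {"uid": 1001, "gid": 1001, "home": "/home/alice", "shell": "/bin/bash"},
    "bob": {"uid": 1002, "gid": 1002, "home": "/home/bob", "shell": "/bin/sh"},
}

# Constructed. In the real setup binddn/bindpw live in the daemon's config
# file; nothing on the client path below references this object.
BIND_CREDENTIALS = {"binddn": "cn=proxy,dc=example,dc=org", "bindpw": "constructed-secret"}


def _read_line(conn):
    """Read one newline-terminated request or reply from a stream socket."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode().rstrip("\n")


class LookupDaemon:
    """Unprivileged daemon: owns the (fake) upstream connection and answers
    'getpwnam <name>' requests for every client process on the host."""

    def __init__(self, sock_path):
        self.sock_path = sock_path
        self.requests_served = 0            # one daemon, shared by all clients
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        self._srv.listen(8)
        self._srv.settimeout(0.1)           # lets the accept loop notice shutdown
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()
        os.unlink(self.sock_path)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            with conn:
                self._handle(conn)

    def _handle(self, conn):
        req = _read_line(conn)
        self.requests_served += 1
        verb, _, name = req.partition(" ")
        # This is the only place that would ever bind upstream with BIND_CREDENTIALS.
        entry = FAKE_DIRECTORY.get(name) if verb == "getpwnam" else None
        conn.sendall((json.dumps(entry) + "\n").encode())


def nss_getpwnam(sock_path, name):
    """Client side, as a libnss_ldapd-style module would do it: a socket
    round trip and nothing else in the calling process. Returns None for
    unknown users and for names that could smuggle a second request line."""
    if not name or any(c.isspace() for c in name):
        return None
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"getpwnam {name}\n".encode())
        return json.loads(_read_line(s))


def demo():
    """Start the daemon on a temporary socket, issue a few lookups, and
    return the answers together with the daemon's request count."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "socket")
    daemon = LookupDaemon(path)
    daemon.start()
    try:
        results = {n: nss_getpwnam(path, n) for n in ("alice", "bob", "nobody")}
    finally:
        daemon.stop()
        os.rmdir(tmp)
    return results, daemon.requests_served


if __name__ == "__main__":
    print(demo())
```

The property worth checking on a real host is the same one the toy makes visible: the process that holds the directory credentials and TLS state runs as its own unprivileged user, and the code loaded into setuid programs is only a thin socket client.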