
Re: Bug#545414: sudo-ldap: sudo fails with "sudo: setreuid(ROOT_UID, user_uid): Operation not permitted" for ldap users



On Mon, 2010-12-27 at 16:36 +0100, Julien Cristau wrote:
> > Also, do you think it is a good idea to highlight the switch to
> > nss-pam-ldapd a bit more in the "What's new" section? I think it should
> > also be a good idea to switch for people not affected by this specific
> > problem. I can provide a patch if needed.
>  
> Sounds like a good plan to me.

I will prepare a patch (or would you prefer something in the
NewInSqueeze wiki page?).

Do you want me to commit this part (new version attached)?

> >  <title>Potential problems</title>
> > -<para> 
> > +<para>
> >  Sometimes, changes introduced in a new release have side-effects
>
> Unrelated, please drop this hunk.

Oops, editor automatically removing trailing spaces.

> I think schroot may be affected as well (#589884).

Rephrased a bit and added schroot.

> > +    Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
> > +    the NSS caching daemon (<command>nscd</command>) which you should evaluate
> > +    for suitability in your environment before installing.
> 
> Maybe mention unscd here, it's supposedly less crashy than nscd.

I didn't think unscd would make it into squeeze but it's great that it
will. I've added a line about unscd. I'm using unscd on my box without
issues but then again, I never really ran into major issues with nscd.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
Index: en/release-notes.dbk
===================================================================
--- en/release-notes.dbk	(revision 7951)
+++ en/release-notes.dbk	(working copy)
@@ -390,6 +390,14 @@
     <glossdef><para>Serial Advanced Technology Attachment</para></glossdef>
   </glossentry>
   <glossentry>
+    <glossterm>SSL</glossterm>
+    <glossdef><para>Secure Sockets Layer</para></glossdef>
+  </glossentry>
+  <glossentry>
+    <glossterm>TLS</glossterm>
+    <glossdef><para>Transport Layer Security</para></glossdef>
+  </glossentry>
+  <glossentry>
     <glossterm>USB</glossterm>
     <glossdef><para>Universal Serial Bus</para></glossdef>
   </glossentry>
Index: en/issues.dbk
===================================================================
--- en/issues.dbk	(revision 7951)
+++ en/issues.dbk	(working copy)
@@ -434,6 +434,44 @@
 </para>
 </section>
 
+<section id="ldap">
+  <title><acronym>LDAP</acronym> support</title>
+  <indexterm><primary>LDAP</primary></indexterm>
+  <para>
+    A feature in the cryptography libraries used in the
+    <acronym>LDAP</acronym> libraries causes programs that use
+    <acronym>LDAP</acronym> and attempt to change their effective
+    privileges to fail when connecting to an <acronym>LDAP</acronym>
+    server using <acronym>TLS</acronym> or <acronym>SSL</acronym>.
+    This can cause problems for suid programs on systems using
+    <systemitem role="package">libnss-ldap</systemitem> like
+    <command>sudo</command>, <command>su</command> or
+    <command>schroot</command> and for suid programs that perform LDAP
+    searches like <systemitem role ="package">sudo-ldap</systemitem>.
+  </para>
+  <para>
+    It is recommended to replace the
+    <systemitem role="package">libnss-ldap</systemitem> package with
+    <systemitem role="package">libnss-ldapd</systemitem>, a newer library
+    which uses separate daemon (<command>nslcd</command>) for all
+    <acronym>LDAP</acronym> lookups. The replacement for
+    <systemitem role="package">libpam-ldap</systemitem> is
+    <systemitem role="package">libpam-ldapd</systemitem>.
+  </para>
+  <para>
+    Note that <systemitem role="package">libnss-ldapd</systemitem> recommends
+    the NSS caching daemon (<systemitem role="package">nscd</systemitem>)
+    which you should evaluate for suitability in your environment before
+    installing.
+    As an alternative to <systemitem role="package">nscd</systemitem> you
+    can consider <systemitem role="package">unscd</systemitem>.
+  </para>
+  <para>
+    Further information is available in bugs
+    <ulink url="&url-bts;566351">#566351</ulink> and
+    <ulink url="&url-bts;545414">#545414</ulink>.
+  </para>
+</section>
 
 <section id="kde-desktop-changes" condition="fixme">
 <title>KDE desktop</title>
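Review bot: the `sudo-ldap` line writes the attribute as `<systemitem role ="package">` with a space before `=`, while every other occurrence in the section uses `role="package"`; normalise it so the markup stays consistent. In the second paragraph, "a newer library which uses separate daemon" is missing an article and should read "which uses a separate daemon (<command>nslcd</command>)". The first paragraph also attributes the failure only to "a feature in the cryptography libraries" without saying what happens; a short clause naming the observable symptom the thread is about (the setreuid call failing with "Operation not permitted" once a TLS/SSL connection has been made) would make the section actionable for an administrator who hits it, and the bug references in the last paragraph can carry the detail.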
