Bug#216244: [libc6] Incomplete interaction with nscd
Package: libc6
Version: 2.3.2-8
Severity: normal
Some time ago, when I was migrating my systems to LDAP, I noticed
some nss-related trouble (e.g. finger was unable to show information
about LDAP users, although /etc/nsswitch was set correctly, and other
tools worked).
I even reported several bugs on such issues.
Some experiments have shown the problem was that /etc/libnss-ldap.conf
was not world readable. I made it 644, and the problems disappeared. So
I closed all bug reports on the issue, saying it was a local misconfiguration.
However, 644 is not an appropriate permission for /etc/libnss-ldap.conf.
With such permissions, user password hashes may be read from LDAP by
anyone. It's the equivalent of a world-readable /etc/shadow.
To say nothing of the fact that /etc/libnss-ldap.conf may contain the LDAP bind
password on some setups ...
I guess that the correct permissions for /etc/libnss-ldap.conf are 600.
And it is nscd (that runs as root) that should do binds to LDAP.
And in fact it happens that way, since many apps do work
correctly with 600 permissions on /etc/libnss-ldap.conf.
But e.g. finger does cause a scenario where the interaction between nscd and
libc6 is invalid.
Example:
nikita@zigzag:~> finger test
Login: test Name: test
Directory: /home/test Shell: /bin/bash
Last login Wed Oct 15 17:45 (MSD) on tty3
Mail last read Tue Sep 23 19:28 2003 (MSD)
No Plan.
nikita@zigzag:~> sudo chmod 600 /etc/libnss-ldap.conf
nikita@zigzag:~> finger test
finger: test: no such user.
nikita@zigzag:~> sudo chmod 644 /etc/libnss-ldap.conf
nikita@zigzag:~> finger test
Login: test Name: test
Directory: /home/test Shell: /bin/bash
Last login Wed Oct 15 17:45 (MSD) on tty3
Mail last read Tue Sep 23 19:28 2003 (MSD)
No Plan.
nikita@zigzag:~> ps aux | grep nscd
root 13538 0.0 0.2 37372 6144 ? S Oct13 1:29 /usr/sbin/nscd
root 13539 0.0 0.2 37372 6144 ? S Oct13 0:03 /usr/sbin/nscd
root 13540 0.0 0.2 37372 6144 ? S Oct13 1:26 /usr/sbin/nscd
root 13541 0.0 0.2 37372 6144 ? S Oct13 1:04 /usr/sbin/nscd
root 13542 0.0 0.2 37372 6144 ? S Oct13 1:05 /usr/sbin/nscd
root 13543 0.0 0.2 37372 6144 ? S Oct13 1:07 /usr/sbin/nscd
root 13544 0.0 0.2 37372 6144 ? S Oct13 1:05 /usr/sbin/nscd
nikita 3713 0.0 0.0 2876 732 pts/15 S 18:01 0:00 grep nscd
-- System Information:
Debian Release: 3.0
Architecture: i386
Kernel: Linux zigzag 2.4.22-smp #1 SMP Птн Сен 12 18:01:54 MSD 2003 i686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R
Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl
-- no debconf information
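
Added example (not part of the original report, and not Debian's or glibc's code): a shell check for the exposure the report describes, a world-readable nss_ldap client config, which is worse when it carries a bind password. The function name, return codes and sample files used to exercise it are assumptions of this example; bindpw is the nss_ldap directive that holds the bind password.

```shell
# Audit an nss_ldap client config for world-readability and an embedded
# bind password. Assumes the usual "keyword value" syntax with '#' comments.
# Return codes (chosen for this example):
#   0 = not world-readable
#   1 = world-readable, no bindpw line
#   2 = world-readable and contains bindpw (credential exposed locally)
#   3 = file not found
audit_nss_ldap_conf() {
    conf=${1:-/etc/libnss-ldap.conf}

    [ -f "$conf" ] || { echo "$conf: not found" >&2; return 3; }

    # find prints the path only if the "other read" bit (0004) is set.
    # This needs no read access to the file itself, so it also works
    # for an unprivileged user when the file is root-owned and mode 600.
    if [ -z "$(find "$conf" -prune -perm -0004)" ]; then
        echo "$conf: not world-readable"
        return 0
    fi

    # Commented-out lines are ignored: the keyword must start the line.
    if grep -Eiq '^[[:space:]]*bindpw[[:space:]]+[^[:space:]]' "$conf"; then
        echo "$conf: world-readable and contains bindpw"
        return 2
    fi

    echo "$conf: world-readable, no bindpw line"
    return 1
}
```

With mode 600 the check returns 0, but as the report shows, lookups that do not go through nscd then fail for unprivileged users.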