Bug#298148: marked as done (kdebase-bin: kcheckpass needs setuid bit for ldap authentication)
Your message dated Sat, 12 Mar 2005 01:29:53 +0100
with message-id <20050312002953.GA14394@chistera.yi.org>
and subject line Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Mar 2005 03:23:18 +0000
From: David Brown <david@davtar.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
X-Mailer: reportbug 3.2
Date: Fri, 04 Mar 2005 20:23:24 -0700
Message-Id: <20050305032325.9CE8FB7D7E@aragorn.davtar.org>
Package: kdebase-bin
Severity: normal
Subject: kdebase-bin: kcheckpass won't use ldap authentication without setuid
Package: kdebase-bin
Version: 4:3.3.2-1
Severity: normal
-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages kdebase-bin depends on:
ii  kdelibs4                 4:3.3.2-1       KDE core libraries
ii  libart-2.0-2             2.3.17-1        Library of functions for 2D graphi
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libfam0c102              2.7.0-6         client library to control the FAM 
ii  libgcc1                  1:3.4.3-9       GCC support library
ii  libice6                  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  libidn11                 0.5.2-3         GNU libidn library, implementation
ii  libpam-runtime           0.76-22         Runtime support for the PAM librar
ii  libpam0g                 0.76-22         Pluggable Authentication Modules l
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libqt3c102-mt            3:3.3.3-8       Qt GUI Library (Threaded runtime v
ii  libsm6                   4.3.0.dfsg.1-10 X Window System Session Management
ii  libstdc++5               1:3.3.5-8       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxrender1              0.8.3-7         X Rendering Extension client libra
ii  libxtst6                 4.3.0.dfsg.1-10 X Window System event recording an
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-4       compression library - runtime
-- no debconf information
More potentially useful stuff:
ii  libldap2       2.1.30-3       OpenLDAP libraries
ii  libnss-ldap    220-1          NSS module for using LDAP as a naming servic
ii  libpam-ldap    169-1          Pluggable Authentication Module allowing LDA
ii  kdebase-bin    3.3.2-1        KDE Base (binaries)
ii  libpam-modules 0.76-22        Pluggable Authentication Modules for PAM
ii  libpam-runtime 0.76-22        Runtime support for the PAM library
ii  libpam0g       0.76-22        Pluggable Authentication Modules library

This may somewhat relate to bug #212212...

It looks like it is a known issue with kcheckpass and ldap
authentication that kcheckpass needs to be setuid.  See
http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html
and search for kcheckpass.

kscreensaver invokes kcheckpass like so:

    kcheckpass -c kscreensaver -m classic -S 13

This results in:

    Communication breakdown on write

Once kcheckpass is setuid it works.  According to the post referenced
above, the real fix is to write a setuid wrapper to access the
credentials cache.  I don't know if debian is even using that cache; I
can't find it.

Regardless, kcheckpass will fail when ldap authentication is used
currently.  Adding the setuid bit fixes it.  This should probably be
considered a workaround until a safer, more permanent fix is found.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
---------------------------------------
Received: (at 298148-done) by bugs.debian.org; 12 Mar 2005 00:30:00 +0000
Date: Sat, 12 Mar 2005 01:29:53 +0100
From: Adeodato Simó <asp16@alu.ua.es>
To: David Brown <david@davtar.org>, 298148-done@bugs.debian.org
Subject: Re: Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
Message-ID: <20050312002953.GA14394@chistera.yi.org>
Reply-To: 298148@bugs.debian.org,
	Adeodato Simó <asp16@alu.ua.es>
References: <20050305032325.9CE8FB7D7E@aragorn.davtar.org>
In-Reply-To: <20050305032325.9CE8FB7D7E@aragorn.davtar.org>
X-No-CC: Please respect my Mail-Followup-To header
User-Agent: Mutt/1.5.8i
* David Brown [Fri, 04 Mar 2005 20:23:24 -0700]:
  Hello David,
> This may somewhat relate to bug #212212...
>
> It looks like it is a known issue with kcheckpass and ldap
> authentication that kcheckpass needs to be setuid.  See
> http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html
> and search for kcheckpass.
>
> kscreensaver invokes kcheckpass like so:
>
>     kcheckpass -c kscreensaver -m classic -S 13
>
> This results in:
>
>     Communication breakdown on write
>
> Once kcheckpass is setuid it works.  According to the post referenced
> above, the real fix is to write a setuid wrapper to access the
> credentials cache.  I don't know if debian is even using that cache; I
> can't find it.
>
> Regardless, kcheckpass will fail when ldap authentication is used
> currently.  Adding the setuid bit fixes it.  This should probably be
> considered a workaround until a safer, more permanent fix is found.

  As noted on #212212, you should use dpkg-statoverride on the systems
  on which you need a setuid kcheckpass, and hope that the provider of
  pam_ccreds provides a setuid wrapper, as pam_unix does. In fact, I
  tried to see if pam_ccreds is provided by some Debian package, but I
  couldn't find it. If there is, this bug could be reassigned to it.

  I'm closing this bug report.

-- 
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621
 
We may not return the affection of those who like us, but we always
respect their good judgement.
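
Added example (not part of the thread and not code from Debian or KDE): a shell check that tells a setuid bit backed by a dpkg-statoverride entry apart from one set by hand, which a package upgrade would reset. The function names and the /path/to/... placeholders are assumptions; the thread does not give the installed path of kcheckpass.

```shell
#!/bin/sh
# Added example, not from the thread: detect a locally set setuid bit that is
# not backed by a dpkg-statoverride entry (it would be lost on package upgrade).
# Override list lines have the form: <owner> <group> <mode> <path>

# Print the mode registered for path $2 in override list $1 (empty if none).
override_mode() {
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $3; exit }'
}

# Normalise an octal mode string ("0755", "4755") by dropping leading zeros.
norm_mode() {
    printf '%o\n' "0$1"
}

# classify ACTUAL_MODE OVERRIDE_LIST PATH -> one status word on stdout
classify() {
    actual=$(norm_mode "$1")
    want=$(override_mode "$2" "$3")
    if [ -n "$want" ]; then
        if [ "$(norm_mode "$want")" = "$actual" ]; then
            echo ok                    # on-disk mode matches the override
        else
            echo drift                 # override exists, file mode differs
        fi
    elif [ $(( 0$actual & 04000 )) -ne 0 ]; then
        echo unregistered-setuid       # setuid by hand, no override recorded
    else
        echo no-override               # not setuid, nothing registered
    fi
}

# audit_path OVERRIDE_LIST PATH: classify the file as it is on disk now.
# Uses GNU stat; %a prints the octal mode including the setuid/setgid bits.
audit_path() {
    classify "$(stat -c '%a' "$2")" "$1" "$2"
}

# Constructed sample list; both paths are placeholders, not real locations.
SAMPLE_OVERRIDES='root root 4755 /path/to/kcheckpass
root mail 2755 /path/to/other-tool'

# On a Debian system (placeholder path):
#   dpkg-statoverride --update --add root root 4755 /path/to/kcheckpass
#   audit_path "$(dpkg-statoverride --list)" /path/to/kcheckpass
```

A result of unregistered-setuid or drift means the file mode and the package database disagree, which is worth reviewing on any host where kcheckpass was made setuid as a workaround.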