Brian May wrote:
> 2. libgcrypt drops root privileges if called setuid on the assumption
> the only reason the program is setuid root is so it can lock memory.
>
> Unfortunately this breaks every setuid program that uses PAM when PAM
> is configured to use ldap and ldap is configured to use gnutls,
> because gnutls uses gcrypt.

An example is pmount, which sometimes calls cryptsetup itself relying on gcrypt.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551540

In that case, the workaround is to call cryptsetup as root, but that doesn't sound right and could lead to more problems...

Why doesn't gcrypt leave it up to the caller to deal with dropping privileges? The not-dropping-privileges hack mentioned by Werner Koch in #566351 should be fine enough...

Vincent

--
Vincent Fourmond, Debian Developer
http://vince-debian.blogspot.com/