** Description changed:

  == Regression details ==
- Discovered in version: 12.04 LTS
- Last known good version: depends. 9.04 Jaunty the last one before a work-around became necessary. 11.10 was the last one that worked when you used the work-around.
+ Discovered in version: 2.12.14-5ubuntu2 (Ubuntu 12.04 LTS)
+ Last known good version: 2.10.5-1ubuntu3 (Ubuntu 11.10)
+ 
+ Note that a work-around was required by libgnutls26 2.10.5-1ubuntu3 and
+ that work-around started to be required by an earlier version and stopped
+ helping when 2.12.14-5ubuntu2 is used.
  
  If your account is an LDAP one and your LDAP client connects to its LDAP server via SSL then running setuid programs from your account fail since libgcrypt11 is horribly broken and upstream GnuTLS no longer recommends using it as the backend crypto library:
  
  http://lists.debian.org/debian-legal/2011/02/msg00006.html
  
  In the past it was possible to work around this by using nscd but that work around no longer has any effect. When I rebuild gnutls26 with nettle I am able to use setuid binaries from my LDAP account which connects via SSL to its LDAP server.
  
  Reproducing:
  
  1. Install an OpenLDAP server that speaks LDAP over SSL, see https://help.ubuntu.com/10.04/serverguide/C/openldap-server.html for details.
  
  2. Install Ubuntu 12.04 and configure it to be an LDAP client that connects via to its LDAP server via SSL.
  
  3. Log into the Ubuntu 12.04 created in step using an LDAP account not an account in /etc/passwd.
  
  4. Attempt to use sudo. You will see unexpected results:
  
  nutz@dubnium:~$ sudo id
  [sudo] password for nutz:
  sudo: setresuid(ROOT_UID, ROOT_UID, ROOT_UID): Operation not permitted
  sudo: unable to open /var/lib/sudo/nutz/1: Operation not permitted
  sudo: unable to set gid to runas gid 0: Operation not permitted
  sudo: unable to execute /usr/bin/id: Operation not permitted
  nutz@dubnium:~$
  
  5. Apply patched version of gnutls26, see attached branch.
  
  6. Attempt to use sudo. You will see expected results:
  
  nutz@dubnium:~$ sudo id
  [sudo] password for nutz:
  uid=0(root) gid=0(root) groups=0(root)
  
  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: libgnutls26 2.12.14-5ubuntu2
  ProcVersionSignature: Ubuntu 3.2.0-12.21-generic 3.2.2
  Uname: Linux 3.2.0-12-generic i686
  ApportVersion: 1.91-0ubuntu1
  Architecture: i386
  Date: Fri Feb 3 16:22:47 2012
  InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Release i386 (20111011)
  ProcEnviron:
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: gnutls26
  UpgradeStatus: No upgrade log present (probably fresh install)

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/926350

Title:
  LDAP account via SSL cannot use setuid binaries until gnutls26 is rebuilt with nettle not libgcrypt11
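
An added check, not part of the original bug report or of the gnutls26 package: it reports which crypto backend the installed libgnutls26 library is linked against, the one thing that differs between steps 4 and 6 of the report. The soname `libgnutls.so.26`, the function names and the sample `ldd` lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Report the crypto backend libgnutls26 is dynamically linked against.

# Classify `ldd` output read on stdin.
# Prints one of: libgcrypt | nettle | both | unknown
classify_backend() {
    awk '
        $1 ~ /^libgcrypt\.so/ { g = 1 }
        $1 ~ /^libnettle\.so/ { n = 1 }
        END {
            if (g && n)  print "both"
            else if (g)  print "libgcrypt"
            else if (n)  print "nettle"
            else         print "unknown"
        }'
}

# Find the library through the dynamic linker cache.
# Assumption: libgnutls26 ships the soname libgnutls.so.26.
find_gnutls() {
    PATH="$PATH:/sbin:/usr/sbin" ldconfig -p 2>/dev/null |
        awk '$1 ~ /^libgnutls\.so\.26$/ { print $NF; exit }'
}

# Prints the backend of the installed library, or "not-installed".
check_system() {
    lib=$(find_gnutls)
    if [ -z "$lib" ]; then
        echo "not-installed"
        return 0
    fi
    ldd "$lib" | classify_backend
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_GCRYPT='    libgcrypt.so.11 => /lib/libgcrypt.so.11 (0x00000000)
    libc.so.6 => /lib/libc.so.6 (0x00000000)'
SAMPLE_NETTLE='    libnettle.so.4 => /usr/lib/libnettle.so.4 (0x00000000)
    libc.so.6 => /lib/libc.so.6 (0x00000000)'

# Run against the local system only when asked: sh thisfile --check
if [ "${1:-}" = "--check" ]; then
    check_system
fi
```

On an LDAP-over-SSL client, a result of `libgcrypt` corresponds to the build that fails in step 4 of the report; `nettle` corresponds to the rebuilt package from step 5.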