** Description changed:

  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.
  
  Default nsswitch.conf:
  
  passwd:         compat
  group:          compat
  shadow:         compat
  
  m...@box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 
GNU/Linux
  
  m...@box:~$ su -
- Password: 
+ Password:
  r...@box:~#
  
  Modified nsswitch.conf with 'ldap' before 'compat':
  
  passwd:         ldap compat
  group:          ldap compat
  shadow:         ldap compat
  
  m...@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
  
  m...@box:~$ su -
- Password: 
+ Password:
  setgid: Operation not permitted
  
  Modified nsswitch.conf with 'ldap' after 'compat':
  
  passwd:         compat ldap
  group:          compat ldap
  shadow:         compat ldap
  
  m...@box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 
GNU/Linux
  
  m...@box:~$ su -
- Password: 
+ Password:
  r...@box:~#
  
  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.
+ 
+ Lucid Release Note:
+ 
+ == NSS via LDAP+SSL breaks setuid applications like sudo ==
+ 
+ Upgrading systems configured to use ldap over ssl as the first service
+ in the nss stack (in nsswitch.conf) leads to a broken nss resolution for
+ setuid applications after the upgrade to Lucid (for example sudo would
+ stop working). There isn't any simple workaround for now. One option is
+ to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
+ Another one consists in using nscd before the upgrade.
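
Review bot: In the added Lucid release note, "There isn't any simple workaround for now" is followed directly by two options (switching to libnss-ldapd, or using nscd), which reads as contradictory. Consider saying that these are the available workarounds and that each has to be in place before the upgrade. "using nscd" should also say what is required (installed and running). The note gives only sudo as an example, while the bug title and the reproduction above show su failing too ("setgid: Operation not permitted"), so quoting both error messages would help readers recognise the symptom. Finally, the note limits the problem to "ldap over ssl", but the nsswitch.conf reproduction above mentions only the position of 'ldap' and says nothing about SSL. It would help to state where the SSL setting comes from, so readers can tell whether they are affected.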

** Changed in: ubuntu-release-notes
       Status: New => Confirmed

-- 
NSS using LDAP+SSL breaks setuid applications like su and sudo
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
