[tech] Debian upgrades, LDAP+SSL and setuid()

David Adam zanchey at ucc.gu.uwa.edu.au
Mon Dec 6 23:37:33 WST 2010


There is a plan afoot to upgrade the various Debian machines we have to 
squeeze, which will become the latest release of Debian at some point in 
the next few months.

One issue I initially discovered when upgrading machines to the 
latest Ubuntu some months ago, and rediscovered this afternoon, is that 
the version of libnss-ldap in these releases causes an issue with our 
LDAP setup, which uses SSL to protect the exchange of password data.

As documented in Debian bugs #566351 [1] and #545414 [2], libnss-ldap 
links against an SSL library which drops privileges for certain 
operations, which makes any binaries which try to setuid fail - such as 
sudo(8) or fusermount(1). The first link features some excellent slinging 
between OpenLDAP and GnuTLS developers.

Anyway, rather than argue about the braindead design [3], there are two 
options for fixing this:

 * Rebuild libnss-ldap against OpenSSL rather than GnuTLS and install it 
   on all our machines. This is a pain when installing and requires us to 
   keep an eye on updates to rebuild the package, but changes the least 
   number of variables.

 * Install libnss-ldapd and nslcd, which provides a separate daemon for 
   all LDAP lookups. This is easier during installation, but libnss-ldapd 
   is much newer software, and if the nslcd process goes away problems may 
   occur.

libnss-ldapd also pulls in nscd (a caching daemon for NSS lookups) as a 
recommended package in Debian, but the consensus is that this is likely to 
cause more problems than it solves due to a lack of cache invalidation.

If anyone has convincing arguments one way or another, I'd be keen to hear 
them. At this stage I'm going for libnss-ldapd and possibly installing 
monit or similar to keep nslcd(8) running.

David Adam
UCC Wheel Member
zanchey@

 [1]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566351
 [2]: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545414
 [3]: http://lists.debian.org/debian-devel/2010/03/msg00302.html
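A pre-upgrade check for the problem described in this post, added here as an example and not part of the original message: it lists which nsswitch.conf databases consult LDAP, classifies the TLS library the in-process NSS module pulls in, and treats a running nslcd as the safe configuration. The module path and the sample nsswitch/ldd data are assumptions and constructed inputs, not values from the post.

```sh
#!/bin/sh
# Added diagnostic (not from the original post): is this host exposed to the
# in-process libnss-ldap -> libldap -> GnuTLS privilege drop that breaks
# setuid binaries such as sudo, or are lookups already going via nslcd?

# Print the nsswitch.conf databases that consult the ldap source.
# Arg 1: nsswitch.conf contents.  Output: one database name per line.
ldap_databases() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        awk -F: '(" " $2 " ") ~ / ldap / { gsub(/[[:space:]]/, "", $1); print $1 }'
}

# Classify the TLS library a module links, from its ldd listing.
# Arg 1: ldd output.  Output: gnutls | openssl | none
tls_linkage() {
    case "$1" in
        *libgnutls*) echo gnutls ;;
        *libssl*)    echo openssl ;;
        *)           echo none ;;
    esac
}

# Verdict from the TLS linkage (arg 1) and whether nslcd runs (arg 2: yes/no).
# Output: affected | ok
verdict() {
    if [ "$2" = yes ]; then
        echo ok           # lookups leave the process; the daemon does the TLS
    elif [ "$1" = gnutls ]; then
        echo affected     # GnuTLS initialised inside a setuid process
    else
        echo ok
    fi
}

# Constructed sample inputs so the functions can be exercised offline.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap   # comment
hosts:          files dns'
SAMPLE_LDD='        libldap_r-2.4.so.2 => /usr/lib/libldap_r-2.4.so.2 (0x0)
        libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x0)'

# Live check on the real host: ./check.sh --live  (module path is an assumption)
if [ "${1:-}" = --live ]; then
    module=${NSS_LDAP_MODULE:-/lib/libnss_ldap.so.2}
    nslcd_running=no; pidof nslcd >/dev/null 2>&1 && nslcd_running=yes
    linkage=$(tls_linkage "$(ldd "$module" 2>/dev/null)")
    echo "ldap databases: $(ldap_databases "$(cat /etc/nsswitch.conf)" | tr '\n' ' ')"
    echo "$module links: $linkage; nslcd running: $nslcd_running"
    echo "verdict: $(verdict "$linkage" "$nslcd_running")"
fi
```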