nslcd drops supplemental groups when dropping privileges

Bug #1020303 reported by ekilfoil
Affects: nss-pam-ldapd (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned

Bug Description

When nslcd drops privileges at startup, it calls setgroups(0, NULL) rather than the expected initgroups("username", gid). This causes nslcd not to be able to read files (such as TLS certificates) if they are owned by one of the supplemental groups specified in the /etc/group file.

If it matters, nscd works as expected by calling getgrouplist() and then the appropriate setgroups() with the group list when it drops privileges.

The debug output from nslcd shows this happening:

nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(112) done
nslcd: DEBUG: setuid(106) done

and it appears to do this intentionally in nslcd.c:

  /* drop all supplemental groups */
  if (setgroups(0,NULL)<0)

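To make the reporter's point concrete, here is an added example (not nslcd's or nscd's own code) showing why setgroups(0, NULL) loses access to group-owned files while an initgroups()-style drop keeps it. The /etc/group text, the ssl-cert gid 113 and the assumption that the uid 106 / gid 112 seen in the debug output belong to a user named "nslcd" are all constructed for this example; the gid list is computed from that text rather than from the system database so the check runs without root, and the real privilege drop is only attempted when the process is root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed /etc/group-style sample (not the reporter's system): nslcd is a
 * member of ssl-cert, which is assumed here to own the TLS key files. */
static const char SAMPLE_GROUP[] =
    "root:x:0:\n"
    "adm:x:4:syslog,alice\n"
    "nslcd:x:112:\n"
    "ssl-cert:x:113:nslcd\n";

/* Compute the list initgroups()/getgrouplist() would produce for `user`, but
 * from group-file text instead of the system database so it can be checked
 * unprivileged: primary gid first, then every group listing `user` as a
 * member.  Returns the count, or -1 if `out` cannot hold it. */
static int groups_from_text(const char *group_text, const char *user,
                            gid_t primary, gid_t *out, int max)
{
    if (max < 1) return -1;
    char *copy = strdup(group_text);
    if (copy == NULL) return -1;
    int n = 0;
    out[n++] = primary;
    char *saveline = NULL;
    for (char *line = strtok_r(copy, "\n", &saveline); line != NULL;
         line = strtok_r(NULL, "\n", &saveline)) {
        /* fields: name:passwd:gid:member,member,... */
        char *passwd = strchr(line, ':');   if (!passwd) continue;  *passwd++ = '\0';
        char *gidstr = strchr(passwd, ':'); if (!gidstr) continue;  *gidstr++ = '\0';
        char *members = strchr(gidstr, ':'); if (!members) continue; *members++ = '\0';
        gid_t gid = (gid_t)strtoul(gidstr, NULL, 10);
        if (gid == primary) continue;          /* already first in the list */
        char *savem = NULL;
        for (char *m = strtok_r(members, ",", &savem); m != NULL;
             m = strtok_r(NULL, ",", &savem)) {
            if (strcmp(m, user) == 0) {
                if (n >= max) { free(copy); return -1; }
                out[n++] = gid;
                break;
            }
        }
    }
    free(copy);
    return n;
}

/* Is a mode-0640 file owned by `file_gid` readable with this group list?
 * After setgroups(0, NULL) + setgid() only the primary gid (first entry)
 * applies; after initgroups() the supplementary groups apply too. */
static int group_readable(gid_t file_gid, const gid_t *groups, int n)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == file_gid) return 1;
    return 0;
}

/* Privilege drop in the order nscd uses: supplementary groups, then gid, then
 * uid.  The commented-out line is the pre-0.8.11 nslcd behaviour.  Requires
 * root; returns -1 with errno set on failure. */
static int drop_privileges(const char *user, uid_t uid, gid_t gid)
{
    /* if (setgroups(0, NULL) < 0) return -1;   <- drops ssl-cert and friends */
    if (initgroups(user, gid) < 0) return -1;   /* primary + supplementary */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* Sanity check: once we are non-root, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    gid_t groups[16];
    int n = groups_from_text(SAMPLE_GROUP, "nslcd", 112, groups, 16);
    if (n < 0) { fputs("group buffer too small\n", stderr); return 1; }
    printf("group list for nslcd:");
    for (int i = 0; i < n; i++) printf(" %lu", (unsigned long)groups[i]);
    putchar('\n');
    printf("key owned by gid 113 readable after setgroups(0,NULL): %s\n",
           group_readable(113, groups, 1) ? "yes" : "no");
    printf("key owned by gid 113 readable after initgroups():      %s\n",
           group_readable(113, groups, n) ? "yes" : "no");
    /* Assumed mapping: user "nslcd" = uid 106 / gid 112 from the debug output. */
    if (getuid() == 0 && drop_privileges("nslcd", 106, 112) < 0)
        perror("drop_privileges");
    return 0;
}
```

The ordering matters: initgroups() and setgroups() need CAP_SETGID, so they must run before setgid()/setuid() give it up, and the final setuid(0) probe catches a drop that silently only changed the effective uid.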
Arthur de Jong (adejong) wrote:

This was changed in 0.8.11, which was uploaded as 0.8.11-1 to Debian experimental (in experimental mostly to avoid problems for the upcoming Debian stable release).

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package nss-pam-ldapd - 0.8.13-1

---------------
nss-pam-ldapd (0.8.13-1) unstable; urgency=low

  * New upstream release
    - include an extra sanity check to ensure not too many file
      descriptors are open
    - fix handling of gid configuration option if it is listed before the uid
      option
    - return NSS_STATUS_TRYAGAIN on zero-length (but not-NULL) buffer (thanks
      Jakub Hrozek)
    - provide an _nss_ldap_version symbol in the NSS module to help debug
      problems with a newer nslcd
    - retry updating the lastChange attribute with the normal nslcd LDAP
      connection if the update with the user's connection failed
    - avoid processing passwd_byuid requests for uids below nss_min_uid
    - fix a few minor or very unlikely to occur memory leaks
    - miscellaneous minor changes, fixes and compatibility improvements
  * drop 01-fix-set-usec-instead-of-sec.patch which is part of 0.8.13
  * remove compatibility code that converted nss-ldapd.conf to nslcd.conf
    for upgrading from pre-0.7 versions of nss-ldapd (thanks Dominik George)
  * remove code for fixing permissions when upgrading from a pre-0.6.7.1
    version
  * updated Turkish debconf translation by Atila KOÇ (closes: #701067)
  * drop Richard A Nelson from uploaders
  * add build dependency on autotools-dev to ensure config.sub and
    config.guess are automatically updated during build

 -- Arthur de Jong <email address hidden> Sun, 05 May 2013 20:00:00 +0200

Changed in nss-pam-ldapd (Ubuntu):
status: New → Fix Released