

Messages - Ken

1
News and Announcements / Re: Zentyal 3.0 Roadmap published
« on: February 11, 2012, 09:05:36 pm »
Some explanations:

With Ubuntu 10.04 (through 11.10)

pam_ldap.so is linked to libgnutls26 which is linked to libgcrypt11

If you log in using an ldap user:
* sudo will work if the ldap connection is non-encrypted (does not use the libgcrypt code which drops setuid)
* sudo will work if the ldap connection is encrypted plus you are running nscd (I'm not really sure why this works; I haven't taken the time to study it)
* sudo will not work if the ldap connection is encrypted and you are not running nscd

With Ubuntu 12.04

pam_ldap.so is linked to libgnutls26 which is still linked to libgcrypt11 (but it's an updated libgnutls26 which could be recompiled to not use libgcrypt11)

* sudo will not work if the ldap connection is encrypted regardless of nscd running or not.
* sudo will work if the ldap connection is not encrypted.

sudo is not the only program, /usr/bin/at has the same issue, basically all setuid binaries do.

When I rebuild gnutls26 without the configuration option to use libgcrypt11 it switches to using libnettle4 but that is linked against libhogweed which is linked against libgmp which is licensed under the Lesser GPL version 3. Debian does not want their main repository to contain any LGPLv3 code.

There was an alternative fix which is to delete a call to the initialization code in libgcrypt11 at the point where thread callbacks entered the libgcrypt11 library, but the full effects of making that change were not understood well enough to consider it harmless. It was proposed that a new API with a second thread callback entry point that did not drop setuid would be added, but that was rejected on the grounds that they were going to switch GnuTLS to stop using libgcrypt11 and use nettle instead. See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566351#112

Other Linux distributions avoid all of this by linking pam_ldap.so against libnss3 instead of gnutls.
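As an added diagnostic (not from the post), a POSIX shell function that reads ldd output for a PAM module and flags whether libgcrypt sits in its dependency chain, which is the condition behind the sudo failures described above. The module path and the sample ldd lines below are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic: does a PAM/NSS module pull in libgcrypt?
# libgcrypt11's initialization drops setuid privileges, so any module
# loaded into a setuid process (sudo, at, ...) that links it transitively
# via libgnutls26 is affected.

# gcrypt_in_chain reads ldd-style lines ("libfoo.so.1 => /path (0x...)")
# on stdin. It prints libgcrypt hits as FOUND and the TLS/NSS libraries
# as INFO. Exit status 0 means libgcrypt is in the chain, 1 means clean.
gcrypt_in_chain() {
    found=1
    while read -r lib _ path _; do
        case "$lib" in
            libgcrypt.so*|libgcrypt11*)
                echo "FOUND: $lib -> $path"
                found=0 ;;
            libgnutls.so*|libnettle.so*|libnss3.so*)
                echo "INFO:  $lib -> $path" ;;
        esac
    done
    return $found
}

# Constructed sample resembling ldd output on Ubuntu 12.04 (assumed paths).
SAMPLE_AFFECTED='	linux-vdso.so.1 =>  (0x00007fff00000000)
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f0000001000)
	libgnutls.so.26 => /usr/lib/x86_64-linux-gnu/libgnutls.so.26 (0x00007f0000002000)
	libgcrypt.so.11 => /lib/x86_64-linux-gnu/libgcrypt.so.11 (0x00007f0000003000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f0000004000)'

# Constructed sample of a module built against libnss3 instead (assumed).
SAMPLE_CLEAN='	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007f0000001000)
	libnss3.so => /usr/lib/x86_64-linux-gnu/libnss3.so (0x00007f0000005000)'

# check_module runs the real ldd on a module path when it exists.
# Assumed default path; set PAM_LDAP_MODULE to override.
check_module() {
    mod="${1:-${PAM_LDAP_MODULE:-/lib/security/pam_ldap.so}}"
    if [ -r "$mod" ] && command -v ldd >/dev/null 2>&1; then
        ldd "$mod" | gcrypt_in_chain
    else
        echo "skip: $mod not readable or ldd unavailable"
        return 2
    fi
}

printf '%s\n' "$SAMPLE_AFFECTED" | gcrypt_in_chain || echo "affected sample: libgcrypt present"
printf '%s\n' "$SAMPLE_CLEAN" | gcrypt_in_chain || echo "clean sample: no libgcrypt"
```

Run `check_module` on a real system to inspect the installed pam_ldap.so; it prints skip when the assumed path does not exist.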

2
News and Announcements / Re: Zentyal 3.0 Roadmap published
« on: February 11, 2012, 08:45:28 pm »
Dear ichat, I'm afraid that the issue is not so much one of technology as of policy. I posted a known fix into a PPA, but it causes software license issues. Unless the license issues are resolved there is a good chance 12.04 will ship with the bug in this report:
https://bugs.launchpad.net/bugs/926350

The issue is discussed here:
http://lists.debian.org/debian-legal/2011/02/msg00012.html
    Subject: Re: LGPL library using only LGPL-parts of partially GPL shared library (gnutls, nettle)
    From: Andreas Metzler <ametzler@downhill.at.eu.org>
    Date: Sun, 20 Feb 2011 11:23:37 +0100

    ... Nettle's public key library (libhogweed) uses and links against
    libgmp, which is LGPLv3+. Therefore switching gnutls from gcrypt to
    nettle would break GPLv2-compatibility (GPLv2 without the "or any
    later version " clause). ...

3
News and Announcements / Re: Zentyal 3.0 Roadmap published
« on: February 07, 2012, 04:38:04 pm »
Please be aware that Ubuntu 12.04 LTS has a bug which affects LDAP:
https://bugs.launchpad.net/bugs/926350
