On Mon, 25 Jan 2010 16:13, ans...@43-1.org said:

> Yes, it is even quite simple to write such an application: Just call
> getgroups(), getpwent(), ... on a system that uses LDAP. If there is no
> caching daemon like nscd running, the application will use libnss-ldap
> (via glibc's Name Service Switch) which can in turn use gnutls.

That is a broken design. glibc should never ever allow suid processes to run code from external services it is not 100% sure they are clean. I guess libnss_files and the other standard ones might be fine, but LDAP or even LDAPS are very problematic. Such code belongs in a separate process and not in the one of an arbitrary - possibly suid - application.

> As the application itself does not use openldap, gnutls, or gcrypt there
> is no way it could initialize gcrypt.

You may consider this a feature - it indicates that there is something severely wrong with the application running on a particular system configuration.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are governed by a federal law.
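The exchange above turns on which NSS modules glibc will load into the calling process: a plain getpwent() or getgroups() call pulls in whatever /etc/nsswitch.conf names for that database, and with libnss-ldap that means LDAP, gnutls and gcrypt code running inside the caller, setuid or not. The following C program is an added example, not code from the thread or from glibc: it audits an nsswitch.conf-style text and counts, per database, the sources that are not resolved locally (anything other than files, compat or db; the local list and the sample configuration are assumptions made here), and it reports whether the process itself runs setuid by comparing geteuid() with getuid().

```c
/* Added example (not part of the original thread): audit an nsswitch.conf
 * text for databases that resolve through network-backed NSS modules such
 * as ldap, nis or dns. Those modules execute inside the calling process,
 * which is the concern raised in the thread for setuid programs. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>

/* Sources that glibc resolves from local files without contacting a remote
 * service (assumed list for this example). */
static const char *const local_sources[] = { "files", "compat", "db", NULL };

static int is_local_source(const char *name)
{
    for (int i = 0; local_sources[i]; i++)
        if (strcmp(name, local_sources[i]) == 0)
            return 1;
    return 0;
}

/* Find the line "<db>:" in an nsswitch.conf-style text and return how many
 * listed sources are not local (0 if none, or if the database is absent).
 * Bracketed tokens such as "[NOTFOUND=return]" are action specifiers, not
 * sources, and are skipped; a '#' starts a comment. */
int nss_remote_source_count(const char *conf, const char *db)
{
    const char *p = conf;
    size_t dblen = strlen(db);
    int count = 0;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        char *s = line;
        while (isspace((unsigned char)*s)) s++;
        if (*s != '#' && strncmp(s, db, dblen) == 0 && s[dblen] == ':') {
            char *tok = strtok(s + dblen + 1, " \t");
            while (tok) {
                if (tok[0] == '#') break;          /* trailing comment */
                if (tok[0] != '[' && !is_local_source(tok))
                    count++;
                tok = strtok(NULL, " \t");
            }
            return count;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return count;
}

/* Constructed sample configuration; not taken from any real host. */
static const char sample_conf[] =
    "# /etc/nsswitch.conf (constructed sample)\n"
    "passwd:     files ldap [NOTFOUND=return]\n"
    "group:      files ldap\n"
    "shadow:     files\n"
    "hosts:      files dns\n";

int main(void)
{
    const char *dbs[] = { "passwd", "group", "shadow", "hosts" };
    /* A setuid binary runs with an effective uid that differs from the
     * real uid of the user who started it. */
    if (geteuid() != getuid())
        puts("note: this process is running setuid");
    for (size_t i = 0; i < sizeof dbs / sizeof dbs[0]; i++) {
        int n = nss_remote_source_count(sample_conf, dbs[i]);
        printf("%-7s %s\n", dbs[i],
               n ? "resolved by a remote NSS module in-process"
                 : "local sources only");
    }
    return 0;
}
```

Run against a real /etc/nsswitch.conf (read the file into a buffer and pass it in place of the constructed sample), the count tells you which lookups a setuid program on that host would have to trust a network-backed module for; running nscd, as the quoted message notes, moves that work out of the calling process, and a count of zero for passwd, group and shadow means the caller stays with glibc's own file-backed modules.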