Your message dated Sat, 12 Mar 2005 01:29:53 +0100 with message-id <[EMAIL PROTECTED]> and subject line Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
From: David Brown <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
Date: Fri, 04 Mar 2005 20:23:24 -0700

Package: kdebase-bin
Severity: normal

Subject: kdebase-bin: kcheckpass won't use ldap authentication without setuid
Package: kdebase-bin
Version: 4:3.3.2-1
Severity: normal

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages kdebase-bin depends on:
ii  kdelibs4        4:3.3.2-1        KDE core libraries
ii  libart-2.0-2    2.3.17-1         Library of functions for 2D graphi
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libfam0c102     2.7.0-6          client library to control the FAM
ii  libgcc1         1:3.4.3-9        GCC support library
ii  libice6         4.3.0.dfsg.1-10  Inter-Client Exchange library
ii  libidn11        0.5.2-3          GNU libidn library, implementation
ii  libpam-runtime  0.76-22          Runtime support for the PAM librar
ii  libpam0g        0.76-22          Pluggable Authentication Modules l
ii  libpng12-0      1.2.8rel-1       PNG library - runtime
ii  libqt3c102-mt   3:3.3.3-8        Qt GUI Library (Threaded runtime v
ii  libsm6          4.3.0.dfsg.1-10  X Window System Session Management
ii  libstdc++5      1:3.3.5-8        The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxrender1     0.8.3-7          X Rendering Extension client libra
ii  libxtst6        4.3.0.dfsg.1-10  X Window System event recording an
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4        compression library - runtime

-- no debconf information

More potentially useful stuff:
ii  libldap2        2.1.30-3  OpenLDAP libraries
ii  libnss-ldap     220-1     NSS module for using LDAP as a naming servic
ii  libpam-ldap     169-1     Pluggable Authentication Module allowing LDA
ii  kdebase-bin     3.3.2-1   KDE Base (binaries)
ii  libpam-modules  0.76-22   Pluggable Authentication Modules for PAM
ii  libpam-runtime  0.76-22   Runtime support for the PAM library
ii  libpam0g        0.76-22   Pluggable Authentication Modules library

This may somewhat relate to bug #212212...

It looks like it is a known issue with kcheckpass and ldap authentication that kcheckpass needs to be setuid. See http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html and search for kcheckpass.

kscreensaver invokes kcheckpass like so:

    kcheckpass -c kscreensaver -m classic -S 13

This results in:

    Communication breakdown on write

Once kcheckpass is setuid it works. According to the post referenced above, the real fix is to write a setuid wrapper to access the credentials cache. I don't know if debian is even using that cache; I can't find it.

Regardless, kcheckpass will fail when ldap authentication is used currently. Adding the setuid bit fixes it. This should probably be considered a workaround until a safer, more permanent fix is found.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (650, 'unstable'), (600, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-386
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

---------------------------------------
From: Adeodato Simó <[EMAIL PROTECTED]>
To: David Brown <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#298148: kdebase-bin: kcheckpass needs setuid bit for ldap authentication
Date: Sat, 12 Mar 2005 01:29:53 +0100

* David Brown [Fri, 04 Mar 2005 20:23:24 -0700]:

Hello David,

> This may somewhat relate to bug #212212...

> It looks like it is a known issue with kcheckpass and ldap
> authentication that kcheckpass needs to be setuid. See
> http://lists.fini.net/pipermail/ldap-interop/2005-January/000208.html
> and search for kcheckpass.

> kscreensaver invokes kcheckpass like so:
> kcheckpass -c kscreensaver -m classic -S 13

> This results in:
> Communication breakdown on write

> Once kcheckpass is setuid it works. According to the post referenced
> above, the real fix is to write a setuid wrapper to access the
> credentials cache. I don't know if debian is even using that cache; I
> can't find it.

> Regardless, kcheckpass will fail when ldap authentication is used
> currently. Adding the setuid bit fixes it. This should probably be
> considered a workaround until a safer, more permanent fix is found.

As noted on #212212, you should use dpkg-statoverride on the systems on which you need a setuid kcheckpass, and hope that the provider of pam_ccreds provides a setuid wrapper, as pam_unix does.

In fact, I tried to see if pam_ccreds is provided by some Debian package, but I couldn't find it. If there is, this bug could be reassigned to it.

I'm closing this bug report.

-- 
Adeodato Simó
    EM: asp16 [ykwim] alu.ua.es | PK: DA6AE621

We may not return the affection of those who like us, but we always respect
their good judgement.
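
The dpkg-statoverride workaround recommended in the reply, turned into an audit check (an added example, not part of the original thread or of any Debian package): it reports whether a setuid bit on a binary is backed by a registered override. The list format "owner group mode path" is what `dpkg-statoverride --list` prints; the scratch file standing in for kcheckpass and the verdict names are assumptions of this example.

```shell
#!/bin/sh
# Added example: is a setuid bit on a binary backed by a dpkg-statoverride entry?
# Override lines look like "<owner> <group> <mode> <path>", the format printed
# by `dpkg-statoverride --list`.

# Print the mode registered for PATH in LISTFILE (empty if none).
override_mode() {
    awk -v p="$2" '$4 == p { print $3 }' "$1"
}

# True when the octal MODE carries the setuid bit (04000).
has_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# audit_setuid LISTFILE PATH: print a verdict; return 0 only for a consistent state.
audit_setuid() {
    disk=$(stat -c '%a' "$2" 2>/dev/null) || { echo "missing"; return 2; }
    reg=$(override_mode "$1" "$2")
    if has_setuid "$disk"; then
        [ -z "$reg" ] && { echo "untracked-setuid"; return 1; }
        has_setuid "$reg" || { echo "mode-mismatch"; return 1; }
        echo "tracked-setuid"
    elif [ -n "$reg" ] && has_setuid "$reg"; then
        echo "override-not-applied"; return 1
    else
        echo "no-setuid"
    fi
}

# Constructed demo: a scratch file stands in for kcheckpass (its install path
# is not given in the thread), and the override list is written by hand.
demo() {
    d=$(mktemp -d)
    touch "$d/kcheckpass"
    chmod 4755 "$d/kcheckpass"
    : > "$d/overrides"
    audit_setuid "$d/overrides" "$d/kcheckpass" || true   # plain chmod only
    echo "root root 4755 $d/kcheckpass" > "$d/overrides"
    audit_setuid "$d/overrides" "$d/kcheckpass" || true   # override registered
    rm -rf "$d"
}
demo
```

On a real system, save the output of `dpkg-statoverride --list` to a file and pass it with the installed path of kcheckpass. A setuid bit set with chmod alone is reset when the package is next unpacked, while one registered with `dpkg-statoverride --update --add` persists and stays visible in the override list.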