/usr/bin/id does not show ldap groups

Bug #771698 reported by Thomas Schweikle
Affects: libnss-ldap (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

We've found a bug with libnss:
Configure your system to use /etc-files then ldap, nis, or whatever. Have your user in some local groups, *and* in some ldap, nis, whatever only groups. Then logoff, logon again. Do "getent group". All groups are listed -- local ones and the ldap, nis, other ones. Now do "id". Only local groups are shown. You are not a member of any ldap, nis, or whatever defined group!
This is quite bad, mainly if groups are defined to disallow users access.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: apport 1.20.1-0ubuntu5
ProcVersionSignature: Ubuntu 2.6.38-8.42-generic-pae 2.6.38.2
Uname: Linux 2.6.38-8-generic-pae i686
Architecture: i386
CrashReports:
 600:2023:2023:836713:2011-04-13 23:21:10.000000000 +0200:2011-04-13 23:21:08.000000000 +0200:/var/crash/_usr_bin_krb5-auth-dialog.2023.crash
 600:0:0:470392:2011-04-08 11:44:16.000000000 +0200:2011-04-08 11:44:14.000000000 +0200:/var/crash/_usr_sbin_usbipd.0.crash
 600:0:0:19236:2011-04-07 21:07:28.000000000 +0200:2011-04-07 21:07:27.000000000 +0200:/var/crash/_usr_bin_wdm.0.crash
Date: Wed Apr 27 10:54:09 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release i386 (20100427)
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/zsh
SourcePackage: apport
UpgradeStatus: Upgraded to natty on 2011-02-03 (82 days ago)

Revision history for this message
Thomas Schweikle (tps) wrote :

It was necessary to submit this bug with a "dummy" package, because it was not possible to give apport the correct package name. It just told over and over again about "unknown package".

The bug has been active since yesterday, 26th April 2011. We first noticed this bug on 27th April 2011.

We've found that it affects:
Ubuntu 10.04.2 LTS
Ubuntu 10.10
Ubuntu 11.04

It is a security vulnerability, if groups are used to disallow access.

affects: ubuntu → libnss-ldap (Ubuntu)
summary: - https://bugs.launchpad.net/ubuntu/+source/apport/+filebug/0daa4734-70ac-11e0-a32f-002481e7f48a?
+ /usr/bin/id does not show ldap groups
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

I am unmarking this as a security issue. If a user is a part of a group that is listed in getent, the user is supposed to be in that group and any DAC checks should be checking for that. The fact that id shows fewer groups is not a security issue -- the user should have fewer privileges than with the intended ldap groups.

Also, for a developer to help with this, please attach your pam configuration and nsswitch.conf as a start.

security vulnerability: yes → no
visibility: private → public
Changed in libnss-ldap (Ubuntu):
status: New → Incomplete
Revision history for this message
Thomas Schweikle (tps) wrote :

> The fact that id shows fewer groups is not a security issue
> -- the user should have fewer privileges than with the
> intended ldap groups.

This is only correct as long as belonging to a group grants additional rights. It is not correct any more if belonging to a group revokes rights. The user this way has, since he isn't seen in this particular group any more, additional rights he wouldn't have if he was part of the group in question. We're using such a scheme for trainees. They are part of the group, but being part of the group "trainee" revokes some rights they would have if they were not part of the group "trainee".

In our special case this doesn't matter: both groups are derived by ldap. Since pam doesn't question ldap any more for groups the user is in, rights are not granted and not revoked --- most people do not have any rights to do anything ... :-(

Revision history for this message
Thomas Schweikle (tps) wrote :

If I search ldap using "ldapsearch" I do get all defined groups and users. Accessing ldap via "getent (passwd|group)" I do again get all groups or users.
Using "id" does not give back all groups a user belongs to. The system behaves as if there are only local groups available.
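The comparison the reporter does by hand in the bug description and again in the comment above (groups listed by "getent group" versus groups shown by "id") can be scripted so the discrepancy is detected rather than noticed by chance. The script below is an added example and is not part of the bug report or of libnss-ldap; it assumes only getent(1) and id(1) from glibc/coreutils. It matters because the two commands take different paths through NSS: getent group enumerates the database with getgrent(), while id relies on getgrouplist()/initgroups(), which a module may serve through a separate initgroups_dyn entry point. When those paths disagree, access decisions made from the process group list (what id shows) will not match what the directory says.

```shell
#!/bin/sh
# Added example (not from the bug report or from libnss-ldap): compare the
# group membership that the NSS group database advertises for a user with
# the supplementary group list that id(1) actually receives. On an affected
# host the first list includes the LDAP groups and the second does not.
# Requires getent(1) and id(1); all other logic is plain POSIX sh and awk.

# groups_from_getent USER
#   Prints, space-separated and sorted, the user's primary group plus every
#   group whose member list names USER, as seen by getent (all NSS sources).
groups_from_getent() {
    _user=$1
    _gid=$(getent passwd "$_user" | cut -d: -f4)
    {
        getent group "$_gid" | cut -d: -f1
        getent group | awk -F: -v u="$_user" '
            { n = split($4, m, ",")
              for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
    } | sort -u | tr '\n' ' '
}

# groups_from_id USER
#   Prints, space-separated and sorted, the groups id(1) resolves for USER
#   (this is the list a login session would actually carry).
groups_from_id() {
    id -Gn "$1" | tr ' ' '\n' | sort -u | tr '\n' ' '
}

# missing_groups EXPECTED ACTUAL
#   Both arguments are space-separated group lists. Prints one line per group
#   that is in EXPECTED but not in ACTUAL; prints nothing when they agree.
missing_groups() {
    _actual=" $2 "
    for _g in $1; do
        case $_actual in
            *" $_g "*) ;;
            *) printf '%s\n' "$_g" ;;
        esac
    done
}

# check_user USER
#   Runs the live comparison. Returns 1 and lists the missing groups when
#   id(1) sees fewer groups than the NSS group database advertises.
check_user() {
    _missing=$(missing_groups "$(groups_from_getent "$1")" "$(groups_from_id "$1")")
    if [ -n "$_missing" ]; then
        printf 'groups visible to getent but missing from id for %s:\n%s\n' "$1" "$_missing"
        return 1
    fi
    printf 'getent and id agree on group membership for %s\n' "$1"
}

# Usage: sh check-id-groups.sh USER   (with no argument only the functions are defined)
if [ -n "${1-}" ]; then
    check_user "$1"
fi
```

Run it for an account that is in both local and directory groups after a fresh login; a non-empty "missing from id" list is the symptom the report describes, and a deny-style group (such as the reporter's "trainee" example) appearing in that list means the restriction is not being applied to that session.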

Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for libnss-ldap (Ubuntu) because there has been no activity for 60 days.]

Changed in libnss-ldap (Ubuntu):
status: Incomplete → Expired
Revision history for this message
Thomas Schweikle (tps) wrote :

It seems fixed since.

Revision history for this message
Thomas Schweikle (tps) wrote :

Bugreport can be closed.
