Fwd: Bug#552433: libnss-ldapd: ignores case of uids

Fwd: Bug#552433: libnss-ldapd: ignores case of uids

by Arthur de Jong-2

Dear stable release team,

A user reported a bug (#552433) against libnss-ldapd which causes some
problems and asked if a fix can be made available in a stable update.

I can probably backport the fix to version 0.6.7.1 but I wanted to know
if such a fix will be considered a candidate for proposed-updates before
putting in the effort.

I'm not 100% sure I completely agree with the severity but in a
multi-user system one user can "pollute" the nscd cache which causes
problems for another user, which is not good. A little more info is
in the bug report.

Btw, the commit that implements this functionality can be found here:
http://arthurdejong.org/viewvc/nss-pam-ldapd?view=rev&revision=934
I haven't tested yet if it applies correctly to 0.6.7.1 but it is not
very small (9 files changed, 133 insertions, 151 deletions, excluding
documentation and tests).

Thanks.

--
-- arthur - adejong@... - http://people.debian.org/~adejong --


Re: Fwd: Bug#552433: libnss-ldapd: ignores case of uids

by Petter Reinholdtsen


[Arthur de Jong]
> Dear stable release team,
>
> A user reported a bug (#552433) against libnss-ldapd which causes some
> problems and asked if a fix can be made available in a stable update.
>
> I can probably backport the fix to version 0.6.7.1 but I wanted to know
> if such a fix will be considered a candidate for proposed-updates before
> putting in the effort.

I really hope you find time to fix this in Lenny, as it affects Debian
Edu.  The issue is also a security issue, where users can by-pass
netgroup based limitations by changing the case of the username they use
when logging in.  See
<URL: http://bugs.skolelinux.org/show_bug.cgi?id=1383 > for more
information about that facet of this problem.

Happy hacking,
--
Petter Reinholdtsen


--
To UNSUBSCRIBE, email to debian-release-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Re: Bug#552433: Fwd: Bug#552433: libnss-ldapd: ignores case of uids

by Arthur de Jong-2

On Thu, 2009-11-05 at 17:32 +0100, Petter Reinholdtsen wrote:
> I really hope you find time to fix this in Lenny, as it affects Debian
> Edu.  The issue is also a security issue, where users can by-pass
> netgroup based limitations by changing the case of the username they use
> when logging in.  See
> <URL: http://bugs.skolelinux.org/show_bug.cgi?id=1383 > for more
> information about that facet of this problem.

Thanks for pointing this out and providing the link. I will contact the
security team and prepare an update.

It is strange though that the group membership is lost because I would
think those lookups would also be case-insensitive. I noticed the
case-insensitive problem before (that's why it's fixed in 0.6.11) but
not the group-membership problem.

--
-- arthur - adejong@... - http://people.debian.org/~adejong --


Re: Bug#552433: Fwd: Bug#552433: libnss-ldapd: ignores case of uids

by Petter Reinholdtsen

[Arthur de Jong]
> Thanks for pointing this out and providing the link. I will contact
> the security team and prepare an update.

Great. :)

> It is strange though that the group membership is lost because I
> would think those lookups would also be case-insensitive. I noticed
> the case-insensitive problem before (that's why it's fixed in
> 0.6.11) but not the group-membership problem.

Netgroup membership is associated with username strings in the
netgroup objects, so I guess a string compare is the cause of the
group problem.

Happy hacking,
--
Petter Reinholdtsen
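
The mismatch Petter describes, as an added C example that is not code from nss-pam-ldapd or the Debian packages: a constructed directory whose uid attribute is matched case-insensitively (as LDAP's caseIgnoreMatch does), a constructed netgroup whose user field is compared with a plain strcmp, and a strict lookup that only accepts an entry whose stored uid equals the requested name byte for byte. The strict lookup is one possible hardening assumed here for illustration, not necessarily the change made in 0.6.11.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample directory: uid values as stored in LDAP. */
struct user { const char *uid; const char *home; };
static const struct user directory[] = {
    {"alice", "/home/alice"},
    {"bob",   "/home/bob"},
};

/* Constructed netgroup: the user field of each (host,user,domain) triple. */
static const char *staff_netgroup[] = {"alice", NULL};

/* User lookup: LDAP's uid attribute uses caseIgnoreMatch, so a search for
 * "Alice" returns the entry whose stored uid is "alice". */
static const struct user *ldap_lookup(const char *name) {
    for (size_t i = 0; i < sizeof directory / sizeof directory[0]; i++)
        if (strcasecmp(directory[i].uid, name) == 0)
            return &directory[i];
    return NULL;
}

/* Netgroup membership: a byte-wise compare of the requested name against
 * the user strings in the netgroup, so "Alice" is not a member even though
 * the directory resolved that spelling to alice's account. */
static int in_netgroup(const char **ng, const char *name) {
    for (; *ng != NULL; ng++)
        if (strcmp(*ng, name) == 0)
            return 1;
    return 0;
}

/* Hardened lookup (assumed mitigation): accept the directory entry only if
 * its stored uid is exactly the name requested, so nscd, the netgroup
 * check and the login session all see one spelling of the account name. */
static const struct user *strict_lookup(const char *name) {
    const struct user *u = ldap_lookup(name);
    if (u == NULL || strcmp(u->uid, name) != 0)
        return NULL;
    return u;
}

int main(void) {
    const char *names[] = {"alice", "Alice"};
    for (int i = 0; i < 2; i++)
        printf("%s: netgroup=%d strict=%s\n", names[i],
               in_netgroup(staff_netgroup, names[i]),
               strict_lookup(names[i]) ? "found" : "rejected");
    return 0;
}
```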
