I am using LDAP authentication on my Ubuntu 11.10 server. I installed libpam-ldap, and configured things accordingly. It works great, except that I get this error every once in a while when I try to sudo:
sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
I know I have sudoers set up correctly, since it works most of the time. It's not just my login either; others have the same problem when I have it. When this error is occurring, I can't ssh in with my regular system user at all. When I sign in directly, I can't get any gnome-terminal to start.
Once I restart the server, the problem goes away. 'Course, that's not a solution, if it was a prod server, I'd be in trouble.
How do I fix this?
Edit 3/1/12: I just figured out that if I stop and start the nscd service, the problem goes away.
service nscd stop
service nscd start
Not much of a solution since I have to be logged into the server directly, not via ssh.
This is a known bug that was introduced when Debian (and therefore Ubuntu) switched from using OpenSSL to GnuTLS with OpenLDAP because of the licensing difficulties with OpenSSL. The problem is with the way libgcrypt (the current crypto backend for GnuTLS) initializes. The problem has been around since Ubuntu 9.10 and hasn't really been addressed because upstream GnuTLS is switching from libgcrypt (which evidently has other problems as well) to libnettle. Until this change makes it downstream, there are three possible workarounds, all of which are enumerated in the bug report above:

1. Compile libgnutls26 from source to use libnettle instead of libgcrypt.
2. Compile libldap from source to use openssl instead of gnutls26.
3. Use libnss-ldapd instead of libnss-ldap. This has several variations. First, use libpam-ldap, which pulls in libnss-ldap as a dependency, which makes configuration complicated. And second, use libpam-ldapd, which is not complete. It especially lacks all the pam_* configurations which allow limiting subsets of users. In order to overcome this deficiency you could use the nssov overlay with slapd, but this is not included in slapd with Ubuntu (so you would need to compile from source). libpam-ldapd uses the nslcd daemon to handle the LDAP lookups; it therefore uses /etc/nslcd.conf instead of /etc/ldap for configuration. Of particular note, you could use pam_authz_search to restrict authorization. See man nslcd.conf for details. There is also a pretty good howto here, and here if you need to configure startTLS.

UPDATE: As of 5/29/2012 a bug fix was available in the proposed repository for Lucid, Natty, and Oneiric. This fixed the issues with LDAP logins; however, as of 9/6/2012 this new patch has been shown to break other packages[1], and has been removed. Also, as documented in this bug, the workaround using nscd no longer works at all. This is an unfortunate regression, and worse, the problem isn't really fixed in Precise and Quantal. Ultimately, the only real fix is to ditch libgcrypt11 in favor of libnettle4. The newer libgnutls28 in Precise and Quantal already does this, but libldap still uses libgnutls26. The instructions to compile libgnutls26 from source are explained in comments 22, 23, and 24 in this bug report. But the instructions seem to only work for Precise.

An insecure measure: disable SSL
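As an added illustration of the libnss-ldapd variant described in the answer above (this is not part of the original answer or of the nss-pam-ldapd project's own documentation), here is an /etc/nslcd.conf fragment that enables startTLS with certificate checking and uses pam_authz_search to limit which LDAP users may log in. The server name, base DN, CA bundle path and the use of a "host" attribute on user entries are assumptions for the example; check man nslcd.conf on the installed version, since option names differ between releases.

```conf
# /etc/nslcd.conf (added example; uri, base and paths are placeholders)
uid nslcd
gid nslcd

# Directory to query (assumed values)
uri ldap://ldap.example.com/
base dc=example,dc=com

# Talk to the server over STARTTLS and insist on a valid certificate.
# The weak setting would be "tls_reqcert never", which accepts any
# certificate (including one presented by a man-in-the-middle);
# "demand" refuses the connection unless the server certificate chains
# to a CA listed in tls_cacertfile.
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# Authorization search run after a successful bind. nslcd substitutes
# $username and $hostname; if the search returns no entry the login is
# refused. Here a user must be a posixAccount and either name this host
# in a "host" attribute or carry the literal value host=* (the asterisk
# is escaped so it is matched literally rather than as a wildcard).
pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=\*)))
```

After editing the file, restart nslcd (service nslcd restart) and confirm with getent passwd <user> that lookups still resolve; then test a login for an account that does and does not satisfy the filter, since a filter typo tends to fail closed and lock everyone out. pam_authz_search only takes effect for services that use pam_ldap from nss-pam-ldapd in their PAM stack, so a user denied by the filter will still resolve via getent; the denial happens at login, not at name lookup.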