ports/101275: bug fixed in sudo that prevented use in LDAP user account environment
Patrick Wolfe
pwolfe at employease.com
Mon Jun 25 16:43:36 UTC 2007
Our environment is a mixture of FreeBSD 5, FreeBSD 6 and CentOS 4
systems, running unmodified pam_ldap, nss_ldap, and a modified sudo
1.6.8p12. All user accounts are stored in openldap.
On FreeBSD, I compiled and installed the ports version of sudo
(v1.6.8p12 with LDAP support option enabled), and for some ldap users,
sudo works for a short period of time, but for most users, running "sudo
-i" prompts for a password, then results in:
sudo: uid <myuidnumber> does not exist in the passwd file!
Running the CentOS supplied sudo binary as "sudo -i", I get prompted for
my password, then am informed:
<loginid> is not in the sudoers file. This incident will be reported.
I believe this is because the CentOS supplied sudo does not include LDAP
support. If I compile sudo 1.6.8p12 without modifying it, I get the
same failure as FreeBSD (uid # does not exist in the passwd file!)
sudo appears to be calling the standard getpwuid() system call, which
does utilize nss_ldap and should find the LDAP users. I put debug code
in that calls getpwuid(getuid()) and fprintf() to display the result,
and I learned that after the environment is cleared, the getpwuid() fails.
For some reason, running a simple getpwuid(getuid()) BEFORE the
environment is cleared works around the issue (I guess that info is
fetched and buffered for later calls to use). This same fix worked on
both CentOS and FreeBSD (on 64-bit amd64 boxes, but not 32-bit i386
boxes - puzzling).
The 1.6.9b1 version I tried did not have this problem. It did have
other problems, which prevent me from installing it on production
machines. I will try it again on my test systems, so I can report any
bugs I find.
Tom McLaughlin wrote:
> Synopsis: bug fixed in sudo that prevented use in LDAP user account environment
>
> State-Changed-From-To: open->feedback
> State-Changed-By: tmclaugh
> State-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> State-Changed-Why:
> I'm hesitant to commit this patch only because I've been using sudo
> with ldap users without problems. (Other than a known issue with group
> based permissions and nsswitch.) The only difference is I don't use
> pam_ldap at all. Can you give me a little more info about your setup?
> Are you using a pam file for sudo? Have you made any changes to the
> port's OPTIONS from the defaults?
>
> There is a change in the unreleased SUDO_1_6_9 branch to do something
> similar here:
>
> http://www.sudo.ws/cgi-bin/cvsweb/sudo/sudo.c.diff?r1=1.369.2.6&r2=1.369.2.7&only_with_tag=SUDO_1_6_9&f=h
>
> But before adding that patch I'd like to confirm what the problem is
> first.
>
>
> Responsible-Changed-From-To: freebsd-ports-bugs->tmclaugh
> Responsible-Changed-By: tmclaugh
> Responsible-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> Responsible-Changed-Why:
> I'm hesitant to commit this patch only because I've been using sudo
> with ldap users without problems. (Other than a known issue with group
> based permissions and nsswitch.) The only difference is I don't use
> pam_ldap at all. Can you give me a little more info about your setup?
> Are you using a pam file for sudo? Have you made any changes to the
> port's OPTIONS from the defaults?
>
> There is a change in the unreleased SUDO_1_6_9 branch to do something
> similar here:
>
> http://www.sudo.ws/cgi-bin/cvsweb/sudo/sudo.c.diff?r1=1.369.2.6&r2=1.369.2.7&only_with_tag=SUDO_1_6_9&f=h
>
> But before adding that patch I'd like to confirm what the problem is
> first.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=101275
--
Patrick Wolfe (patrick.wolfe at employease.com)
Production Engineer, ADP Employease
office: 770-325-7724
mobile: 404-213-1453
fax: 770-325-7702
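An added diagnostic in C, not sudo's code and not the patch attached to the PR, that reproduces the test Patrick describes: it looks up the calling uid with getpwuid(getuid()), clears the environment the way sudo does, and repeats the lookup, optionally with the "priming" call before the clear that he reports as the workaround. The empty environment is emulated by pointing environ at an empty vector (an assumption about how the clear is done; sudo's own routine is not reused here).

```c
/* Probe whether getpwuid(getuid()) still works after the environment
 * is cleared, with or without a priming lookup beforehand. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

extern char **environ;
static char *empty_env[] = { NULL };   /* stand-in for sudo's cleared environment */

/* Result codes returned by probe_lookup(). */
enum probe_result {
    PROBE_OK = 0,             /* lookup after the clear succeeds */
    PROBE_FAILS_AFTER_CLEAR,  /* the symptom reported in the message */
    PROBE_NO_ENTRY_AT_ALL     /* this uid has no passwd entry even with env intact */
};

/* Copy the name out, since getpwuid() returns a static buffer. */
static int lookup_self(char *name, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL)
        return 0;
    snprintf(name, len, "%s", pw->pw_name);
    return 1;
}

/* prime != 0: perform the extra getpwuid() before the environment is cleared. */
enum probe_result probe_lookup(int prime) {
    char name[256] = "";
    char **saved = environ;
    if (prime && !lookup_self(name, sizeof name))
        return PROBE_NO_ENTRY_AT_ALL;
    environ = empty_env;                     /* clear the environment like sudo */
    int ok = lookup_self(name, sizeof name);
    environ = saved;                         /* restore so the probe is repeatable */
    if (ok)
        return PROBE_OK;
    /* Distinguish "broken by the clear" from "no entry at all". */
    return lookup_self(name, sizeof name) ? PROBE_FAILS_AFTER_CLEAR
                                          : PROBE_NO_ENTRY_AT_ALL;
}

int main(void) {
    const char *label[] = { "lookup after clear works",
                            "uid lookup fails once the environment is cleared",
                            "no passwd entry for this uid at all" };
    printf("without priming: %s\n", label[probe_lookup(0)]);
    printf("with priming:    %s\n", label[probe_lookup(1)]);
    return 0;
}
```

On a host that resolves users from the local passwd file both probes report the same result; the message's symptom would show as the unprimed probe failing while the primed one succeeds.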