ports/101275: bug fixed in sudo that prevented use in LDAP user account environment

Patrick Wolfe pwolfe at employease.com
Mon Jun 25 16:43:36 UTC 2007


Our environment is a mixture of FreeBSD 5, FreeBSD 6 and CentOS 4 
systems, running unmodified pam_ldap, nss_ldap, and a modified sudo 
1.6.8p12.  All user accounts are stored in openldap.

On FreeBSD, I compiled and installed the ports version of sudo 
(v1.6.8p12 with LDAP support option enabled), and for some ldap users, 
sudo works for a short period of time, but for most users, running "sudo 
-i" prompts for a password, then results in:

sudo: uid <myuidnumber> does not exist in the passwd file!

Running the CentOS supplied sudo binary as "sudo -i", I get prompted for 
my password, then am informed:

<loginid> is not in the sudoers file.  This incident will be reported.

I believe this is because the CentOS supplied sudo does not include LDAP 
support.  If I compile sudo 1.6.8p12 without modifying it, I get the 
same failure as FreeBSD (uid # does not exist in the passwd file!).

sudo appears to be calling the standard getpwuid() system call, which 
does utilize nss_ldap and should find the LDAP users.  I put debug code 
in that calls getpwuid(getuid()) and fprintf() to display the result, 
and I learned that after the environment is cleared, the getpwuid() fails.

For some reason, running a simple getpwuid(getuid()) BEFORE the 
environment is cleared, works around the issue (I guess that info is 
fetched and buffered for later calls to use).  This same fix worked on 
both CentOS and FreeBSD (on 64-bit amd64 boxes, but not 32-bit i386 
boxes - puzzling).

The 1.6.9b1 version I tried did not have this problem.  It did have 
other problems, which prevent me from installing it on production 
machines.  I will try it again on my test systems, so I can report any 
bugs I find.



Tom McLaughlin wrote:
> Synopsis: bug fixed in sudo that prevented use in LDAP user account environment
> 
> State-Changed-From-To: open->feedback
> State-Changed-By: tmclaugh
> State-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> State-Changed-Why: 
> I'm hesitant to commit this patch only because I've been using sudo
> with ldap users without problems.  (Other than a known issue with group
> based permissions and nsswitch.)  The only difference is I don't use
> pam_ldap at all.  Can you give me a little more info about your setup?
> Are you using a pam file for sudo?  Have you made any changes to the
> port's OPTIONS from the defaults?
> 
> There is a change in the unreleased SUDO_1_6_9 branch to do something
> similar here:
> 
> http://www.sudo.ws/cgi-bin/cvsweb/sudo/sudo.c.diff?r1=1.369.2.6&r2=1.369.2.7&only_with_tag=SUDO_1_6_9&f=h
> 
> But before adding that patch I'd like to confirm what the problem is
> first.
> 
> 
> Responsible-Changed-From-To: freebsd-ports-bugs->tmclaugh
> Responsible-Changed-By: tmclaugh
> Responsible-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> Responsible-Changed-Why: 
> 
> http://www.freebsd.org/cgi/query-pr.cgi?pr=101275


-- 

Patrick Wolfe (patrick.wolfe at employease.com)
Production Engineer, ADP Employease

office: 770-325-7724
mobile: 404-213-1453
fax:    770-325-7702
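The ordering the report describes (resolve the invoking user with getpwuid() before the environment is cleared, and keep a private copy rather than relying on a later lookup) as an added example; this is not code from sudo or from the report. The struct and function names are hypothetical, and the example drops the environment wholesale where sudo keeps an allow-list.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Private copy of the passwd fields needed later: getpwuid() hands back
 * a static buffer that any later NSS call (user or group) may overwrite. */
struct saved_user {
    uid_t uid;
    gid_t gid;
    char  name[64];
};

/* Resolve the invoking user while the environment is still intact.
 * Returns 0 on success, -1 when the uid has no passwd entry. */
int save_invoking_user(struct saved_user *out) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    memset(out, 0, sizeof *out);
    if (getpwuid_r(getuid(), &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    out->uid = pw.pw_uid;
    out->gid = pw.pw_gid;
    snprintf(out->name, sizeof out->name, "%s", pw.pw_name);
    return 0;
}

/* Sanitize the environment the way a setuid tool does, then retry a
 * fresh lookup. Returns 1 if getpwuid() still resolves the caller,
 * 0 if it no longer does (the failure the report sees with nss_ldap). */
int lookup_still_works_after_clear(void) {
    static char *empty[] = { NULL };
    char **saved = environ;
    environ = empty;
    int ok = (getpwuid(getuid()) != NULL);
    environ = saved;                 /* restore so the caller is unaffected */
    return ok;
}

int main(void) {
    struct saved_user me;
    if (save_invoking_user(&me) != 0)
        return 1;                    /* "uid N does not exist in the passwd file!" */
    printf("%s resolved before clearing; fresh lookup after: %s\n",
           me.name, lookup_still_works_after_clear() ? "ok" : "FAILED");
    return 0;
}
```

Whether the second lookup succeeds depends on the NSS backend; with local files it does, and the copy saved by the first call is what keeps the privileged path independent of that answer.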
