Date:      Wed, 2 Aug 2006 18:21:52 GMT
From:      Patrick Wolfe <pwolfe@employease.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   i386/101275: bug fixed in sudo that prevented use in LDAP user account environment
Message-ID:  <200608021821.k72ILqdv021399@www.freebsd.org>
Resent-Message-ID: <200608021830.k72IUH3d080300@freefall.freebsd.org>

>Number:         101275
>Category:       i386
>Synopsis:       bug fixed in sudo that prevented use in LDAP user account environment
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 02 18:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Wolfe
>Release:        6.1
>Organization:
Employease Inc
>Environment:
FreeBSD kobe.tek.eease.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May  7 04:42:56 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
>Description:
Our network uses LDAP login authentication.  It's working fine on CentOS 4.3,
FreeBSD 5.4 and FreeBSD 6.1, except on the FreeBSD boxes, sudo V1.6.8p12 (from
the ports tree) only works if the user has an entry in the local password file.
LDAP accounts get the error message "uid ##### does not exist in the passwd file".

I did some troubleshooting, and discovered that if I comment out line 174 of file sudo.c (environ = zero_env(envp);) sudo works for ldap accounts.

I searched for the use of "environ" variable, and learned that line 174 of sudo.c, "environ = zero_env(envp);", is not needed at all, since the value of environ is never used before it's reassigned later at line 414.

I have reported this to the SUDO maintainers as well, but thought the FreeBSD ports maintainers and any other FREEBSD/LDAP users might like to know about this fix as well.

Attached is a simple patch to fix the problem.


>How-To-Repeat:
- configure a FreeBSD box to use pam_ldap and nss_ldap for centralized network account management
- login to said box using an account that is defined in LDAP database, NOT in the local /etc/passwd file.
- attempt to run "sudo"
- stare in amazement when sudo reports your uid is not found in /etc/passwd (well DUH!)

>Fix:
Apply this patch

*** sudo.c.orig Wed Aug  2 14:13:27 2006
--- sudo.c      Wed Aug  2 14:18:17 2006
***************
*** 171,177 ****
  #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */

      /* Zero out the environment. */
!     environ = zero_env(envp);

      if (geteuid() != 0)
        errx(1, "must be setuid root");
--- 171,183 ----
  #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */

      /* Zero out the environment. */
!     /*
!      * after the call to zero_env, all later calls to
!      * getpwuid(getuid()) are broken for NON-LOCAL accounts,
!      * and besides that, the value assigned to environ is NEVER USED.
!      * ... pjw 2006-08-02
!      */
!     /*environ = zero_env(envp);*/

      if (geteuid() != 0)
        errx(1, "must be setuid root");
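Review bot: removing the `environ = zero_env(envp);` call takes sudo's environment sanitization out of a setuid-root program, and the justification given in the new comment ("the value assigned to environ is NEVER USED") does not hold: `environ` is the process-wide environment, so even if sudo itself never reads the variable by name before the reassignment at line 414, every getenv() and every library routine called in between (PAM, and the nss_ldap resolver behind getpwuid()) sees whatever the invoking user supplied. That window is precisely what zero_env() is there to close. The symptom reported here suggests the NSS module depends on something the cleared environment no longer provides; the safer change is to identify which variable getpwuid() needs for non-local accounts and carry it over into the sanitized environment (or restore it right after zero_env()), leaving the reset in place. Separately, delete the line instead of leaving it commented out with a dated sign-off in the source; the rationale belongs in the commit message or this PR.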

>Release-Note:
>Audit-Trail:
>Unformatted: