From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Jun 25 16:43:36 2007
X-Original-To: freebsd-ports-bugs@FreeBSD.org
Delivered-To: freebsd-ports-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D065B16A46C; Mon, 25 Jun 2007 16:43:36 +0000 (UTC) (envelope-from pwolfe@employease.com)
Received: from smailbox.eease.com (smailbox.eease.com [209.168.243.64]) by mx1.freebsd.org (Postfix) with ESMTP id A1B9413C45D; Mon, 25 Jun 2007 16:43:36 +0000 (UTC) (envelope-from pwolfe@employease.com)
Received: from [10.0.0.25] (deuce.tek.eease.com [10.0.0.25]) (authenticated bits=0) by smailbox.eease.com (8.13.8/8.13.8) with ESMTP id l5PGAxf9014421 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 25 Jun 2007 12:11:01 -0400 (EDT) (envelope-from pwolfe@employease.com)
Message-ID: <467FE910.9060708@employease.com>
Date: Mon, 25 Jun 2007 12:10:56 -0400
From: Patrick Wolfe
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)
MIME-Version: 1.0
To: Tom McLaughlin
References: <200706251524.l5PFOkaq024422@freefall.freebsd.org>
In-Reply-To: <200706251524.l5PFOkaq024422@freefall.freebsd.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/101275: bug fixed in sudo that prevented use in LDAP user account environment
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Ports bug reports
X-List-Received-Date: Mon, 25 Jun 2007 16:43:36 -0000

Our environment is a mixture of FreeBSD 5, FreeBSD 6 and CentOS 4 systems, running unmodified pam_ldap, nss_ldap, and a modified sudo 1.6.8p12. All user accounts are stored in openldap.
On FreeBSD, I compiled and installed the ports version of sudo (v1.6.8p12 with the LDAP support option enabled), and for some ldap users, sudo works for a short period of time, but for most users, running "sudo -i" prompts for a password, then results in:

    sudo: uid does not exist in the passwd file!

Running the CentOS supplied sudo binary as "sudo -i", I get prompted for my password, then am informed:

    is not in the sudoers file. This incident will be reported.

I believe this is because the CentOS supplied sudo does not include LDAP support. If I compile sudo 1.6.8p12 without modifying it, I get the same failure as on FreeBSD (uid # does not exist in the passwd file!).

sudo appears to be calling the standard getpwuid() system call, which does utilize nss_ldap and should find the LDAP users. I put debug code in that calls getpwuid(getuid()) and fprintf() to display the result, and I learned that after the environment is cleared, the getpwuid() fails. For some reason, running a simple getpwuid(getuid()) BEFORE the environment is cleared works around the issue (I guess that info is fetched and buffered for later calls to use).

This same fix worked on both CentOS and FreeBSD (on 64-bit amd64 boxes, but not 32-bit i386 boxes - puzzling).

The 1.6.9b1 version I tried did not have this problem. It did have other problems, which prevent me from installing it on production machines. I will try it again on my test systems, so I can report any bugs I find.

Tom McLaughlin wrote:
> Synopsis: bug fixed in sudo that prevented use in LDAP user account environment
>
> State-Changed-From-To: open->feedback
> State-Changed-By: tmclaugh
> State-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> State-Changed-Why:
> I'm hesitant to commit this patch only because I've been using sudo
> with ldap users without problems. (Other than a known issue with group
> based permissions and nsswitch.) The only difference is I don't use
> pam_ldap at all. Can you give me a little more info about your setup?
> Are you using a pam file for sudo? Have you made any changes to the
> port's OPTIONS from the defaults?
>
> There is a change in the unreleased SUDO_1_6_9 branch to do something
> similar here:
>
> http://www.sudo.ws/cgi-bin/cvsweb/sudo/sudo.c.diff?r1=1.369.2.6&r2=1.369.2.7&only_with_tag=SUDO_1_6_9&f=h
>
> But before adding that patch I'd like to confirm what the problem is
> first.
>
>
> Responsible-Changed-From-To: freebsd-ports-bugs->tmclaugh
> Responsible-Changed-By: tmclaugh
> Responsible-Changed-When: Mon Jun 25 15:01:06 UTC 2007
> Responsible-Changed-Why:
> I'm hesitant to commit this patch only because I've been using sudo
> with ldap users without problems. (Other than a known issue with group
> based permissions and nsswitch.) The only difference is I don't use
> pam_ldap at all. Can you give me a little more info about your setup?
> Are you using a pam file for sudo? Have you made any changes to the
> port's OPTIONS from the defaults?
>
> There is a change in the unreleased SUDO_1_6_9 branch to do something
> similar here:
>
> http://www.sudo.ws/cgi-bin/cvsweb/sudo/sudo.c.diff?r1=1.369.2.6&r2=1.369.2.7&only_with_tag=SUDO_1_6_9&f=h
>
> But before adding that patch I'd like to confirm what the problem is
> first.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=101275

-- 
Patrick Wolfe (patrick.wolfe@employease.com)
Production Engineer, ADP Employease
office: 770-325-7724
mobile: 404-213-1453
fax: 770-325-7702
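The report above hinges on one observable: getpwuid(getuid()) succeeds before sudo empties the environment and fails afterwards, unless an earlier lookup has already primed NSS. The following standalone C program is an added diagnostic for reproducing exactly that on a host, written for this page; it is neither Patrick's debug patch nor any part of sudo. It assumes only POSIX fork/waitpid and the `environ` convention. The "cold" lookup runs in a forked child that clears the environment before its first NSS call, so a cache warmed in the parent cannot help it; the "primed" lookup does the workaround the report describes (one getpwuid() before clearing, one after). The environment is cleared by pointing `environ` at an empty vector, which is portable to FreeBSD (no clearenv()) and is the same effect sudo 1.6 has on the process.

```c
/*
 * Added diagnostic (not from this thread or from sudo): does getpwuid()
 * still resolve the calling uid once the environment has been cleared
 * the way sudo 1.6 clears it?  Two lookups are compared:
 *   cold:   clear first, then the process's first-ever getpwuid(), in a
 *           forked child so no earlier NSS call can have warmed a cache
 *   primed: getpwuid() once before clearing and again after, in this
 *           process (the workaround described in the PR)
 */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Portable equivalent of what sudo does: point environ at an empty
 * vector.  clearenv() is avoided because FreeBSD does not provide it. */
static void clear_environment(void)
{
    static char *empty_env[] = { NULL };
    environ = empty_env;
}

/* 1 if getpwuid(getuid()) resolves through NSS, else 0. */
static int self_resolves(void)
{
    return getpwuid(getuid()) != NULL;
}

/* Prime NSS with one lookup, clear the environment, look up again.
 * The caller's environment is restored before returning. */
int primed_lookup_after_clear(void)
{
    char **saved = environ;
    int found;

    (void)self_resolves();      /* the PR's workaround: fetch before clearing */
    clear_environment();
    found = self_resolves();
    environ = saved;
    return found;
}

/* First-ever lookup after the environment is cleared, done in a child
 * so the parent's NSS state cannot help.  Returns 1 or 0, or -1 if
 * fork/waitpid fails; a child that crashes inside NSS counts as 0. */
int cold_lookup_after_clear(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        clear_environment();
        _exit(self_resolves() ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Verdict strings:
 *   "ok"          both succeed: uid resolution does not depend on the environment
 *   "needs-prime" only the primed lookup succeeds: the symptom in this PR
 *   "broken"      neither succeeds: the uid is not resolvable at all
 *   "unexpected"  cold succeeds but primed fails, or fork failed
 * The cold lookup must run first, before this process has ever called
 * getpwuid(), otherwise the child inherits a warmed parent. */
const char *diagnose(void)
{
    int cold = cold_lookup_after_clear();
    int primed = primed_lookup_after_clear();

    if (cold == 1 && primed == 1) return "ok";
    if (cold == 0 && primed == 1) return "needs-prime";
    if (cold == 0 && primed == 0) return "broken";
    return "unexpected";
}

int main(void)
{
    printf("uid %lu: %s\n", (unsigned long)getuid(), diagnose());
    return 0;
}
```

Run it as an LDAP-backed user on each host class in question (FreeBSD i386, FreeBSD amd64, CentOS): "needs-prime" is the behaviour the report attributes to sudo 1.6.8p12 with LDAP support, and "ok" means the getpwuid()-before-clearing patch makes no difference on that box.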