apt: segmentation fault [ubuntu 8.04]
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sudo (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
admin_user=$(getent group admin|cut -d: -f4|cut -d, -f1)
sudo -u "$admin_user" echo "dd"
Segmentation fault
for example:
sudo -u rafal echo "dd"
Segmentation fault
/etc/cron.daily# ./apt
a1
a2
a3
a4
a5
a5a
Segmentation fault
Segmentation fault
Segmentation fault
a6
"/etc/cron.
echo "a5a"
if [ -n "$admin_user" ] && [ -x /usr/bin/sudo ] && [ -z "$http_proxy" ] && [ -x /usr/bin/gconftool ]; then
use=$(sudo -u "$admin_user" gconftool --get /system/
host=$(sudo -u "$admin_user" gconftool --get /system/
port=$(sudo -u "$admin_user" gconftool --get /system/
if [ "$use" = "true" ] && [ -n "$host" ] && [ -n "$port" ]; then
export http_proxy="http://
fi
fi
echo "a6"
rafalm (rafalm1980) wrote : | #1 |
Arthur Archnix (arthur-archnix) wrote : | #2 |
I was attempting to update my Hardy system, and had just done "sudo apt-get update", then "sudo apt-get dist-upgrade". My internet connections dropped out while downloading packages. I could not sudo anything after that. All attempts to use sudo resulted in the error "Segmentation fault".
I rebooted into single user mode, did apt-get clean, apt-get update, apt-get dist-upgrade, and then rebooted. Sudo was still broken, and this was in my dmesg:
sudo[5357]: segfault at bf380a74 eip b7ea8b79 esp bf380a58 error
I then, just for kicks, rebooted into single user mode again and deleted everything in /var/cache /tmp /lost+found but that had no effect. I am no looking for the tires on this thing so I can kick them. I don't understand what the original bug report is saying, but it seems to be similar to my problem so I wanted to add this information.
If I can add more please let me know. I don't know how anyone could reproduce this, because I don't understand what has happened. Other than I was running apt at the time, I have no idea what has done this to sudo.
rafalm (rafalm1980) wrote : | #3 |
sudo -u rafal echo "a"
Segmentation fault
strace sudo -u rafal echo "a"
[...]
close(3) = 0
open("/
open("/
fstat64(3, {st_mode=
mmap2(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7ed4000
close(3)
open("/
open("/
fstat64(3, {st_mode=
mmap2(NULL, 254076, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7c55000
close(3) = 0
geteuid32() = 1000
write(2, "sudo: ", 6sudo: ) = 6
write(2, "must be setuid root", 19must be setuid root) = 19
write(2, "\n", 1
) = 1
exit_group(1) = ?
Process 9903 detached
Tom_OConnor (tom-twinhelix) wrote : | #4 |
open("/
fstat(6, {st_mode=
mmap(NULL, 74784, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f933043f000
close(6) = 0
access(
open("/
read(6, "\177ELF\
fstat(6, {st_mode=
mmap(NULL, 2209176, PROT_READ|
mprotect(
mmap(0x7f932dc4
mmap(0x7f932dc5
close(6) = 0
open("/
statfs("/selinux", 0x7fff385f3490) = -1 ENOENT (No such file or directory)
open("/
fstat(6, {st_mode=
mmap(NULL, 4096, PROT_READ|
read(6, "rootfs / rootfs rw 0 0\nnone /sys"..., 1024) = 1024
read(6, ",nodev,noexec 0 0\ntmpfs /var/run"..., 1024) = 545
read(6, "", 1024) = 0
close(6) = 0
munmap(
munmap(
read(5, "", 4096) = 0
close(5) = 0
munmap(
stat("/etc/pam.d", {st_mode=
open("/
fstat(5, {st_mode=
mmap(NULL, 4096, PROT_READ|
read(5, "#\n# /etc/pam.
read(5, "", 4096) = 0
close(5) = 0
munmap(
read(4, "", 4096) = 0
close(4) = 0
munmap(
open("/
fstat(4, {st_mode=
mmap(NULL, 4096, PROT_READ|
read(4, "#\n# /etc/pam.d/other - specify t"..., 4096) = 520
stat("/etc/pam.d", {st_mode=
open("/
fstat(5, {st_mode=
mmap(NULL, 4096, PROT_READ|
read(5, "#\n# /etc/pam.
read(5, "", 4096) = 0
close(5) = 0
munmap(
stat("/etc/pam.d", {st_mode=
open("/
fstat(5, {st_mode=
mmap(NULL, 4096, PROT_READ|
rea...
Tom_OConnor (tom-twinhelix) wrote : | #5 |
This only occurs on a system where the users' home directory is mounted on a remote server.
The result of the "admin_
With a working user, ie one with a true home directory:
stat("
getuid() = 0
With the non-working instuser user.
stat("/
And all subsequent system calls fail.
The process then exits with SIGSEGV.
After creating the home directory /home/instuser
strace shows:
stat("/
getuid()
and the process nolonger segfaults.
While this fixes the bug for me, I'm in two minds over whether a similar fix is a good idea for other users.
I'm not so convinced this is a bug at all.
Francis GUDIN (fgudin) wrote : | #6 |
Hi,
this is unrelated: my user's and the target user's home directories both exist locally, and neither are mounted from or exported to elsewhere.
Furthermore, sudo *should not segfault*: exceptional conditions must be handled properly. Especially when we talk about SUID to root programs.
--
Francis
Tom_OConnor (tom-twinhelix) wrote : | #7 |
Francis,
What command are you trying to get sudo to execute? are you specifiying a user to run as?
Can you provide any more information about the specifics of where you encounter the bug, environment, commands, strace,
is there anything in /var/log/syslog at the time of failure? Or in /var/log/auth.log too?
Francis GUDIN (fgudin) wrote : | #8 |
Tom,
I discovered the bug reading cron.daily/apt reports, in the same conditions as rafalm.
Until now, I didn't pay attention to those lines (they belong to auth.log):
Sep 10 11:54:31 pc07 sudo: pam_unix(
Sep 10 11:54:31 pc07 sudo: pam_mount(
Any command wrapped by "sudo -u another_user " segfaults, *except* when targetted at "-u root".
With these two clues, I tried to disable pam_mount temporarily: bingo! The culprit is the "hooking" of pam_mount.so from /etc/pam.
"session optional pam_mount.so"
Removing this entry alone works around the problem.
I don't know enough about PAM to investigate any further without help, though.
I guess you're also using PAM to mount the homedirs from NFS, aren't you ?
--
Francis
Tom_OConnor (tom-twinhelix) wrote : | #9 |
open("/
fstat(5, {st_mode=
mmap(NULL, 4096, PROT_READ|
5bce2d000
read(5, "#\n# /etc/pam.
open("/
Yeah, looks like that's the case on my system.
I also don't know enough about PAM, it's a bit too cryptic for me i think.
Good investigation Francis!
rafalm (rafalm1980) wrote : Re: [Bug 234727] Re: apt: segmentation fault [ubuntu 8.04] | #10 |
I have pam_mount + encrypted /home/user directory
Tom_OConnor wrote:
> Francis,
> What command are you trying to get sudo to execute? are you specifiying a user to run as?
> Can you provide any more information about the specifics of where you encounter the bug, environment, commands, strace,
> is there anything in /var/log/syslog at the time of failure? Or in /var/log/auth.log too?
>
Tom_OConnor (tom-twinhelix) wrote : | #11 |
getent group admin|cut -d: -f4|cut -d, -f1
On my system, returns 'instuser'
on my home system, returns 'tom'
This is the first user who set up the system, and this script automatically assumes that they're the first valid user in the admin group. I'm seeing this sudo error on systems where the local installation user, ie instuser; exists in a local context only, or not at all, and userdel has failed to remove them from the system.
that getent group command might not always return a valid user with a valid home directory.
D J Gardner (djgardner) wrote : | #12 |
On my system I can confirm the pam_mount link (encrypted dir), as sudo -u works fine for a normal user (no enc. directory), just not for me (with enc. directory). However: I've just run:
# ltrace sudo -u david ls
the last part is:
[cut]
setregid(-1, 1877, 2, 0xbfbba668, 0x806e2b0) = 0
vasprintf(
strlen("david") = 5
strlen("TTY=pts/2 ; PWD=/home/david ; US"...) = 58
openlog("sudo", 0, 80) = <void>
vsnprintf(" david : TTY=pts/2 ; PWD=/home"..., 961, "%8s : %s", 0xbfbba5e8) = 69
syslog(5, "%s", " david : TTY=pts/2 ; PWD=/home"...) = <void>
closelog() = <void>
strlen("david") = 5
free(0x806e998) = <void>
umask(022) = 022
pam_start(
pam_set_
pam_set_
pam_set_
pam_set_
pam_setcred(
pam_open_
malloc(8) = 0x807d080
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
Now, what I see here is that there's a free() on a region that's then sent to pam_set_item, pam_setcred, and pam_open_session.
I'd guess this is a good place to look!
David
D J Gardner (djgardner) wrote : | #13 |
I wrote:
> Now, what I see here is that there's a free() on a region that's then sent to ....
Only it seems I can't read. 9d8 != 998 :-( Sorry. That's no help then!
:-(
David
D J Gardner (djgardner) wrote : | #14 |
- 1 line patch for sudo NULL reference checking Edit (581 bytes, text/plain)
I've tracked it down! Patch attached.
There's a call-back from pam_open_session to sudo_conv, and sudo_conv calls strncmp on a null pointer. If the user's not using something that pam_mount needs a password for, then there's no call, and so no crash.
Problem is, that solving this bug reveals another couple of issues, because using sudo -u to a user affected by pam_mount requires a password for the session.
1) This would allow pam_mount to mount something, but the session isn't handled fully in sudo - it's opened then immediatly closed. This probably means that there's no benefit to the program being run of getting that password in the first place, haven't confirmed this though.
2) It also means that every init/cron script that uses sudo -u to that user will ask for a password. This may not be useful!
David.
Martin Pitt (pitti) wrote : | #15 |
David, thanks for tracking this down. So it seems that there are really two independent issues here: (1) pam_verify() being called with a NULL prompt, triggering the crash; and (2) sudo -u not asking for the user's password in cases where you use libpam_mount? Or did you mean that sudo -u *does* ask for the password, but in vain, since it immediately closes the PAM session again (which would then be the real bug)?
BTW, using sudo in init scripts is not common practice or recommended at all. They should use su, and only to system users, which should not ever have an encrypted home directory. So I don't think that this bit is a problem.
Thanks for clarification! Once this is settled, this should be forwarded upstream (first the crash, which is easy enough, and then also your followup problem).
David Tomaschik (matir) wrote : | #16 |
As a related issue: I know that /etc/cron.daily/apt is trying to get http proxy information when it does this, but there really ought to be a mechanism that doesn't involve becoming a standard user to get this information. It's bad to assume that the first account has this information. It's also bad to become a user account, if that can be avoided. Does apt have its own proxy settings?
David Tomaschik (matir) wrote : | #17 |
This bug still persists in the Jaunty Alpha 4.
rafalm (rafalm1980) wrote : | #18 |
David Tomaschik wrote:
> This bug still persists in the Jaunty Alpha 4.
>
hardy also
Jan Engelhardt (jengelh) wrote : | #19 |
Tracked on http://
Lorenzo De Liso (blackz) wrote : | #20 |
Looks like this bug has been fixed since at least (about) Lucid Lynx. Feel free to reopen this bug report if you can still reproduce the problem.
Changed in sudo (Ubuntu): | |
status: | New → Fix Released |
Andy Brody (abrody) wrote : | #21 |
I can reproduce this bug with sudo 1.6.9p10-1ubuntu3.8 and a user whose home directory does not exist. It appears to happen only when sudo does not prompt for a password. It happens on several servers with similar configuration, but not on another 8.04.4 server that doesn't use ldap.
abrody@cato:~$ getent passwd nobody
nobody:
abrody@cato:~$ ls /nonexistent
ls: cannot access /nonexistent: No such file or directory
abrody@cato:~$ sudo -u nobody true
[sudo] password for abrody:
Creating directory '/nonexistent'.
Creating directory '/nonexistent/web'.
abrody@cato:~$ sudo rm -r /nonexistent/
abrody@cato:~$ sudo -u nobody true
Segmentation fault
abrody@cato:~$
# ltrace sudo -u nobody true
[snip]
free(0x629380) = <void>
umask(022) = 022
pam_start(0x41970a, 0x6221d0, 0x61eae0, 0x61eaf8, 0x629380) = 0
pam_set_
pam_set_
pam_set_
pam_set_
pam_setcred(
pam_open_
malloc(16) = 0x6298c0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
no comment