sudo stopped being able to authenticate after upgrade

Bug #27359 reported by Debian Bug Importer
Affects: sudo (Debian) | Status: Fix Released | Importance: Unknown
Affects: sudo (Ubuntu) | Status: Fix Released | Importance: High | Assigned to: Unassigned

Bug Description

Automatically imported from Debian bug report #344034 http://bugs.debian.org/344034

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 19 Dec 2005 12:05:39 -0300
From: Maximiliano Curia <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: sudo stopped being able to authenticate after upgrade

Package: sudo
Version: 1.6.8p9-4
Severity: grave
Justification: renders package unusable

After upgrade, sudo fails to authenticate in the same setup where it had
been working before.

sudo logs this to syslog:

Dec 19 11:50:01 localhost sudo: maxy : pam_authenticate: Authentication service cannot retrieve authentication info. ; TTY=pts/5 ; PWD=/home/maxy ; USER=root ; COMMAND=/usr/bin/aptitude

Doing a downgrade makes it work again.

I use ldap for authentication. I'm sending the sudo pam config files as an
attachment.

-- System Information:
Debian Release: testing/unstable
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-2-686
Locale: LANG=es_AR, LC_CTYPE=es_AR (charmap=ISO-8859-1)

Versions of packages sudo depends on:
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libldap2 2.1.30-12 OpenLDAP libraries
ii libpam-modules 0.79-3 Pluggable Authentication Modules f
ii libpam0g 0.79-3 Pluggable Authentication Modules l

sudo recommends no packages.

-- no debconf information

Attachment: common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so

Attachment: common-account

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#

account [success=1 default=ignore] pam_unix.so
account required pam_ldap.so
account required pam_permit.so
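
How the three auth lines of the attached common-auth resolve under libpam's control rules, as an added example that is not part of the original report or of the sudo or PAM sources. The per-module return codes are constructed inputs; `authinfo_unavail` stands for PAM_AUTHINFO_UNAVAIL, the code whose message text appears in the syslog line above, and which module returned it on the reporter's system is an assumption.

```python
import re

# Return-code names as they are written in PAM [value=action] controls.
SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL = "success", "auth_err", "authinfo_unavail"
PERM_DENIED = "perm_denied"  # label used here when no module gave a verdict

# The three auth lines from the common-auth attachment in this report.
COMMON_AUTH = """\
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_ldap.so use_first_pass
auth required pam_permit.so
"""

def parse(text):
    """Return a list of (control, module); every control becomes a dict."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        _type, control, module = re.match(
            r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        if control.startswith("["):
            control = dict(kv.split("=", 1) for kv in control[1:-1].split())
        elif control == "required":
            # 'required' is shorthand for this bracketed form
            control = {"success": "ok", "new_authtok_reqd": "ok",
                       "ignore": "ignore", "default": "bad"}
        else:
            raise ValueError("control not modelled here: " + control)
        stack.append((control, module))
    return stack

def evaluate(stack, results):
    """results maps module name -> return code (constructed input)."""
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        rc = results[module]
        action = control.get(rc, control.get("default", "bad"))
        if action.isdigit():
            i += int(action)      # jump: skip N modules, records no verdict
        elif action in ("ok", "bad"):
            if status in (None, SUCCESS):
                status = rc       # first failure sticks; the stack keeps running
        elif action != "ignore":
            raise ValueError("action not modelled here: " + action)
        i += 1
    return status or PERM_DENIED
```

A pam_unix success jumps over pam_ldap and only pam_permit supplies the verdict; any other pam_unix result is ignored, so pam_ldap's return code becomes the result of the whole stack.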


Bdale Garbee (bdale) wrote : Bug#344034: fixed in sudo 1.6.8p12-1

Source: sudo
Source-Version: 1.6.8p12-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.8p12-1_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.8p12-1_i386.deb
sudo_1.6.8p12-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p12-1.diff.gz
sudo_1.6.8p12-1.dsc
  to pool/main/s/sudo/sudo_1.6.8p12-1.dsc
sudo_1.6.8p12-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p12-1_i386.deb
sudo_1.6.8p12.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.8p12.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <email address hidden> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Wed, 28 Dec 2005 13:49:10 -0700
Source: sudo
Binary: sudo-ldap sudo
Architecture: source i386
Version: 1.6.8p12-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <email address hidden>
Changed-By: Bdale Garbee <email address hidden>
Description:
 sudo - Provide limited super user privileges to specific users
 sudo-ldap - Provide limited super user privileges to specific users
Closes: 342948 344034
Changes:
 sudo (1.6.8p12-1) unstable; urgency=low
 .
   * new upstream version, closes: #342948 (CVE-2005-4158)
   * add env_reset to the sudoers file we create if none already exists,
     as a further precaution in response to discussion about CVE-2005-4158
   * split ldap support into a new sudo-ldap package. I was trying to avoid
     doing this, but the impact of going from 4 to 17 linked shlibs on the
     autobuilder chroots is sufficient motivation for me.
     closes: #344034
Files:
 6a1f51b30730dbe9a2402814242c09e8 591 admin optional sudo_1.6.8p12-1.dsc
 b29893c06192df6230dd5f340f3badf5 585643 admin optional sudo_1.6.8p12.orig.tar.gz
 8df19a66299fd77fa2ec43e6d0802382 28480 admin optional sudo_1.6.8p12-1.diff.gz
 9b80d0af75066921391efd713375e73b 159792 admin optional sudo_1.6.8p12-1_i386.deb
 ed31f882ebec71b2d16095b8476232a3 172136 admin optional sudo-ldap_1.6.8p12-1_i386.deb


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 30 Dec 2005 09:10:31 -0800
From: Bdale Garbee <email address hidden>
To: <email address hidden>
Subject: Bug#344034: fixed in sudo 1.6.8p12-1

Martin Pitt (pitti) wrote :

We have the fixed version from Debian in Dapper.

Changed in sudo:
status: Unconfirmed → Fix Released

Peter Miller (pmiller-opensource) wrote :

This has popped up again in Ubuntu 8.04 Hardy Heron alpha 4, please track upstream asap.

Martin Pitt (pitti) wrote :

Peter, do you also use ldap? "please track upstream asap" -> does this indicate that this is fixed in a later sudo upstream version? In that case we should backport the fix. Anyway, can you please open a new bug for this with some more details? Thank you!

Peter Miller (pmiller-opensource) wrote : Re: [Bug 27359] Re: sudo stopped being able to authenticate after upgrade

On Mon, 2008-03-17 at 12:13 +0000, Martin Pitt wrote:
> Peter, do you also use ldap?

No.

> "please track upstream asap" -> does this
> indicate that this is fixed in a later sudo upstream version? In that
> case we should backport the fix. Anyway, can you please open a new bug
> for this with some more details? Thank you!

Close it as "cannot reproduce" because I no longer remember how I fixed
the problem. The Hardy sudo works just fine.

Regards
Peter Miller <email address hidden>
/\/\* http://miller.emu.id.au/pmiller/

PGP public key ID: 1024D/D0EDB64D
fingerprint = AD0A C5DF C426 4F03 5D53 2BDB 18D8 A4E2 D0ED B64D
See http://www.keyserver.net or any PGP keyserver for public key.

"Necessity is the mother of strange bedfellows."
