sudo-ldap segfaults in 14.04 if ldap is being used

Bug #1327268 reported by Raubvogel
This bug affects 1 person
Affects: sudo (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

NOTE: I was asked in https://answers.launchpad.net/ubuntu/+source/sudo/+question/249819 to report this as a bug.

raub@testfirewall:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
raub@testfirewall:~$ uname -a
Linux testfirewall 3.13.0-27-generic #50-Ubuntu SMP Thu May 15 18:06:16 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
raub@testfirewall:~$

Before upgrading to 14.04, I had been using sudo-ldap so network admins can do some work. However, in 14.04, I am seeing

raub@testfirewall:~$ sudo pwd
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://kdc.domain.com ldap://kdc2.domain.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=domain,dc=com
sudo: binddn (anonymous)
sudo: bindpw (anonymous)
sudo: bind_timelimit 3
sudo: timelimit 3
sudo: deref 0
sudo: ssl start_tls
sudo: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
sudo: use_sasl yes
sudo: sasl_auth_id (NONE)
sudo: rootuse_sasl -1
sudo: rootsasl_auth_id (NONE)
sudo: sasl_secprops (NONE)
sudo: krb5_ccname FILE:/tmp/host.tkt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/certs/ca-certificates.crt
sudo: ldap_initialize(ld, ldap://kdc.domain.com ldap://kdc2.domain.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 3
sudo: ldap_set_option(LDAP_OPT_TIMEOUT, 3)
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 3)
sudo: ldap_start_tls_s() ok
sudo: sudo_ldap_sasl_interact: SASL_CB_USER
Segmentation fault (core dumped)

raub@testfirewall:~$

From syslog:
Jun 5 15:16:26 testfirewall kernel: [2068248.457275] sudo[22925]: segfault at 0 ip 00007f2feb02692a sp 00007ffff55073b8 error 4 in libc-2.19.so[7f2feaf9d000+1bc000]

That affects both local and network users *and* was observed in a new install and an upgrade from 12.04LTS. Now, if I disable ldap for sudoers in /etc/nsswitch.conf,

# sudoers: files ldap
sudoers: files

I can sudo from a local user with sudo rights. What am I missing here?

Raubvogel (raubvogel) wrote :

I talked to Todd C. Miller, the author of sudo, who proposed the following patch:

diff -r 6c0cc2def911 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Wed Jun 04 11:43:39 2014 -0600
+++ b/plugins/sudoers/ldap.c Mon Jun 16 13:41:02 2014 -0600
@@ -2429,10 +2429,11 @@
        rc = ldap_sasl_interactive_bind_s(ld, ldap_conf.binddn, "GSSAPI",
            NULL, NULL, LDAP_SASL_QUIET, sudo_ldap_sasl_interact, auth_id);
        if (new_ccname != NULL) {
- rc = sudo_set_krb5_ccache_name(old_ccname, NULL);
+ rc = sudo_set_krb5_ccache_name(old_ccname ? old_ccname : "", NULL);
            if (rc == 0) {
                sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
- "restore ccache name %s -> %s", new_ccname, old_ccname);
+ "restore ccache name %s -> %s", new_ccname,az
+ old_ccname ? old_ccname : "(none)");
            } else {
                sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
                    "gss_krb5_ccache_name() failed: %d", rc);
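
Review bot: The added line `"restore ccache name %s -> %s", new_ccname,az` ends in a stray `az` after the comma, so the hunk will not compile as posted; drop it so the argument list continues directly with `old_ccname ? old_ccname : "(none)");`. Two smaller points on the same block: the restore call now passes `""` when old_ccname is NULL while the debug message prints "(none)", so a one-line comment saying what an empty string means to sudo_set_krb5_ccache_name() would make the intent explicit; and the restore assigns to the same rc that holds the result of ldap_sasl_interactive_bind_s(), so the bind result visible two lines earlier is overwritten before anything in these lines checks it. Consider keeping the restore status in a separate variable.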

We tested it in my 14.04LTS amd64 (sudo 1.8.9p5) install and that solved the problem. The above patch will be incorporated in the next version of sudo. But I am posting it here in case someone wants to backport it to the sudo 1.8.9 Ubuntu package.
