sudo fails with host netgroup returned from freeipa

Bug #1607666 reported by Florian Apolloner on 2016-07-29
This bug affects 13 people
Affects          Importance   Assigned to
sudo (Ubuntu)    Undecided    Unassigned
  Xenial         Undecided    Unassigned
  Yakkety        Undecided    Unassigned

Bug Description

[Impact]
Sudo currently fails to validate netgroups against host netgroups returned from the sss plugin; see https://fedorahosted.org/freeipa/ticket/6139 for the gory details.

This was fixed in sudo 1.8.17 (https://www.sudo.ws/repos/sudo/rev/2eab4070dcf7 to be exact), which I'd very much like to see backported to Ubuntu 16.04. If possible, updating sudo completely to 1.8.17 would be nice, since there have been quite a few improvements with regards to sss and freeipa and it would be a shame if we could not benefit from them given that 16.04 is LTS.

[Test case]
install the update, test that sudo works on a freeipa installation that uses netgroups

[Regression potential]
<tjaalton> I looked at upstream commits to sssd.c, and there were no commits that touch this area, so chance of regressions should be slim

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu Xenial):
status: New → Confirmed
Changed in sudo (Ubuntu):
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote :
Florian Apolloner (apollo13) wrote :

Can confirm that this seems to work for us.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.19p1-1ubuntu1

---------------
sudo (1.8.19p1-1ubuntu1) zesty; urgency=low

  * Merge from Debian unstable. (LP: #1607666)
    Remaining changes:
    - Use tmpfs location to store timestamp files
      + debian/rules: change --with-rundir to /var/run/sudo
      + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
        shipping init script and service file, as they are no longer
        necessary.
      + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
        init script with dpkg-maintscript-helper.
      + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
        transition code, remove old /var/lib/sudo/ts timestamp directory.
    - debian/rules:
      + compile with --without-lecture --with-tty-tickets --enable-admin-flag
      + install man/man8/sudo_root.8 in both flavours
      + install apport hooks
    - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
      + add usr/share/apport/package-hooks
    - debian/sudo.pam:
      + Use pam_env to read /etc/environment and /etc/default/locale
        environment files. Reading ~/.pam_environment is not permitted due to
        security reasons.
    - debian/sudoers:
      + also grant admin group sudo access
      + include /snap/bin in the secure_path
    - debian/control, debian/rules:
      + use dh-autoreconf
    - Remaining patches:
      + keep_home_by_default.patch: Keep HOME in the default environment
    - Dropped patches no longer needed:
      + debian/patches/lp1565567.patch: upstream.
      + debian/patches/also_check_sudo_group.diff: upstream.

 -- Timo Aaltonen <email address hidden> Sat, 14 Jan 2017 01:41:17 +0200

Changed in sudo (Ubuntu):
status: Confirmed → Fix Released

Thanks for uploading the fix for this bug report to -proposed. However, when reviewing the package in -proposed and the details of this bug report I noticed that the bug description is missing information required for the SRU process. You can find full details at http://wiki.ubuntu.com/StableReleaseUpdates#Procedure but essentially this bug is missing some of the following: a statement of impact, a test case and details regarding the regression potential. Thanks in advance!

Timo Aaltonen (tjaalton) on 2017-01-19
description: updated

Hello Florian, or anyone else affected,

Accepted sudo into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed
Florian Apolloner (apollo13) wrote :

Can confirm that it works, just pulled it on our machines.

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote :

Hello Florian, or anyone else affected,

Accepted sudo into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sudo/1.8.16-0ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in sudo (Ubuntu Yakkety):
status: New → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Florian Apolloner (apollo13) wrote :

Sorry, cannot confirm on yakkety since we do not deploy there yet.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.8.16-0ubuntu1.3

---------------
sudo (1.8.16-0ubuntu1.3) xenial; urgency=medium

  * sssd-doesnt-handle-netgroups.diff, sssd-fix-matching-loop.diff:
    Only check username as part of the netgroup when netgroup_tuple is enabled.
    (LP: #1607666)

 -- Timo Aaltonen <email address hidden> Sat, 14 Jan 2017 01:54:21 +0200

Changed in sudo (Ubuntu Xenial):
status: Fix Committed → Fix Released
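
The matching rule in the changelog entry above, modelled as an added example (not sudo's code and not part of the original report). The netgroup contents, host names and the example.test domain are constructed, and in_netgroup is a simplified in-memory stand-in for innetgr(3); calling host_matches with netgroup_tuple set always passes the user name, which is the behaviour the entry implies for the unpatched package.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* One netgroup triple (host,user,domain). An empty field is a wildcard;
 * "-" is the conventional value that equals no real name. */
struct triple { const char *host, *user, *domain; };

/* Constructed sample: a host netgroup whose members carry no user field. */
static const struct triple webservers[] = {
    { "web1.example.test", "-", "example.test" },
    { "web2.example.test", "-", "example.test" },
};

/* A NULL query means "do not test this field", as with innetgr(3). */
static bool field_ok(const char *field, const char *query)
{
    return query == NULL || field[0] == '\0' || strcmp(field, query) == 0;
}

/* Simplified model of innetgr(3) over an in-memory triple list. */
static bool in_netgroup(const struct triple *ng, size_t n,
                        const char *host, const char *user, const char *domain)
{
    for (size_t i = 0; i < n; i++)
        if (field_ok(ng[i].host, host) && field_ok(ng[i].user, user) &&
            field_ok(ng[i].domain, domain))
            return true;
    return false;
}

/* Host check for a sudoers rule: the user name is only part of the lookup
 * when the full-tuple option is on, as the changelog entry describes. */
static bool host_matches(const char *host, const char *user, bool netgroup_tuple)
{
    size_t n = sizeof(webservers) / sizeof(webservers[0]);
    return in_netgroup(webservers, n, host, netgroup_tuple ? user : NULL,
                       "example.test");
}
```

With the user name included, no triple in a host-only netgroup can match, so the rule never applies on any host; leaving it out restores the host match while still rejecting hosts outside the group.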

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of sudo from yakkety-proposed was performed and bug 1665062 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1665062 (not this bug). Thanks!

tags: added: verification-failed
Seth Arnold (seth-arnold) wrote :

bug 1665062 has guitarpro6 in the logs as well as significant hardware errors (perhaps just failing CD-ROM drive, perhaps hard drive, they were slightly unusual). That's not a happy computer but it looks unrelated to this SRU.

Thanks

tags: removed: verification-failed