LDAP-based sudo roles stopped working in 16.04

Bug #1665322 reported by Paweł Moll on 2017-02-16
This bug affects 5 people
Affects: sudo (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

After upgrading from 14.04 LTS to 16.04 LTS, we noticed that LDAP-based sudo roles stopped working, meaning users that were able to use sudo in the past are now rejected.

After investigation, it turned out to be a known upstream bug:

https://bugzilla.sudo.ws/show_bug.cgi?id=757

which was introduced somewhere between the 14.04 and 16.04 timelines.

To cut a long story short, the code is trying to match the FQDN host name (e.g. "thehost.domain.com") against the host name pattern provided in LDAP (e.g. "sudoHost: thehost") using strcmpi, which will - obviously - fail.

The fix is a single-line patch which found its way into sudo version 1.8.18:

https://www.sudo.ws/repos/sudo/rev/605c03afc80f

Unfortunately both 16.04 and 16.10 seem to only use 1.8.16 (17.04 seems to have jumped to 1.8.19), so they will need to carry the patch mentioned above. I tested it locally and the re-built package with the patch added works fine. My debian/patches/series looks like this now:

.../sudo-1.8.16$ cat debian/patches/series
typo-in-classic-insults.diff
paths-in-samples.diff
keep_home_by_default.patch
also_check_sudo_group.diff
lp1565567.patch
sssd-doesnt-handle-netgroups.diff
sssd-fix-matching-loop.diff
ldap-hostname.diff

.../sudo-1.8.16$ cat debian/patches/ldap-hostname.diff
# HG changeset patch
# User Todd C. Miller <email address hidden>
# Date 1473459982 21600
# Node ID 605c03afc80f4c3f55bfae62fcf4974f18cd77e8
# Parent 017866310d2486566cbde9f93486e788d0c046a8
Fix typo that broke short host name matching when the fqdn
flag is enabled. Bug #757

diff -r 017866310d24 -r 605c03afc80f plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c Thu Sep 08 16:38:08 2016 -0600
+++ b/plugins/sudoers/sudoers.c Fri Sep 09 16:26:22 2016 -0600
@@ -1069,7 +1069,7 @@
  /* Not remote, just use user_host. */
  if ((lhost = strdup(user_host)) != NULL) {
      if (user_shost != user_host)
- shost = strdup(lhost);
+ shost = strdup(user_shost);
      else
   shost = lhost;
  }
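Review bot: the inner strdup in this hunk is still unchecked: `shost = strdup(user_shost);` can return NULL while `lhost` is non-NULL, and nothing in the visible lines handles that case, so a later host comparison or free of `shost` would operate on NULL. Suggest testing the result the same way the outer `if ((lhost = strdup(user_host)) != NULL)` does, or folding both into one allocation-failure path. The one-word change itself is right: copying `lhost` (the FQDN) into `shost` meant the "short" name was never short, so a `sudoHost` value like `thehost` could match neither string when the fqdn flag was on.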

Paweł Moll (pawel-moll) on 2017-02-16
description: updated
Paweł Moll (pawel-moll) on 2017-02-28
description: updated
Launchpad Janitor (janitor) wrote:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sudo (Ubuntu):
status: New → Confirmed
Oscar Carlberg (canhasspace) wrote:

I reported the same problem in #1682104, another way to work around this is to use the sudo version in the release version of 16.04, 1.8.16-0ubuntu1. Would be very nice to get this resolved since we cannot patch the sudo package right now in our systems.
