Comment 0 for bug 1665322

After upgrading from 14.04 LTS to 16.04 LTS, we noticed that LDAP-based sudo roles stopped working, meaning users that were able to use sudo in the past, are rejected now.

After investigation, it turned out to be a known upstream bug:

https://bugzilla.sudo.ws/show_bug.cgi?id=757

which was introduced somewhere between 14.04 and 16.04 timelines.

To cut the long story short, the code is trying to match FQDN host name (eg. "thehost.domain.com") against host name pattern provided in LDAP (eg. "sudoHost: thehost") using strcmpi, which will - obviously - fail.

The fix is a single line change patch which found its way into sudo version 1.8.18:

https://www.sudo.ws/repos/sudo/rev/605c03afc80f

Unfortunately both 16.04 and 16.10 seem to only use 1.8.16 (17.04 seemed to have jumped to 1.8.19) so will need to carry the patch mentioned above. Tested it locally and the re-built package with the patch added works file. My debian/patches/series looks like this now:

.../sudo-1.8.16$ cat debian/patches/series
typo-in-classic-insults.diff
paths-in-samples.diff
keep_home_by_default.patch
also_check_sudo_group.diff
ldap-hostname.diff

.../sudo-1.8.16$ cat debian/patches/ldap-hostname.diff
# HG changeset patch
# User Todd C. Miller <email address hidden>
# Date 1473459982 21600
# Node ID 605c03afc80f4c3f55bfae62fcf4974f18cd77e8
# Parent 017866310d2486566cbde9f93486e788d0c046a8
Fix typo that broke short host name matching when the fqdn
flag is enabled. Bug #757

diff -r 017866310d24 -r 605c03afc80f plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c Thu Sep 08 16:38:08 2016 -0600
+++ b/plugins/sudoers/sudoers.c Fri Sep 09 16:26:22 2016 -0600
@@ -1069,7 +1069,7 @@
  /* Not remote, just use user_host. */
  if ((lhost = strdup(user_host)) != NULL) {
      if (user_shost != user_host)
- shost = strdup(lhost);
+ shost = strdup(user_shost);
      else
   shost = lhost;
  }