[sudo-users] ldap authentication and local sudoers
Tiago Barros
tiago at me.com
Thu Feb 27 10:31:50 MST 2014
Hi Todd,
Thank you very much for your help.
I have tested your new build but I'm getting essentially the same error:
sudo ls /root
[sudo] password for tiago:
sudo: unable to mkdir /var/lib/sudo/lectured: Permission denied
sudo: unable to mkdir /var/run/sudo/ts: Permission denied
sudo: PERM_ROOT: setreuid(0, -1): Operation not permitted
sudo: setuid(0): Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted
This is a summary of which packages work and do not work in my hands:
Works:
Debian Wheezy sudo_1.7.10-8_amd64.deb
RHEL 6 sudo.x86_64 1.8.6p3-12.el6
Does not work:
Debian Wheezy sudo_1.8.10rc2-1_amd64.deb
Debian Wheezy sudo_1.8.9-6_amd64.deb
Debian Wheezy sudo 1.8.5p2-1+nmu1 (current Debian Wheezy package)
I have been installing sudo and not sudo-ldap since I'm not configuring sudo via LDAP (i.e. sudo group and /etc/sudoers are local in each machine).
Many thanks once again for your help.
Tiago
On Feb 27, 2014, at 08:28 , Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> If the problem is indeed GNUTLS changing the euid behind sudo's
> back the following diff may work around it.
>
> I've built sudo 1.8.10rc2 wheezy packages with this change. You
> can find them at ftp://ftp.sudo.ws/pub/millert/sudo/wheezy/
>
> Please try this out if you are able, I'd like sudo 1.8.10 to ship
> with this fixed.
>
> - todd
>
> diff -r 59d1f3094dda plugins/sudoers/auth/sudo_auth.c
> --- a/plugins/sudoers/auth/sudo_auth.c Wed Feb 26 10:29:52 2014 -0700
> +++ b/plugins/sudoers/auth/sudo_auth.c Thu Feb 27 09:21:16 2014 -0700
> @@ -191,6 +191,9 @@
> sigaction_t sa, osa;
> debug_decl(verify_user, SUDO_DEBUG_AUTH)
>
> + /* LDAP via NSS may modify the euid so we need to be root by default. */
> + set_perms(PERM_ROOT);
> +
> /* Enable suspend during password entry. */
> sigemptyset(&sa.sa_mask);
> sa.sa_flags = SA_RESTART;
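Review bot: the result of set_perms(PERM_ROOT) is discarded, and the trace reported earlier in this thread ("sudo: PERM_ROOT: setreuid(0, -1): Operation not permitted") shows that this exact switch can fail. As written, verify_user would then carry on to the password prompt with whatever credentials happen to be in effect instead of failing closed; suggest checking the return and treating a failed switch as a fatal authentication error before the SIGTSTP handler is installed. The comment should also say that password entry itself now runs with euid 0 rather than the invoking user's, since that is a deliberate widening of privilege during the prompt and worth recording for whoever reads this later.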
> @@ -259,6 +262,8 @@
> }
>
> done:
> + restore_perms();
> +
> switch (success) {
> case AUTH_SUCCESS:
> (void) sigaction(SIGTSTP, &osa, NULL);
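Review bot: restore_perms() at done: only balances the set_perms(PERM_ROOT) added at function entry if every exit path from verify_user passes through done:. The hunks do not show the body between the two changes; any early return in that region would leave the perm stack one level deep (PERM_ROOT) for the caller. Please confirm there is no such return, or convert it to `goto done`, and consider the same check for the failure case of the new set_perms() call, so that restore_perms() is never run for a push that did not succeed.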