From arif at mail.nih.gov Tue May 5 15:12:03 2009 
From: arif at mail.nih.gov (Anthony R Fletcher) Date: Tue, 5 May 2009 15:12:03 -0400 Subject: [sudo-workers] Sudo 1.7.1 unclear messages Message-ID: <20090505191203.GA19173@cosy.cit.nih.gov> I have just tried sudo-1.7.1 and have found that some of the errors need a little more information. We have 2 groups with the same GID in our /etc/group file and one of these groups is used in the /etc/sudoers file. The error message is: sudo: unable to cache gid, already exists Of course the underlying duplication issue will be fixed but it took a while for me to work out which group(s) it was complaining about. Can we add extra info to the user and group cache complaints? Patch attached. Anthony -------------- next part -------------- *** pwutil.c.orig 2009-05-05 12:40:51.000000000 -0400 --- pwutil.c 2009-05-05 15:01:13.000000000 -0400 *************** *** 209,224 **** pw->pw_passwd = cp; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! errorx(1, "unable to cache user name, already exists"); if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid, already exists"); return(pw); } else { pw = emalloc(sizeof(*pw)); zero_bytes(pw, sizeof(*pw)); pw->pw_uid = uid; if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid, already exists"); return(NULL); } } --- 209,224 ---- pw->pw_passwd = cp; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! errorx(1, "unable to cache user name for uid %u, already exists"); if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid %d, already exists", uid); return(pw); } else { pw = emalloc(sizeof(*pw)); zero_bytes(pw, sizeof(*pw)); pw->pw_uid = uid; if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid %d, already exists", uid); return(NULL); } } *************** *** 252,260 **** pw->pw_passwd = cp; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! 
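Review bot: In the 209,224 hunk the new `errorx(1, "unable to cache user name for uid %u, already exists");` has a `%u` conversion but passes no argument, which is undefined behaviour in a variadic call and at best prints an indeterminate value; it should be `errorx(1, "unable to cache user name for uid %u, already exists", (unsigned int) uid);`. The neighbouring messages print `uid` with `%d`, and the 488,503 hunk does the same for `gid`. The declarations are outside the hunks, but if these are `uid_t`/`gid_t` they are commonly unsigned, so `%u` with an `(unsigned int)` cast keeps large ids from printing as negative numbers. Because this code runs in a setuid program, it is worth building with `-Wformat`, which would catch the missing argument if `errorx` carries a printf format attribute. The enclosing functions start and end outside the hunks.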
errorx(1, "unable to cache user name, already exists"); if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid, already exists"); return(pw); } else { len = strlen(name) + 1; --- 252,260 ---- pw->pw_passwd = cp; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! errorx(1, "unable to cache user name '%s', already exists", name); if (rbinsert(pwcache_byuid, (void *) pw) != NULL) ! errorx(1, "unable to cache uid for '%s', already exists", name); return(pw); } else { len = strlen(name) + 1; *************** *** 266,272 **** pw->pw_name = cp; pw->pw_uid = (uid_t) -1; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! errorx(1, "unable to cache user name, already exists"); return(NULL); } } --- 266,272 ---- pw->pw_name = cp; pw->pw_uid = (uid_t) -1; if (rbinsert(pwcache_byname, (void *) pw) != NULL) ! errorx(1, "unable to cache user name '%s', already exists", name); return(NULL); } } *************** *** 488,503 **** if ((gr = getgrgid(gid)) != NULL) { gr = sudo_grdup(gr); if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name, already exists"); if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! errorx(1, "unable to cache gid, already exists"); return(gr); } else { gr = emalloc(sizeof(*gr)); zero_bytes(gr, sizeof(*gr)); gr->gr_gid = gid; if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! errorx(1, "unable to cache gid, already exists"); return(NULL); } } --- 488,503 ---- if ((gr = getgrgid(gid)) != NULL) { gr = sudo_grdup(gr); if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name for gid %d, already exists", gid); if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! errorx(1, "unable to cache gid %d, already exists", gid); return(gr); } else { gr = emalloc(sizeof(*gr)); zero_bytes(gr, sizeof(*gr)); gr->gr_gid = gid; if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! 
errorx(1, "unable to cache gid %d, already exists", gid); return(NULL); } } *************** *** 525,533 **** if ((gr = getgrnam(name)) != NULL) { gr = sudo_grdup(gr); if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name, already exists"); if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! errorx(1, "unable to cache gid, already exists"); return(gr); } else { len = strlen(name) + 1; --- 525,533 ---- if ((gr = getgrnam(name)) != NULL) { gr = sudo_grdup(gr); if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name '%s', already exists", name); if (rbinsert(grcache_bygid, (void *) gr) != NULL) ! errorx(1, "unable to cache gid for '%s', already exists", name); return(gr); } else { len = strlen(name) + 1; *************** *** 539,545 **** gr->gr_name = cp; gr->gr_gid = (gid_t) -1; if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name, already exists"); return(NULL); } } --- 539,545 ---- gr->gr_name = cp; gr->gr_gid = (gid_t) -1; if (rbinsert(grcache_byname, (void *) gr) != NULL) ! errorx(1, "unable to cache group name '%s', already exists", name); return(NULL); } } From Todd.Miller at courtesan.com Thu May 7 10:31:36 2009 From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Thu, 07 May 2009 10:31:36 -0400 Subject: [sudo-workers] Sudo 1.7.1 unclear messages In-Reply-To: Your message of "Tue, 05 May 2009 15:12:03 EDT." <20090505191203.GA19173@cosy.cit.nih.gov> References: <20090505191203.GA19173@cosy.cit.nih.gov> Message-ID: <200905071431.n47EVanM005559@core.courtesan.com> That seems like a good idea, though the restriction that two users or groups can not have the same uid/gid is a little bogus and should probably be relaxed. - todd From arif at mail.nih.gov Thu May 7 11:56:27 2009 
From: arif at mail.nih.gov (Anthony R Fletcher) Date: Thu, 7 May 2009 11:56:27 -0400 Subject: [sudo-workers] Sudo 1.7.1 unclear messages In-Reply-To: <200905071431.n47EVanM005559@core.courtesan.com> References: <20090505191203.GA19173@cosy.cit.nih.gov> <200905071431.n47EVanM005559@core.courtesan.com> Message-ID: <20090507155627.GA28920@cosy.cit.nih.gov> Hello Todd I guess it is a little bogus if the group (or user) names are used. Can you use just the GID in the sudoers file? Anyway we did have an issue which this highlighted and we fixed but not before I hacked the code to fix the GID at issue. Anthony On 07 May 2009 at 10:31:36, Todd C. Miller wrote: > That seems like a good idea, though the restriction that two users > or groups can not have the same uid/gid is a little bogus and should > probably be relaxed. > > - todd -- Anthony R Fletcher Room 2033, Building 12A, http://dcb.cit.nih.gov/~arif National Institutes of Health, arif at mail.nih.gov 12A South Drive, Bethesda, Phone: (+1) 301 402 1741. MD 20892-5624, USA. From debjitbis08 at gmail.com Fri May 22 05:13:52 2009 From: debjitbis08 at gmail.com (Debjit Biswas) Date: Fri, 22 May 2009 14:43:52 +0530 Subject: [sudo-workers] porting sudo to minix 3 Message-ID: Hi all, i've trying to port sudo-1.7.0 to MINIX 3. the problem is MINIX does not implement supplementary groups. Although i've been able to compile sudo successfully, running sudo fails with the message internal error, tried to emalloc2(0) This is due to the fact that the getgroups function always returns 0. Is there any way to detect this during configuration ? From Todd.Miller at courtesan.com Fri May 22 06:39:56 2009 
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Fri, 22 May 2009 06:39:56 -0400 Subject: [sudo-workers] porting sudo to minix 3 In-Reply-To: Your message of "Fri, 22 May 2009 14:43:52 +0530." References: Message-ID: <200905221039.n4MAduVH004101@core.courtesan.com> In message so spake Debjit Biswas (debjitbis08): > i've trying to port sudo-1.7.0 to MINIX 3. the problem is MINIX does > not implement supplementary groups. > Although i've been able to compile sudo successfully, running sudo > fails with the message > > internal error, tried to emalloc2(0) > > This is due to the fact that the getgroups function always returns 0. > Is there any way to detect this during configuration ? Sudo should probably just deal with getgroups returning 0. The following diff, relative to sudo 1.7.x should do the trick. - todd Index: set_perms.c =================================================================== RCS file: /home/cvs/courtesan/sudo/set_perms.c,v retrieving revision 1.46 diff -u -r1.46 set_perms.c --- set_perms.c 18 May 2009 10:33:33 -0000 1.46 +++ set_perms.c 22 May 2009 10:37:00 -0000 @@ -490,7 +490,9 @@ runas_setgroups() { static int ngroups = -1; +#ifdef HAVE_GETGROUPS static GETGROUPS_T *groups; +#endif struct passwd *pw; if (def_preserve_groups) 
@@ -503,14 +505,16 @@ pw = runas_pw ? runas_pw : sudo_user.pw; if (initgroups(pw->pw_name, pw->pw_gid) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); - if ((ngroups = getgroups(0, NULL)) < 0) - log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups"); - groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); - if (getgroups(ngroups, groups) < 0) - log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); +#ifdef HAVE_GETGROUPS + if ((ngroups = getgroups(0, NULL)) > 0) { + groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); + if (getgroups(ngroups, groups) < 0) + log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); + } } else { if (setgroups(ngroups, groups) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); +#endif /* HAVE_GETGROUPS */ } } From debjitbis08 at gmail.com Sun May 24 02:33:47 2009 
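Review bot: The new `if ((ngroups = getgroups(0, NULL)) > 0)` drops the old `< 0` branch, so a failing size probe is no longer reported: `ngroups` stays -1, nothing is cached, and the next call just runs initgroups() again. That looks harmless for the group vector itself, but a silent failure in privilege-setup code is hard to diagnose; adding `else if (ngroups < 0) log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups");` after the block keeps the old diagnostic while still accepting 0. When getgroups() returns 0, later calls reach `setgroups(ngroups, groups)` with `groups` never assigned (a zero-initialised static, so NULL), which clears the supplementary list and deserves a one-line comment saying that is intended. The `#ifdef HAVE_GETGROUPS` region opens inside the `if` body and closes inside the `else` body, so the brace structure differs between the two configurations and is easy to break in a later edit; runas_setgroups() starts before this hunk.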
From: debjitbis08 at gmail.com (Debjit Biswas) Date: Sun, 24 May 2009 12:03:47 +0530 Subject: [sudo-workers] porting sudo to minix 3 In-Reply-To: <200905221039.n4MAduVH004101@core.courtesan.com> References: <200905221039.n4MAduVH004101@core.courtesan.com> Message-ID: On Fri, May 22, 2009 at 4:09 PM, Todd C. Miller wrote: > In message > ? ? ? ?so spake Debjit Biswas (debjitbis08): > >> i've trying to port sudo-1.7.0 to MINIX 3. the problem is MINIX does >> not implement supplementary groups. >> Although i've been able to compile sudo successfully, running sudo >> fails with the message >> >> internal error, tried to emalloc2(0) >> >> This is due to the fact that the getgroups function always returns 0. >> Is there any way to detect this during configuration ? > > Sudo should probably just deal with getgroups returning 0. > The following diff, relative to sudo 1.7.x should do the trick. > > ?- todd > > Index: set_perms.c > =================================================================== > RCS file: /home/cvs/courtesan/sudo/set_perms.c,v > retrieving revision 1.46 > diff -u -r1.46 set_perms.c > --- set_perms.c 18 May 2009 10:33:33 -0000 ? ? ?1.46 > +++ set_perms.c 22 May 2009 10:37:00 -0000 > @@ -490,7 +490,9 @@ > ?runas_setgroups() > ?{ > ? ? static int ngroups = -1; > +#ifdef HAVE_GETGROUPS > ? ? static GETGROUPS_T *groups; > +#endif > ? ? struct passwd *pw; > > ? ? if (def_preserve_groups) 
> @@ -503,14 +505,16 @@ > ? ? ? ?pw = runas_pw ? runas_pw : sudo_user.pw; > ? ? ? ?if (initgroups(pw->pw_name, pw->pw_gid) < 0) > ? ? ? ? ? ?log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); > - ? ? ? if ((ngroups = getgroups(0, NULL)) < 0) > - ? ? ? ? ? log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups"); > - ? ? ? groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); > - ? ? ? if (getgroups(ngroups, groups) < 0) > - ? ? ? ? ? log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); > +#ifdef HAVE_GETGROUPS > + ? ? ? if ((ngroups = getgroups(0, NULL)) > 0) { > + ? ? ? ? ? groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); > + ? ? ? ? ? if (getgroups(ngroups, groups) < 0) > + ? ? ? ? ? ? ? log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); > + ? ? ? } > ? ? } else { > ? ? ? ?if (setgroups(ngroups, groups) < 0) > ? ? ? ? ? ?log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); > +#endif /* HAVE_GETGROUPS */ > ? ? } > ?} > > Thanks for the tip, it worked perfectly. To get sudo to compile though the header termios.h had to be added to lbuf.c. Also, since minix does not define IFF_LOOPBACK anywhere had to compile with --without-interfaces. Well thanks again.