Fwd: dlopen error when using sudo with pam_ldap

Steven Romero sromero1 at emc.sema.slb.com
Wed Jul 9 16:15:13 EDT 2003


Me again.

Well I haven't heard from anyone so I guess this isn't a common problem, 
but I found something in the sudo manpage that may have something to do 
with this problem:

SECURITY NOTES
      sudo tries to be safe when executing external commands.
      Variables that control how dynamic loading and binding is
      done can be used to subvert the program that sudo runs.  To
      combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only), and
      LIBPATH (AIX only) environment variables are removed from
      the environment passed on to all commands executed.  sudo
      will also remove the IFS, ENV, BASH_ENV, KRB_CONF,
      KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
      RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
      TERMINFO_DIRS and TERMPATH variables as they too can pose a
      threat.  If the TERMCAP variable is set and is a pathname,
      it too is ignored.  Additionally, if the LC_* or LANGUAGE
      variables contain the / or % characters, they are ignored.
      If sudo has been compiled with SecurID support, the VAR_ACE,
      USR_ACE and DLC_ACE variables are cleared as well.  The list
      of environment variables that sudo clears is contained in
      the output of sudo -V when run as root.

      To prevent command spoofing, sudo checks "." and "" (both
      denoting current directory) last when searching for a
      command in the user's PATH (if one or both are in the PATH).
      Note, however, that the actual PATH environment variable is
      not modified and is passed unchanged to the program that
      sudo executes.

So to avoid this it is suggested that sudo be statically linked to shared 
libraries:

      For security reasons, if your OS supports shared libraries
      and does not disable user-defined library search paths for
      setuid programs (most do), you should either use a linker
      option that disables this behavior or link sudo statically.

Would the developers of sudo please comment on this behavior built into 
sudo, and determine whether or not it would have anything to do with the 
behavior I am experiencing below with regards to authentication via the 
pam_ldap module?

Thank you.

Regards,
Steve Romero

>Date: Tue, 08 Jul 2003 13:03:35 -0500
>From: Steven Romero <sromero1 at emc.sema.slb.com>
>Subject: dlopen error when using sudo with pam_ldap
>To: sudo-users at sudo.ws
>
>Hello,
>
>I'm getting a dynamic loading error when I try to use sudo with 
>pam_ldap.  My specs are:
>
>+ solaris 8
>+ sudo-1.6.6
>+ pam_ldap-164
>+ openldap-2.1.17
>
>The sudo portion of my pam.conf file reads:
>
># Support for sudo
>sudo    auth    sufficient      /usr/lib/security/pam_ldap.so.1 debug
>
>I've gotten other applications to work fine (OpenSSH for example), and 
>have verified that it is using pam_ldap, but sudo just doesn't want to 
>work.  I always get the following error when I try to authenticate to sudo 
>using pam_ldap:
>
>bash-2.03$ sudo -s
>sudo: pam_authenticate: Dlopen failure
>
>bash-2.03$ sudo vi /etc/pam.conf
>sudo: pam_authenticate: Dlopen failure
>
>Looking in /var/adm/messages I see:
>
>Jul  8 22:57:58 munchie sudo[11823]: [ID 487707 user.error] load_modules: 
>can not open module /usr/lib/security/pam_ldap.so.1
>Jul  8 22:57:58 munchie sudo: [ID 702911 local2.alert]  sromero : 
>pam_authenticate: Dlopen failure ; TTY=pts/3 ; 
>PWD=/export/home/sromero/sudo-1.6.6 ; USER=root ; COMMAND=/bin/bash
>Jul  8 22:58:21 munchie sudo[11825]: [ID 487707 user.error] load_modules: 
>can not open module /usr/lib/security/pam_ldap.so.1
>Jul  8 22:58:21 munchie sudo: [ID 702911 local2.alert]  sromero : 
>pam_authenticate: Dlopen failure ; TTY=pts/3 ; 
>PWD=/export/home/sromero/sudo-1.6.6 ; USER=root ; COMMAND=/usr/bin/vi 
>/etc/pam.conf
>
>Does anyone have any ideas why this isn't working?  I was very careful to 
>compile everything with shared libraries, and as I said I did confirm that 
>pam_ldap is working with other applications.
>
>Thanks for your help.
>
>Regards,
>Steven Romero
>
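Added example, not code from the original post or from sudo itself: a small POSIX shell filter that applies the environment-scrubbing rules quoted from the sudo manpage earlier in this message to a constructed `env` listing, so you can see which variables (LD_LIBRARY_PATH among them) a command executed through sudo would not receive. It assumes a SecurID-enabled build, so the VAR_ACE/USR_ACE/DLC_ACE rule is applied unconditionally.

```shell
#!/bin/sh
# Added example, not code from the original post or from sudo itself.
# Applies the environment-scrubbing rules quoted from the sudo 1.6 manpage
# to "NAME=VALUE" lines read on stdin (the format `env` prints) and writes
# only the entries a command executed by sudo would still receive.
sudo_env_filter() {
    while IFS= read -r entry; do
        name=${entry%%=*}
        value=${entry#*=}
        case "$name" in
            # dynamic loader/linker controls: always removed
            LD_*|_RLD_*|SHLIB_PATH|LIBPATH) continue ;;
            # shell and Kerberos variables: always removed
            IFS|ENV|BASH_ENV|KRB_CONF|KRBCONFDIR|KRBTKFILE|KRB5_CONFIG) continue ;;
            # resolver, locale and terminfo variables: always removed
            LOCALDOMAIN|RES_OPTIONS|HOSTALIASES|NLSPATH|PATH_LOCALE) continue ;;
            TERMINFO|TERMINFO_DIRS|TERMPATH) continue ;;
            # SecurID variables: removed only by a SecurID-enabled build (assumed here)
            VAR_ACE|USR_ACE|DLC_ACE) continue ;;
            # TERMCAP is dropped only when its value is a pathname
            TERMCAP) case "$value" in /*) continue ;; esac ;;
            # LC_* and LANGUAGE are dropped when they contain '/' or '%'
            LC_*|LANGUAGE) case "$value" in */*|*%*) continue ;; esac ;;
        esac
        printf '%s\n' "$entry"
    done
}

# Constructed sample environment: an unprivileged user who relies on
# LD_LIBRARY_PATH to find the OpenLDAP libraries under /usr/local/lib.
sample_env() {
    printf '%s\n' \
        'PATH=/usr/bin:/usr/local/bin:.' \
        'LD_LIBRARY_PATH=/usr/local/lib' \
        'LC_ALL=C' \
        'LC_MESSAGES=../other%s' \
        'TERMCAP=/etc/termcap' \
        'TERM=vt100' \
        'HOME=/export/home/sromero'
}

# Survivors: PATH, LC_ALL, TERM and HOME; the other three entries are scrubbed.
sample_env | sudo_env_filter
```

Note that these rules apply to the environment handed to the command sudo runs; the PATH itself is passed through unchanged, as the manpage says.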