[sudo-users] Debugging a sudo segmentation fault

Jeff Makey jeff at sdsc.edu
Tue Nov 3 22:11:27 EST 2009 

If I had paid closer attention while testing I may have seen that my
Red Hat Enterprise Linux 3 systems were failing in a different way
from the RHEL 4 systems.

The remaining problem on RHEL 3 systems (with MIT Kerberos 1.2.7) is
that krb5.h does not declare krb5_get_init_creds_opt_free() at all.
This allows the relevant AC_TRY_COMPILE() in configure.in to succeed
and conclude that krb5_get_init_creds_opt_free() takes two arguments,
when in fact the one defined and used in auth/kerb5.c takes only one.
When it is called with two arguments it frees the wrong one and
produces a segmentation fault.

Having sudo_cv_krb5_get_init_creds_opt_free_two_args=no in the
environment while running configure works around this problem (and it
turns out I was already doing that on RHEL 4).  One way to get
configure to make the right choice is to use AC_CHECK_LIB() to see if
it is in the krb5 library, then test the number of arguments it takes
only if it is found.

With the above configure workaround and Todd's change to
krb5_get_init_creds_opt_alloc() in kerb5.c I now have sudo-1.7.2p1
running with Kerberos 5 authentication on the following platforms:

 Solaris 7, 9, & 10 sparc
 Solaris 10 x86
 Red Hat Enterprise Linux 3 32-bit
 Red Hat Enterprise Linux 4 32-bit & 64-bit
 Red Hat Enterprise Linux 5 32-bit

Thanks for the help.

The patch below fixes a couple of noncritical typos I found during my
investigation.

                          :: Jeff Makey
                             jeff at sdsc.edu

 -----------------------------------------------------------------

--- configure.in.~1~    2009-07-20 06:34:37 -0700
+++ configure.in        2009-11-03 16:17:11 -0800
@@ -2240,7 +2240,7 @@
     _LIBS="$LIBS"
     LIBS="${LIBS} ${SUDO_LIBS}"
     AC_CHECK_FUNCS(krb5_verify_user krb5_init_secure_context krb5_get_init_creds_opt_alloc)
-    AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes a two argument2,
+    AC_CACHE_CHECK(whether krb5_get_init_creds_opt_free takes two arguments,
        sudo_cv_krb5_get_init_creds_opt_free_two_args, [
            AC_TRY_COMPILE([#include <krb5.h>],
                [
@@ -2663,7 +2663,7 @@
 AH_TEMPLATE(HAVE_KERB4, [Define to 1 if you use Kerberos IV.])
 AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.])
 AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC, [Define to 1 if you have the `krb5_get_init_creds_opt_alloc' function.])
-AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_alloc' function takes two arguments.])
+AH_TEMPLATE(HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS, [Define to 1 if your `krb5_get_init_creds_opt_free' function takes two arguments.])
 AH_TEMPLATE(HAVE_KRB5_INIT_SECURE_CONTEXT, [Define to 1 if you have the `krb5_init_secure_context' function.])
 AH_TEMPLATE(HAVE_KRB5_VERIFY_USER, [Define to 1 if you have the `krb5_verify_user' function.])
 AH_TEMPLATE(HAVE_LBER_H, [Define to 1 if your LDAP needs <lber.h>. (OpenLDAP does not)])

More information about the sudo-users mailing list