[sudo-users] ldap authentication and local sudoers

Todd C. Miller Todd.Miller at courtesan.com
Thu Feb 27 09:28:15 MST 2014


If the problem is indeed GNUTLS changing the euid behind sudo's
back, the following diff may work around it.

I've built sudo 1.8.10rc2 wheezy packages with this change.  You
can find them at ftp://ftp.sudo.ws/pub/millert/sudo/wheezy/

Please try this out if you are able, I'd like sudo 1.8.10 to ship
with this fixed.

 - todd

diff -r 59d1f3094dda plugins/sudoers/auth/sudo_auth.c
--- a/plugins/sudoers/auth/sudo_auth.c	Wed Feb 26 10:29:52 2014 -0700
+++ b/plugins/sudoers/auth/sudo_auth.c	Thu Feb 27 09:21:16 2014 -0700
@@ -191,6 +191,9 @@
     sigaction_t sa, osa;
     debug_decl(verify_user, SUDO_DEBUG_AUTH)
 
+    /* LDAP via NSS may modify the euid so we need to be root by default. */
+    set_perms(PERM_ROOT);
+
     /* Enable suspend during password entry. */
     sigemptyset(&sa.sa_mask);
     sa.sa_flags = SA_RESTART;
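Review bot: the return value of set_perms(PERM_ROOT) is discarded at the top of verify_user; if set_perms can report failure, the call should be checked so that authentication does not proceed under an unexpected set of credentials. The comment also only names "LDAP via NSS", while the cover note attributes the euid change to GNUTLS; naming the actual culprit (the TLS library pulled in by the NSS LDAP module) in the comment would make it clearer why PERM_ROOT is needed here, since the permission switch now brackets the whole password-entry path rather than just the LDAP lookup.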
@@ -259,6 +262,8 @@
     }
 
 done:
+    restore_perms();
+
     switch (success) {
 	case AUTH_SUCCESS:
 	    (void) sigaction(SIGTSTP, &osa, NULL);
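Review bot: restore_perms() is only placed at the `done:` label, so it pairs with the set_perms(PERM_ROOT) in the first hunk only for paths that reach `done:`; any early `return` between the set_perms call and `done:` (not visible in this hunk) would leave the PERM_ROOT state pushed and the caller running with unexpected privileges. Please confirm there are none, or route them through `done:`. A short comment such as `/* Undo the PERM_ROOT switch made before authentication. */` above the restore_perms() call would also make the pairing obvious to future readers.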

