[sudo-users] ldap authentication and local sudoers

Tiago Barros tiago at me.com
Thu Feb 27 10:31:50 MST 2014


Hi Todd,

Thank you very much for your help.

I have tested your new build but I'm getting essentially the same error:

sudo ls /root
[sudo] password for tiago: 
sudo: unable to mkdir /var/lib/sudo/lectured: Permission denied
sudo: unable to mkdir /var/run/sudo/ts: Permission denied
sudo: PERM_ROOT: setreuid(0, -1): Operation not permitted
sudo: setuid(0): Operation not permitted
sudo: unable to set supplementary group IDs: Operation not permitted

This is a summary of which packages work and do not work in my hands:

Works:
Debian Wheezy sudo_1.7.10-8_amd64.deb
RHEL 6 sudo.x86_64  1.8.6p3-12.el6

Does not work:
Debian Wheezy sudo_1.8.10rc2-1_amd64.deb
Debian Wheezy sudo_1.8.9-6_amd64.deb
Debian Wheezy sudo 1.8.5p2-1+nmu1 (current Debian Wheezy package)

I have been installing sudo and not sudo-ldap since I'm not configuring sudo via LDAP (i.e. the sudo group and /etc/sudoers are local on each machine).

Many thanks once again for your help.

Tiago



On Feb 27, 2014, at 08:28, Todd C. Miller <Todd.Miller at courtesan.com> wrote:

> If the problem is indeed GNUTLS changing the euid behind sudo's
> back the following diff may work around it.
> 
> I've built sudo 1.8.10rc2 wheezy packages with this change.  You
> can find them at ftp://ftp.sudo.ws/pub/millert/sudo/wheezy/
> 
> Please try this out if you are able, I'd like sudo 1.8.10 to ship
> with this fixed.
> 
> - todd
> 
> diff -r 59d1f3094dda plugins/sudoers/auth/sudo_auth.c
> --- a/plugins/sudoers/auth/sudo_auth.c	Wed Feb 26 10:29:52 2014 -0700
> +++ b/plugins/sudoers/auth/sudo_auth.c	Thu Feb 27 09:21:16 2014 -0700
> @@ -191,6 +191,9 @@
>     sigaction_t sa, osa;
>     debug_decl(verify_user, SUDO_DEBUG_AUTH)
> 
> +    /* LDAP via NSS may modify the euid so we need to be root by default. */
> +    set_perms(PERM_ROOT);
> +
>     /* Enable suspend during password entry. */
>     sigemptyset(&sa.sa_mask);
>     sa.sa_flags = SA_RESTART;
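Review bot: the new set_perms(PERM_ROOT) at the top of verify_user discards its result, and the output reported earlier in this thread ("sudo: PERM_ROOT: setreuid(0, -1): Operation not permitted") shows the call can fail; when it does, the function carries on to prompt for and verify the password with whatever uids the process happens to hold. Check the return value and bail out of verify_user on failure (going through the same cleanup path as the `done:` label) rather than proceeding with unknown privileges, and consider extending the comment to say that the perms are restored at `done:` so the pairing is obvious to the next reader.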
> @@ -259,6 +262,8 @@
>     }
> 
> done:
> +    restore_perms();
> +
>     switch (success) {
> 	case AUTH_SUCCESS:
> 	    (void) sigaction(SIGTSTP, &osa, NULL);
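Review bot: restore_perms() is added only at the `done:` label, so the push done by set_perms(PERM_ROOT) in the first hunk is balanced only if every exit from verify_user between the two hunks falls through to `done:`; the lines in between are not shown here, so any early `debug_return` or `return` in that region would leave the perms stack unbalanced and the process with elevated effective credentials after authentication. Worth confirming there is no such early return, or converting any that exist into `goto done`.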



