Your message dated Mon, 20 Oct 2014 21:29:57 +0000
with message-id <[email protected]>
and subject line Bug#764817: fixed in sudo 1.8.11p1-2
has caused the Debian Bug report #764817,
regarding sudo: fails if kernel auditing disabled
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
764817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764817
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.8.11p1-1
Severity: grave

In 1.8.11p1-1, sudo silently exits(1) without creating a new shell.

Here's output from a simple test case, as root: "sudo id" tests whether it functions:

# strace -v -s 100 sudo id
...
connect(8, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = 0
sendto(8, "<85>Oct 11 08:44:26 sudo: root : TTY=pts/1 ; PWD=/mnt/usb ; USER=root ; COMMAND=/usr/bin/id", 95, MSG_NOSIGNAL, NULL, 0) = 95
close(8) = 0
setresuid(4294967295, 4294967295, 4294967295) = 0
setresgid(4294967295, 4294967295, 4294967295) = 0
close(5) = 0
munmap(0x7fa18b97b000, 4096) = 0
socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = -1 EPROTONOSUPPORT (Protocol not supported)
setresuid(4294967295, 4294967295, 4294967295) = 0
setresgid(4294967295, 4294967295, 4294967295) = 0
close(3) = 0
close(4) = 0
exit_group(1) = ?
+++ exited with 1 +++

Sudo seems to give up when it finds that linux does not support AUDIT. Indeed, /proc/cmdline contains "audit=0", as I have disabled that on purpose.

In 1.8.10p3-1, this works fine. The similar chunk of strace output includes:

...
connect(8, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = 0
sendto(8, "<85>Oct 11 08:53:19 sudo: root : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id", 91, MSG_NOSIGNAL, NULL, 0) = 91
close(8) = 0
setresuid(4294967295, 4294967295, 4294967295) = 0
setresgid(4294967295, 4294967295, 4294967295) = 0
close(5) = 0
munmap(0x7f0e1e326000, 4096) = 0
socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = -1 EPROTONOSUPPORT (Protocol not supported)
setresuid(4294967295, 4294967295, 4294967295) = 0
setresgid(4294967295, 4294967295, 4294967295) = 0
close(3) = 0
close(4) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
open("/etc/group", O_RDONLY|O_CLOEXEC) = 4
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
lseek(5, 0, SEEK_CUR) = 0
...

and continues to clone() and eventually exits(0).

Looks like the conditional is backwards in linux_audit_open():

        /* Kernel may not have audit support. */
        if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
            sudo_warn(U_("unable to open audit system"));
            au_fd = AUDIT_NOT_CONFIGURED;
        }

This should be:

        if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) {
            au_fd = AUDIT_NOT_CONFIGURED;
        }

(P.S. I hope the new sudo_warn() doesn't go to the terminal.)

Thanks for maintaining sudo!

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libaudit1       1:2.4-1
ii  libc6           2.19-11
ii  libpam-modules  1.1.8-3.1
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2

-- no debconf information
--- End Message ---
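The two conditions quoted in the report above, run side by side over the errno values it names. This is an added example, not sudo's source and not part of the original messages. The value of AUDIT_NOT_CONFIGURED, the function names, the caller policy in may_run_command() and the EACCES case are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define AUDIT_NOT_CONFIGURED (-2) /* stand-in sentinel value, assumed for this example */

/* Condition as quoted from 1.8.11p1-1 (the warning call is omitted here). */
int classify_reported(int fd, int err)
{
    if (fd == -1 && err != EINVAL && err != EPROTONOSUPPORT && err != EAFNOSUPPORT)
        fd = AUDIT_NOT_CONFIGURED;
    return fd;
}

/* Condition proposed in the report: only "kernel lacks audit" maps to the sentinel. */
int classify_proposed(int fd, int err)
{
    if (fd == -1 && (err == EINVAL || err == EPROTONOSUPPORT || err == EAFNOSUPPORT))
        fd = AUDIT_NOT_CONFIGURED;
    return fd;
}

/* Assumed caller policy: run the command with a usable fd or when auditing
 * is absent; refuse when the audit system failed to open (-1). */
int may_run_command(int au_fd)
{
    return au_fd >= 0 || au_fd == AUDIT_NOT_CONFIGURED;
}

int main(void)
{
    static const struct { const char *name; int err; } cases[] = {
        { "EPROTONOSUPPORT (audit=0, as in the strace)", EPROTONOSUPPORT },
        { "EAFNOSUPPORT", EAFNOSUPPORT },
        { "EINVAL", EINVAL },
        { "EACCES (constructed: audit present, open denied)", EACCES },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int r = classify_reported(-1, cases[i].err);
        int p = classify_proposed(-1, cases[i].err);
        printf("%-50s reported: %-6s proposed: %s\n", cases[i].name,
               may_run_command(r) ? "run" : "refuse",
               may_run_command(p) ? "run" : "refuse");
    }
    return 0;
}
```

Under these assumptions the quoted condition is wrong in both directions: it refuses to run on a kernel without audit support, and it treats a genuine failure to open the audit system as "not configured".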
--- Begin Message ---
Source: sudo
Source-Version: 1.8.11p1-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <[email protected]> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

Format: 1.8
Date: Mon, 20 Oct 2014 11:06:44 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.11p1-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <[email protected]>
Changed-By: Bdale Garbee <[email protected]>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 762465 764817
Changes:
 sudo (1.8.11p1-2) unstable; urgency=low
 .
   * patch from Jakub Wilk to fix 'ignoring time stamp from the future'
     messages, closes: #762465
   * upstream patch forwarded by Laurent Bigonville that fixes problem with
     Linux kernel auditing code, closes: #764817
--- End Message ---

