Bug 208198 - security/sudo: Segmentation Fault when using sudoers in LDAP
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Renato Botelho
Reported: 2016-03-22 08:50 UTC by Fredrik Eriksson
Modified: 2016-06-12 13:21 UTC
rakuco: maintainer-feedback? (garga)
Description Fredrik Eriksson 2016-03-22 08:50:54 UTC
Since upgrading to security/sudo-1.8.16 I get a segmentation fault whenever I'm trying to use sudo as an unprivileged user. 1.8.15 worked fine.

For example: sudo -l works fine when running as root or when using a local sudoers file, but when running as an unprivileged user and with LDAP enabled sudo crashes with a segmentation fault.

With debugging of ldap enabled I get this output when it crashes:

sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldap://<hostname>
sudo: ldap_version     3
sudo: sudoers_base     <sudoers-base>
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           <bind-user>
sudo: bindpw           <bind-pwd>
sudo: bind_timelimit   10
sudo: timelimit        5
sudo: ssl              start_tls
sudo: tls_cacertfile   /etc/ssl/ca_cert.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
Segmentation fault


Running the same as root gives me:

sudo: LDAP Config Summary
sudo: ===================
sudo: uri              ldap://<hostname>
sudo: ldap_version     3
sudo: sudoers_base     <sudoers-base>
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           <bind-user>
sudo: bindpw           <bind-pwd>
sudo: bind_timelimit   10
sudo: timelimit        5
sudo: ssl              start_tls
sudo: tls_cacertfile   /etc/ssl/ca_cert.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%#0)(sudoUser=%operator)(sudoUser=%#5)(sudoUser=ALL)))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: sorting remaining 2 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(54)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user root) with 2 entries
User root may run the following commands on <localhost>:
    (ALL) ALL
    (ALL) ALL
sudo: removing reusable search result
Comment 1 Fredrik Eriksson 2016-03-22 12:57:17 UTC
It looks like the segmentation fault only happens when the user running sudo is a member of a group without a name. For example: one of the accounts I tested with had gidNumber 2000 in LDAP; however, there was no group defined with gid 2000 in either LDAP or locally. Adding this group fixed the problem.

Nevertheless, I don't think sudo should segfault because of this.
Comment 2 Raphael Kubo da Costa freebsd_committer freebsd_triage 2016-03-22 16:26:34 UTC
Over to maintainer.
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-06-11 20:40:31 UTC
A commit references this bug:

Author: garga
Date: Sat Jun 11 20:39:39 UTC 2016
New revision: 416751
URL: https://svnweb.freebsd.org/changeset/ports/416751

Log:
  Add a patch to fix sudo bug #743 that causes a bug where it dereferences
  a NULL pointer when it looks up a negative cached entry which is stored
  as a NULL passwd or group struct pointer

  PR:		208198
  Submitted by:	Fredrik Eriksson <fredrik.eriksson@loopia.se>
  Obtained from:	https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
  Sponsored by:	Rubicon Communications (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/files/patch-fix_bz208198
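
The failure mode named in the commit log above (a negative cache entry stored as a NULL group pointer and later dereferenced), as an added C example that is not sudo's code or part of this report. The structures, function names and the constructed group table are hypothetical; gid 2000 is left undefined as in comment 1, and the output mimics the `(sudoUser=%wheel)(sudoUser=%#0)` clauses in the debug log.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a group cache; not sudo's own data structures. */
struct grp_rec { unsigned gid; const char *name; };
struct cache_item { unsigned gid; const struct grp_rec *gr; }; /* gr == NULL: negative entry */
/* Constructed group database: gid 2000 is deliberately undefined. */
static const struct grp_rec group_db[] = { {0, "wheel"}, {5, "operator"} };
static struct cache_item cache[8];
static size_t ncached;

/* Return the cached item for gid; a failed lookup is cached with gr == NULL. */
const struct cache_item *cache_lookup(unsigned gid)
{
    for (size_t i = 0; i < ncached; i++)
        if (cache[i].gid == gid) return &cache[i];
    if (ncached == sizeof cache / sizeof cache[0]) return NULL; /* cache full */
    cache[ncached] = (struct cache_item){ gid, NULL };
    for (size_t i = 0; i < sizeof group_db / sizeof group_db[0]; i++)
        if (group_db[i].gid == gid) cache[ncached].gr = &group_db[i];
    return &cache[ncached++];
}

/* Unsafe: assumes every cached item resolved, so gid 2000 dereferences NULL. */
size_t append_group_unsafe(char *buf, size_t len, unsigned gid)
{
    const struct cache_item *it = cache_lookup(gid);
    return (size_t)snprintf(buf, len, "(sudoUser=%%%s)", it->gr->name);
}

/* Safe: name clause only if the group resolved; the numeric clause always. */
size_t append_group_safe(char *buf, size_t len, unsigned gid)
{
    const struct cache_item *it = cache_lookup(gid);
    int n = 0;
    if (it != NULL && it->gr != NULL)
        n = snprintf(buf, len, "(sudoUser=%%%s)", it->gr->name);
    if (n < 0 || (size_t)n >= len) return 0;
    int m = snprintf(buf + n, len - (size_t)n, "(sudoUser=%%#%u)", gid);
    return (m < 0 || (size_t)m >= len - (size_t)n) ? 0 : (size_t)(n + m);
}

int main(void)
{
    char buf[64];
    if (append_group_safe(buf, sizeof buf, 2000)) /* gid with no group entry */
        puts(buf);                                /* (sudoUser=%#2000) */
    return 0;
}
```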
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-06-12 13:21:50 UTC
A commit references this bug:

Author: garga
Date: Sun Jun 12 13:21:21 UTC 2016
New revision: 416802
URL: https://svnweb.freebsd.org/changeset/ports/416802

Log:
  MFH: r416751

  Add a patch to fix sudo bug #743 that causes a bug where it dereferences
  a NULL pointer when it looks up a negative cached entry which is stored
  as a NULL passwd or group struct pointer

  PR:		208198
  Submitted by:	Fredrik Eriksson <fredrik.eriksson@loopia.se>
  Obtained from:	https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
  Sponsored by:	Rubicon Communications (Netgate)
  Approved by:	ports-secteam (feld)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/security/sudo/Makefile
  branches/2016Q2/security/sudo/files/patch-fix_bz208198