Since upgrading to security/sudo-1.8.16 I get a segmentation fault whenever I'm trying to use sudo as an unprivileged user. 1.8.15 worked fine.

For example: sudo -l works fine when running as root or when using a local sudoers file, but when running as an unprivileged user and with LDAP enabled sudo crashes with a segmentation fault.

With debugging of LDAP enabled I get this output when it crashes:

sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://<hostname>
sudo: ldap_version 3
sudo: sudoers_base <sudoers-base>
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn <bind-user>
sudo: bindpw <bind-pwd>
sudo: bind_timelimit 10
sudo: timelimit 5
sudo: ssl start_tls
sudo: tls_cacertfile /etc/ssl/ca_cert.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
Segmentation fault

Running the same as root gives me:

sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://<hostname>
sudo: ldap_version 3
sudo: sudoers_base <sudoers-base>
sudo: search_filter (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn <bind-user>
sudo: bindpw <bind-pwd>
sudo: bind_timelimit 10
sudo: timelimit 5
sudo: ssl start_tls
sudo: tls_cacertfile /etc/ssl/ca_cert.crt
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%#0)(sudoUser=%operator)(sudoUser=%#5)(sudoUser=ALL)))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: sorting remaining 2 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(54)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user root) with 2 entries
User root may run the following commands on <localhost>:
    (ALL) ALL
    (ALL) ALL
sudo: removing reusable search result
It looks like the segmentation fault only happens when the user running sudo is a member of a group without a name. For example: one of the accounts I tested with had gidNumber 2000 in LDAP; however, there was no group defined with gid 2000 either in LDAP or locally. Adding this group fixed the problem. Nevertheless, I don't think sudo should segfault because of this.
Over to maintainer.
A commit references this bug:

Author: garga
Date: Sat Jun 11 20:39:39 UTC 2016
New revision: 416751
URL: https://svnweb.freebsd.org/changeset/ports/416751

Log:
  Add a patch to fix sudo bug #743 that causes a bug where it dereferences a
  NULL pointer when it looks up a negative cached entry which is stored as a
  NULL passwd or group struct pointer

  PR: 208198
  Submitted by: Fredrik Eriksson <fredrik.eriksson@loopia.se>
  Obtained from: https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
  Sponsored by: Rubicon Communications (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/files/patch-fix_bz208198
A commit references this bug:

Author: garga
Date: Sun Jun 12 13:21:21 UTC 2016
New revision: 416802
URL: https://svnweb.freebsd.org/changeset/ports/416802

Log:
  MFH: r416751

  Add a patch to fix sudo bug #743 that causes a bug where it dereferences a
  NULL pointer when it looks up a negative cached entry which is stored as a
  NULL passwd or group struct pointer

  PR: 208198
  Submitted by: Fredrik Eriksson <fredrik.eriksson@loopia.se>
  Obtained from: https://www.sudo.ws/repos/sudo/rev/1d13341d53ec
  Sponsored by: Rubicon Communications (Netgate)
  Approved by: ports-secteam (feld)

Changes:
_U  branches/2016Q2/
  branches/2016Q2/security/sudo/Makefile
  branches/2016Q2/security/sudo/files/patch-fix_bz208198
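
Added illustration, not part of the thread above and not sudo's code: a minimal C sketch of the bug class named in the commit log, where a cache hit can be a negative entry whose group pointer is NULL. The types, the cache contents and `group_token()` are hypothetical; the `%name` / `%#gid` token forms and gid 2000 are taken from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-ins for this example; not sudo's real types. */
struct grp_rec { const char *name; gid_t gid; };
struct cache_item {
    gid_t key;                 /* gid that was looked up */
    const struct grp_rec *gr;  /* NULL = negative entry: no such group */
};

/* Constructed data: gid 2000 was looked up once and has no group entry. */
static const struct grp_rec wheel = { "wheel", 0 };
static const struct cache_item cache[] = {
    { 0, &wheel },
    { 2000, NULL },
};

static const struct cache_item *cache_find(gid_t gid)
{
    for (size_t i = 0; i < sizeof(cache) / sizeof(cache[0]); i++)
        if (cache[i].key == gid)
            return &cache[i];
    return NULL;               /* gid was never looked up */
}

/*
 * Format one gid as a group token: "%name" when the group has a name,
 * "%#gid" otherwise. Returns 1 if a name was found, 0 if not.
 */
int group_token(gid_t gid, char *buf, size_t len)
{
    const struct cache_item *item = cache_find(gid);

    /* A cache hit does not mean item->gr is valid. Reading
     * item->gr->name without this check is the NULL dereference. */
    if (item == NULL || item->gr == NULL) {
        snprintf(buf, len, "%%#%u", (unsigned int)gid);
        return 0;
    }
    snprintf(buf, len, "%%%s", item->gr->name);
    return 1;
}

int main(void)
{
    char buf[32];
    int named = group_token(2000, buf, sizeof(buf));
    printf("%s (named=%d)\n", buf, named);
    return 0;
}
```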