Bug 255

Summary: segfault in HEAD with krb5_ccname and using sudo_setenv method
Product: Sudo Reporter: Tom McLaughlin <tmclaugh>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.7.0   
Hardware: PC   
OS: All   

Description Tom McLaughlin 2007-07-28 19:47:22 MDT 
In HEAD when using sudo_setenv() to set KRB5CCNAME sudo is segfaulting and is reproducible on FreeBSD and Linux.  The bactrace I received simply indicated a crash in strncmp(). The offending code is in env.c's insert_env():

    if (dupcheck) {
	    varlen = (strchr(str, '=') - str) + 1;

	    for (nep = env.envp; *nep; nep++) {
==>		if (strncmp(str, *nep, varlen) == 0) {
		    *nep = str;
		    return;
		}
	    }

After adding a printf() to figure out which environmental variable is causing this I get the following:

[tom@releng-7-fbsd sudo-devel]$ sudo -l                
LDAP Config Summary
===================
uri              ldap://shorthair.straycat.dhs.org
ldap_version     3
sudoers_base     ou=Sudoers,dc=straycat,dc=dhs,dc=org
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   -1
timelimit        -1
ssl              start_tls
use_sasl         1
sasl_auth_id     (NONE)
rootuse_sasl     -1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      /usr/local/etc/.ldapcache
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/straycat.crt")
sudo: ldap_initialize(ld,ldap://shorthair.straycat.dhs.org)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_start_tls_s() ok
*nep = bfbfecfc (_=/usr/local/bin/sudo)
*nep = bfbfed12 (SSH_CONNECTION=192.168.1.127 59783 192.168.1.73 22)
*nep = bfbfed45 (PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:/usr/ports/Tools/scripts)
*nep = bfbfedab (SHELL=/usr/local/bin/ksh)
*nep = bfbfedc4 (EDITOR=vim)
*nep = bfbfedcf (BLOCKSIZE=K)
Segmentation fault (core dumped)

[tom@releng-7-fbsd sudo-devel]$ env
_=/usr/bin/env
SSH_CONNECTION=192.168.1.127 59783 192.168.1.73 22
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:/usr/ports/Tools/scripts
SHELL=/usr/local/bin/ksh
EDITOR=vim
BLOCKSIZE=K
JAILED=1
USER=tom
SSH_CLIENT=192.168.1.127 59783 22
JAILMJVER=7
TERM=xterm
PACKAGESITE=http://ftp.straycat.dhs.org/tb/packages/7-i386-FreeBSD/Latest/
FTP_PASSIVE_MODE=YES
__MAKE_CONF=/home/tom/src/etc/make.conf
LOGNAME=tom
KRB5CCNAME=FILE:/tmp/krb5cc_sCQKJt
SSH_TTY=/dev/ttyp0
ENV=/home/tom/.kshrc
CVSEDITOR=vim
JAILNAME=fbsd
MAIL=/var/mail/tom
DISPLAY=bofh:0
HOME=/home/tom
PWD=/home/tom/src/FREEBSD/ports/security/sudo-devel
PAGER=more
CDIFFCOLORS=93:91:96:41:1:1;31


On my Linux box I see a slightly different result though:

*nep = bfccdba5 (HOSTNAME=centos.straycat.dhs.org)
*nep = bfccdbc6 (SHELL=/bin/bash)
*nep = bfccdbd6 (TERM=vt220)
*nep = bfccdbe1 (HISTSIZE=500)
*nep = bfccdbee (SSH_CLIENT=192.168.1.127 55090 22)
*nep = bfccdc10 (SSH_TTY=/dev/pts/1)
Segmentation fault

HOSTNAME=centos.straycat.dhs.org
SHELL=/bin/bash
TERM=vt220
HISTSIZE=500
SSH_CLIENT=192.168.1.127 55090 22
SSH_TTY=/dev/pts/1
USER=tom
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
CDIFFCOLORS=93:91:96:41:1:1;31
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:/usr/X11R6/sbin:/usr/kerberos/sbin:/usr/kerberos/bin
MAIL=/var/spool/mail/tom
PWD=/home/tom/src/sudo-1.7
INPUTRC=/etc/inputrc
EDITOR=vim
LANG=en_US.UTF-8
KRB5CCNAME=FILE:/tmp/krb5cc_10001_mReEr19811
HOME=/home/tom
SHLVL=1
LOGNAME=tom
SSH_CONNECTION=192.168.1.127 55090 192.168.1.51 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
CVSEDITOR=vim
G_BROKEN_FILENAMES=1
_=/bin/env
OLDPWD=/home/tom
Comment 1 Todd C. Miller 2007-07-29 16:12:24 MDT 
I fixed the sudo_setenv bug in HEAD, however, I would have expected sudo to use gss_krb5_ccache_name() on FreeBSD. Can you check whether configure finds gss_krb5_ccache_name() in libgssapi?
Comment 2 Tom McLaughlin 2007-07-29 16:29:18 MDT 
FreeBSD's Heimdal in base is pretty crufty and lingering on 0.6.x so gss_krb5_ccache_name() isn't present.  I have to test sudo again after installing the Heimdal port which is 0.7.2.  On the CentOS 5 box with MIT's 1.5 it didn't pick up gss_krb5_ccache_name() though it is there.  Going to look at that too.
Comment 3 Todd C. Miller 2007-07-30 10:47:19 MDT 
I just committed a fix to configure that should allow gss_krb5_ccache_name() to be found on Centos -- it works for me on Fedora 7.
Comment 4 Tom McLaughlin 2007-08-06 13:32:12 MDT 
Hi Todd, the patch works great.  Both the sudo_setenv() and gss_krb5_ccache_name() methods work fine except when sasl_auth_id is set.  (So far I haven't found a tool to decrypt GSSAPI conversations so I can compare nss_ldap's traffic with sudo's to look for any differences.)  

I did find a corner case however and not sure how you want to handle this.  If nss_ldap is built using the --enable-configurable-krb5-ccname-env configurable and sudo finds gss_krb5_ccache_name() some breakage occurred.  I get this via syslog for users other than root:

sudo: GSSAPI Error:  Miscellaneous failure (see text) (open(/tmp/krb5cc_<uid>): No such file or directory).

On FreeBSD we use --enable-configurable-krb5-ccname-env for nss_ldap because --enable-configurable-krb5-ccname-gssapi requires the heimdal or MIT port to be installed and doing so causes random application breakage when apps or libs are compiled against different krb5 versions due to some incompatibilities.  Could the ccname method become a configurable?  Also, I don't know if it's just us or if it's a not to out of the ordinary practice to sometimes have a second newer krb5 implementation installed.  Is it worth adding a --with-gssapi-dir configure switch to force sudo to build against one implementation or another?  I'm not to familiar with commercial *nixes so I'm not sure how people with older OSes deal with the need for a newer krb5 or if that really comes up.
Comment 5 Todd C. Miller 2007-12-20 10:14:38 MST 
I've changed how the LDAP options are being set which might fix the sasl_auth_id case.  If you could test ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7a3.tar.gz and report back that would be great.
Comment 6 Todd C. Miller 2008-01-06 12:04:00 MST 
The LDAP code has undergone further cleanup.  If you could test sudo 1.7b1 from ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.b1.tar.gz and report back that would be great.
Comment 7 Tom McLaughlin 2008-02-10 16:52:26 MST 
Sorry, was a little distracted for a bit but I just tried this with 1.7b2 and the problem is still there when PADL's nss_ldap is built with the --enable-configurable-krb5-ccname-env configure option and sudo finds gss_krb5_ccache_name() to be available.

Feb 10 16:12:57 releng-7-fbsd sudo: GSSAPI Error:  Miscellaneous failure (see text) (open(/tmp/krb5cc_0): No such file or directory)

Do you want a patch which allows people to configure the method used to change the credentials cache so it will match the method used by nss_ldap?
Comment 8 Todd C. Miller 2008-02-10 17:55:38 MST 
Does it work properly if you comment out the
#define HAVE_GSS_KRB5_CCACHE_NAME 1
line in config.h?
Comment 9 Tom McLaughlin 2008-02-10 23:19:39 MST 
It works just fine then.
Comment 10 Todd C. Miller 2008-03-03 09:57:53 MST 
I took a look at how gss_krb5_ccache_name() works and I don't see an obvious problem.  It may be that gss_krb5_ccache_name() doesn't work correctly for some combinations of Heimdal and OpenLDAP.

I've added a --enable-gss-krb5-ccache-name configure option to enable the use of gss_krb5_ccache_name() and just default to using the environment variable.  That should work around the issue for now.