Bug 557

Summary: sudo hang in some circumstances
Product: Sudo
Reporter: Gabor Lukacs <huncraft>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: normal    
Version: 1.7.9   
Hardware: IBM   
OS: AIX   
Attachments: tar package of the used scripts and binaries:
test script #1
test script #3
test script #2
tar.gz package of the used scripts and binaries

Description Gabor Lukacs 2012-05-24 05:42:17 MDT
Created attachment 347 [details]
tar package of the used scripts and binaries:

Hi team

It looks like a new regression was introduced in sudo 1.7.9.0 due to the following change:
"If none of the standard input, output or error are connected to a tty device, sudo will now check its parent's standard input, output or error for the tty name on systems with /proc and BSD systems that support the KERN_PROC_PID sysctl. This allows tty-based tickets to work properly even when, e.g. standard input, output and error are redirected to /dev/null. "

On AIX systems this change could cause sudo to hang if the user tries to use sudo without a tty device. In my tests I was able to reproduce the issue in the following way:

Used scripts:
test_server@user:/tmp $ cat /tmp/test
#!/usr/bin/ksh
date
whoami

test_server@user:/tmp $ cat /tmp/test2
#!/usr/bin/ksh
/usr/local/bin/sudo /tmp/test

POC:
test_server@user:/tmp $ ssh localhost /tmp/test2

Sudoers content:
test_server@user:/tmp $ sudo egrep -v "^#|^$" /etc/sudoers
Defaults !env_reset                             # deny to replace ENV
Defaults !lecture                               # stops the silly message
Defaults root_sudo                              # root is allowed to run sudo too
Defaults logfile=/var/adm/sudo.log              # place for log
Defaults loglinelen=0                           # do not wrap lines
Defaults log_host,log_year                      # additional logging parameters
root ALL=(ALL) ALL
user ALL = NOPASSWD: ALL

After I execute the command (ssh localhost /tmp/test2) the session hangs, and nothing happens. On the process list I can see the 2 forked processes, but neither goes anywhere:

test_server@user:/tmp $ ps -ef |grep test
 user 3735662 4849784   3 09:09:24  pts/1  0:00 ssh localhost /tmp/test2
 user 4260000 5832778   0 09:09:24      -  0:00 /usr/local/bin/sudo /tmp/test
 user 5832778 6094946   0 09:09:24      -  0:00 /usr/bin/ksh /tmp/test2
 user 6422548 3342444   2 09:09:28  pts/0  0:00 grep test
 
In fact, if I terminate the ssh command with Ctrl+C, the session quits, but the processes remain on the process list (owner would be PID 1):
test_server@user:/tmp $ ps -ef |grep test
 user 2425026 3342444   2 09:16:51  pts/0  0:00 grep test
 user 4260000 5832778   0 09:09:24      -  0:00 /usr/local/bin/sudo /tmp/test
 user 5832778       1   0 09:09:24      -  0:00 /usr/bin/ksh /tmp/test2

Here are my observations:
- The issue happens only when the user is using ksh instead of ksh93. Unfortunately ksh is the default on AIX servers.
- Tested on AIX 5.3 (TL12, SP5), 6.1 (TL7, SP3)
- ssh version is irrelevant. 
- The same POC works without issue with sudo version 1.7.8p1

To make sure that the tty change caused the issue, I altered the sudo.c used by 1.7.9 and changed the tty check back to the way 1.7.8p1 does it.

devel_box@root:/ # diff /tmp/sudo-src/sudo-1.7.9.gabor/sudo.c /tmp/sudo-src/sudo-1.7.9/sudo.c
628,631c628,630
<
<     if ((p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO)) ||
<         (p = ttyname(STDERR_FILENO))) {
<         user_tty = user_ttypath = estrdup(p);
---
>
>     if ((p = get_process_ttyname()) != NULL) {
>       user_tty = user_ttypath = p;
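
Review bot: On the `<` side (the locally modified sudo.c, since it is the first argument to diff), going back to ttyname() on STDIN_FILENO, STDOUT_FILENO and STDERR_FILENO drops the parent-process lookup that get_process_ttyname() provides, so when all three descriptors are redirected no tty name is found and the tty-based ticket behaviour described in the quoted 1.7.9 change note is lost again. That makes this change useful for isolating the hang but not as a fix; the hang would have to be addressed inside get_process_ttyname() itself. The two sides also differ in ownership: the `<` side stores estrdup(p) while the `>` side stores p directly, so any later free of user_tty has to match whichever form is kept. For posting, a unified diff with the original file first (diff -u sudo-1.7.9/sudo.c sudo-1.7.9.gabor/sudo.c) would read in the conventional direction.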

Compiled this code with the same gcc flags and it works fine:

test_server@user:/tmp $ cat test.sudo1790.gabor_ksh
#!/usr/bin/ksh
/usr/local/bin/sudo.1.7.9.0.gabor /tmp/test

test_server@user:/tmp $ cat /tmp/test
#!/usr/bin/ksh
date
whoami

test_server@user:/tmp $ /usr/local/bin/sudo.1.7.9.0.gabor -V |head -1
Sudo version 1.7.9

test_server@user:/tmp $ ssh localhost /tmp/test.sudo1790.gabor_ksh
Thu May 24 09:30:34 GMT 2012
root

Attaching the binaries to the ticket

Note: tried the same issue on different Linux systems, but as far as I can see only AIX with ksh is affected.
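
The descriptor-only lookup that the reverted code relies on, as an added diagnostic example (not part of the original report and not sudo's code): it reports what stdin, stdout and stderr are attached to and whether ttyname() can name any of them. The names `fd_kind` and `std_fd_ttyname` are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Describe what a descriptor is attached to (hypothetical helper). */
static const char *fd_kind(int fd)
{
    struct stat sb;

    if (fstat(fd, &sb) == -1) return "closed";
    if (isatty(fd))           return "tty";
    if (S_ISFIFO(sb.st_mode)) return "pipe";
#ifdef S_ISSOCK
    if (S_ISSOCK(sb.st_mode)) return "socket";
#endif
    if (S_ISCHR(sb.st_mode))  return "chardev";   /* e.g. /dev/null */
    if (S_ISREG(sb.st_mode))  return "file";
    return "other";
}

/* Descriptor-only lookup: copy the name of the first descriptor in fds[]
 * that ttyname() can resolve into buf. Returns 0 on success, -1 (and an
 * empty buf) when none of the descriptors is a tty. */
int std_fd_ttyname(const int *fds, size_t nfds, char *buf, size_t buflen)
{
    size_t i;

    for (i = 0; i < nfds; i++) {
        const char *name = ttyname(fds[i]);
        if (name != NULL) {
            snprintf(buf, buflen, "%s", name);
            return 0;
        }
    }
    if (buflen > 0) buf[0] = '\0';
    return -1;
}

int main(void)
{
    const int fds[] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO };
    char tty[256];
    size_t i;

    for (i = 0; i < 3; i++)
        printf("fd %d: %s\n", fds[i], fd_kind(fds[i]));
    if (std_fd_ttyname(fds, 3, tty, sizeof(tty)) == 0)
        printf("tty from descriptors: %s\n", tty);
    else
        printf("no tty on stdin/stdout/stderr\n");
    return 0;
}
```

Built on the affected host and started the same way as /tmp/test2 (through ssh with no tty allocated), it shows the condition under which sudo 1.7.9 falls through to its parent-process lookup.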

Comment 1 Gabor Lukacs 2012-05-24 05:50:08 MDT
Created attachment 348 [details]
test script #1

Comment 2 Gabor Lukacs 2012-05-24 05:50:39 MDT
Created attachment 349 [details]
test script #3

Comment 3 Gabor Lukacs 2012-05-24 05:51:10 MDT
Created attachment 350 [details]
test script #2

Comment 4 Gabor Lukacs 2012-05-24 05:56:38 MDT
Created attachment 351 [details]
tar.gz package of the used scripts and binaries

/usr/local/bin/sudo - compiled version of sudo 1.7.9, based on the http://www.sudo.ws/sudo/dist/sudo-1.7.9.tar.gz archive
/usr/local/bin/sudo.1.7.9.0.gabor - compiled version of sudo 1.7.9 using the tty check mechanism from 1.7.8p1
/usr/local/bin/sudo1781 - compiled version of sudo version 1.7.8p1 - this works without an issue
/tmp/test - test script #1
/tmp/test2 - test script #2
/tmp/test.sudo1790.gabor_ksh - test script #3

Comment 5 Todd C. Miller 2012-05-24 10:37:27 MDT
This is fixed in sudo 1.8.5 as well as the upcoming sudo 1.7.10.  There is a beta version of 1.7.10 available now.  Binary packages will take a little while to build but should show up in an hour or so.

http://www.sudo.ws/sudo/dist/beta/sudo-1.7.10b1.tar.gz

*** This bug has been marked as a duplicate of bug 552 ***

Comment 6 Gabor Lukacs 2012-05-25 03:06:52 MDT
Hi Todd

Thanks for the quick reply. I wasn't aware of the mentioned ticket, sorry about that. Regarding your comment: I downloaded the 1.7.10b1 package, and created a binary from it (took only ~10 mins) - it works fine, so I would like to say a big thank you once again.

Greetings:
Gabor Lukacs