Bugzilla – Full Text Bug Listing

| Summary: | Intermittent failures with sudo -u <user> -i on AIX | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Ben Lentz <ben.lentz> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | ASSIGNED --- | | |
| Severity: | normal | CC: | kseymour |
| Priority: | low | | |
| Version: | 1.8.5 | | |
| Hardware: | IBM | | |
| OS: | AIX | | |

Description
Ben Lentz
2012-10-12 10:20:53 MDT
The log file for these attempts contains nothing useful:
Oct 12 10:19:38 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:42 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:45 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:47 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:47 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:48 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:49 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:50 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:54 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:57 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
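
Added example (not part of the original report and not sudo's own code): a parser for logfile entries in the layout quoted above that rejoins the wrapped COMMAND= lines and flags bursts of identical invocations, which is the retry pattern these entries show. The sample lines are constructed, and the year, the 30-second window and the three-entry threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout quoted above, wrapped COMMAND= lines included.
SAMPLE = """\
Oct 12 10:19:38 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:42 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:19:45 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=gisqa ;
COMMAND=/usr/bin/ksh
Oct 12 10:31:02 : blentz : TTY=pts/1 ; PWD=/home/blentz ; USER=root ;
COMMAND=/usr/bin/ls /tmp
"""
ENTRY = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) : (\S+) : (.*)$")

def parse(text, year=2012):
    """Return one dict per entry; the year is assumed, the log omits it."""
    raw = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            raw.append(list(m.groups()))
        elif raw and line.strip():
            raw[-1][2] += " " + line.strip()  # rejoin a wrapped line
    out = []
    for ts, user, rest in raw:
        # COMMAND= is the last field and may contain " ; ", so cut it off first.
        head, _, command = rest.partition("COMMAND=")
        kv = dict(p.strip().split("=", 1) for p in head.split(" ; ") if "=" in p)
        out.append({"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                    "user": user, "runas": kv.get("USER"), "command": command.strip()})
    return out

def retry_bursts(entries, window=timedelta(seconds=30), min_count=3):
    """Runs of identical (user, runas, command) entries spaced <= window apart."""
    open_runs, done = {}, []
    for e in sorted(entries, key=lambda e: e["time"]):
        key = (e["user"], e["runas"], e["command"])
        run = open_runs.get(key)
        if run and e["time"] - run[-1]["time"] <= window:
            run.append(e)
        else:
            if run:
                done.append(run)
            open_runs[key] = [e]
    done.extend(open_runs.values())
    return [(r[0]["user"], r[0]["runas"], r[0]["command"], len(r))
            for r in done if len(r) >= min_count]

if __name__ == "__main__":
    print(retry_bursts(parse(SAMPLE)))
```
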

Do you have log_input, log_output or use_pty enabled in sudoers?

Hi, Sorry for the delay. We are seeing this problem again. We have the following settings in our sudoers file:

Defaults logfile=/var/log/sudo.log
Defaults env_keep += "ODMDIR"

If you'd like a copy of the entire file, please let me know. In this example, I had to try three times before it would work (while making no other changes):

[blentz@optaixapphyp02dev /home/blentz]$ sudo -u oracle -i
[oracle@optaixapphyp02dev /home/oracle]$ You have stopped jobs
[blentz@optaixapphyp02dev /home/blentz]$ sudo -u oracle -i
[oracle@optaixapphyp02dev /home/oracle]$ You have stopped jobs
[blentz@optaixapphyp02dev /home/blentz]$ sudo -u oracle -i
[oracle@optaixapphyp02dev /home/oracle]$

This issue still plagues my users to this day. Am I the only one having problems with sudo -i functionality and just having it kick me back out right away?

You are the only one who has ever reported the problem and I was unable to reproduce it myself on AIX 5.3. What is the shell of the target user?

The shell is /usr/bin/ksh. We seem to have this problem on AIX 5.3 and 6.1. It is highly intermittent. We also get it if the target user has no ulimits. We can work around it with "sudo -u whatever ksh" but then we do not get the destination user's profile sourced.

Do you get the same behavior with:

$ sudo -u username ksh -i

That will also run ksh as a login shell. If the problem persists with "ksh -i" it would be useful to know whether the same thing happens with "su - username".

Since the problem only occurs when the user's startup files are sourced, I wonder if there could be something in .profile causing problems. If command line editing is enabled in the .profile, you might try disabling that temporarily and see if it affects the behavior. Another thing to try is to add "set -o ignoreeof" to the user's .profile and see if that makes any difference.

Thank you for the suggestions. We will give them a shot.

This seems to be totally intermittent, and we've had it happen to multiple users on several different machines. "set -o vi" is common in our .profile files. I mention this since you suggested command line editing might be a problem. We have MANY systems where this works just fine though. Same AIX version, same sudo version. "sudo -u username ksh -i" doesn't seem to actually load the user's .profile file, though.

- Desired usage, desired function:
[blentz@ykaixdbwms01aqa /home/blentz]$ sudo -u oracle -i
[oracle@ykaixdbwms01aqa:/home/oracle] # alias ll
ll='ls -al'

- ksh -i workaround:
[blentz@ykaixdbwms01aqa /home/blentz]$ sudo -u oracle ksh -i
[oracle@ykaixdbwms01aqa /home/blentz]$ alias ll
ll: alias not found

- with root access, using "su - username" :
[blentz@ykaixdbwms01aqa /home/blentz]$ sudo su - oracle
[oracle@ykaixdbwms01aqa:/home/oracle] # alias ll
ll='ls -al'

The -i flag for AIX ksh only states "Indicates that the shell is interactive." but doesn't *actually* source the login profile like a login user shell would. So we have an "interactive" flag but we don't have a "login shell" flag on AIX. I hope that helps. We'll try the "set -o ignoreeof" suggestion and removing "set -o vi" from .profile the next time someone complains about this.

I got it to trigger on one of my systems. I added "set -o ignoreeof" before the "set -o vi" and I was still able to get it to trigger:

[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ You have stopped jobs <------
[blentz@optaixappsi01aqa /home/blentz]$ sudo grep "set -o" /home/si/.profile
set -o ignoreeof
set -o vi
[blentz@optaixappsi01aqa /home/blentz]$

I then commented out "set -o vi" completely.
I got in 16 times but it bombed out with "You have stopped jobs" on the 17th time:

[blentz@optaixappsi01aqa /home/blentz]$ sudo grep "set -o" /home/si/.profile
#set -o vi
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ ^D
[blentz@optaixappsi01aqa /home/blentz]$ sudo -u si -i
[YOU HAVE NEW MAIL]
[si@optaixappsi01aqa]/si/$ You have stopped jobs
[blentz@optaixappsi01aqa /home/blentz]$

Sorry, I was confusing the -i (interactive) flag with the -l (login) flag which AIX ksh does not support.

I don't suppose the .profile has "set -e" in it anywhere?

Do you know if your sudo is built with PAM support or is it using AIX authentication?

We don't have "set -e" in .profile anywhere. We don't use AIX PAM support (it's nothing like Linux PAM support) so I think we're just using regular old AIX authenticate(). The particular rules we're using to trigger this problem are using NOPASSWD: ALL. Here are the compile-time options:

$ sudo sudo -V | head -5
Sudo version 1.8.5p2
Configure options: --prefix=/opt/local/sudo --enable-shared=yes --enable-static=no --with-logfac=auth
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41

It's weird; we are getting the ksh prompt which, to me, means that all the profile files have been sourced (http://www-01.ibm.com/support/docview.wss?uid=isg3T1000361) but instead of waiting for the user to type a command, we just get "You have stopped jobs" and it exits out and we're returned to the original shell.