Bug 838

Summary: Cannot start virt-manager as root when sudo-io plugin is used and ssh
Product: Sudo
Reporter: Marek Tamaskovic <mtamasko>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: normal
Priority: low
Version: 1.8.23
Hardware: PC
OS: Linux

Description Marek Tamaskovic 2018-06-05 08:17:29 MDT
Description of problem:

When configuring sudo-io to log output, trying to connect through ssh to spawn virt-manager after sudoing fails silently:

$ ssh -YC local@vm-workstation75 'sudo XAUTHORITY=/home/$(whoami)/.Xauthority -iu root /usr/bin/virt-manager'
$ echo $?
0


Version-Release number of selected component (if applicable):

Up to sudo-1.8.23


How reproducible:

Always


Steps to Reproduce:

1. Create a local user in the wheel group and configure sudo with log_output and wheel sudoing without password

  (kvmserver) # useradd -G wheel local
  (kvmserver) # cat /etc/sudoers
  ...
  Defaults   log_output
  %wheel  ALL=(ALL)       NOPASSWD: ALL

2. Install virt-manager

  (kvmserver) # yum -y install virt-manager

3. SSH to start virt-manager after sudoing

  (client) $ ssh -YC local@kvmserver 'sudo XAUTHORITY=/home/$(whoami)/.Xauthority -iu root /usr/bin/virt-manager'; echo $?
  0


Actual results:

virt-manager is not spawned

Additional info:

- Starting "virt-manager" with "--no-fork" works:
    $ ssh -YC local@vm-workstation75 'sudo XAUTHORITY=/home/$(whoami)/.Xauthority -iu root /usr/bin/virt-manager --no-fork'
- Having an interactive session (before sudoing) works

Comment 1 Todd C. Miller 2018-08-06 11:18:07 MDT
Confirmed on sudo 1.8.21p2 and 1.8.24b3 on fedora 26.

Comment 2 Todd C. Miller 2018-08-06 11:57:06 MDT
I believe this is a race condition between when virt-manager forks and when the child process actually starts.  If the child opens the X11 connection before the parent virt-manager exits, ssh will keep the connection open even though the command has completed.  In the log_output case, the timing is different and sudo exits before the forked virt-manager has opened the X11 connection.

Your best bet is to tell virt-manager not to fork to avoid the race.

Comment 3 Todd C. Miller 2018-08-06 13:04:15 MDT
It is also possible to reproduce the race without sudo by redirecting stdout to /dev/null:

ssh -YC local@kvmserver '/usr/bin/virt-manager >/dev/null'

Comment 4 Todd C. Miller 2018-08-18 15:47:24 MDT
Since this doesn't occur if you either use the --no-fork option or append "; sleep 1" to the command, I'm closing this bug as invalid.  It is not a sudo issue and the fact that it works without I/O logging is more luck than anything else.
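
The race described in Comment 2 and the two workarounds from Comment 4, as an added example that is not part of the original bug report and is not sudo or ssh code: a simplified Python model in which a Unix socket stands in for the forwarded X11 listener and a constructed stand-in program plays the forking GUI application. The socket name, the delays and the function names are assumptions made for the illustration.

```python
import os, socket, subprocess, sys, tempfile, time

# Constructed stand-in for a GUI program that forks on startup: the parent
# returns at once and the child opens its display connection after a delay.
APP = r"""
import os, socket, sys, time
path, delay, fork = sys.argv[1], float(sys.argv[2]), sys.argv[3] == "fork"
if fork and os.fork() > 0:
    os._exit(0)                      # parent exits, child continues detached
time.sleep(delay)                    # startup work before touching the display
try:
    s = socket.socket(socket.AF_UNIX)
    s.connect(path)
    s.sendall(b"x")
except OSError:
    pass                             # forwarding socket already torn down
"""

def session_survives(mode, connect_delay, linger=0.0):
    """Model one remote command: True if a forwarded channel was open when the
    command finished (session kept alive), False if the session was torn down."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "X-forward")      # hypothetical socket name
        listener = socket.socket(socket.AF_UNIX)
        listener.bind(path)
        listener.listen(1)
        listener.setblocking(False)
        subprocess.run([sys.executable, "-c", APP, path, str(connect_delay), mode],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        time.sleep(linger)                         # models appending "; sleep 1"
        try:
            conn, _ = listener.accept()            # did the child connect in time?
            conn.close()
            return True
        except BlockingIOError:
            return False                           # no channel open: session ends
        finally:
            listener.close()

if __name__ == "__main__":
    print("fork, no linger :", session_survives("fork", 0.5))
    print("no fork         :", session_survives("nofork", 0.5))
    print("fork + linger   :", session_survives("fork", 0.5, linger=1.5))
```

The forking case loses the race because the command has already returned when the child tries to connect; not forking, or keeping the command alive a little longer, lets the connection open first.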