Bug 843

Summary: Sudo doesn't work for user apache
Product: Sudo
Reporter: Attila <bugs.kde.attila>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: high
Priority: low
Version: 1.8.23
Hardware: PC
OS: Linux

Description Attila 2018-07-26 01:00:36 MDT
Description of problem:

The user apache can't do "sudo -u myuser command ..." since version 1.8.23-1 of sudo.

Version-Release number of selected component (if applicable):

sudo-1.8.23-1.fc27.x86_64.rpm, Fedora27

How reproducible:

Steps to Reproduce:
1. Create a cgi-script which is able to execute "sudo -u myuser command ..."
2. Call that cgi-script via http-request

Actual results:

sudo can't switch to user "myuser"

Expected results:

sudo should switch to user "myuser" and execute the command

Additional info:

There are entries in /var/log/httpd/ssl_error_log like:

[Wed Jul 25 10:43:57.268043 2018] [cgi:error] [pid 3960] [client xxx.xxx.x.xx:43950] AH01215: sudo: Account or password is expired, reset your password and try again:

[Wed Jul 25 10:43:57.268277 2018] [cgi:error] [pid 3960] [client xxx.xxx.x.xx:43950] AH01215: sudo: unable to change expired password: Authentication token manipulation error:


and entries in /var/log/secure like:

Jul 25 10:43:57 sql02 sudo[4380]: pam_unix(sudo:chauthtok): conversation failed

Jul 25 10:43:57 sql02 sudo[4380]: pam_unix(sudo:chauthtok): password - (old) token not obtained

Jul 25 10:43:57 sql02 sudo[4380]:  apache : unable to change expired password: Authentication token manipulation error

All these entries are in German. Sorry for that.

We downgraded to sudo version 1.8.21p2-1 and all is working as expected.
Comment 1 Todd C. Miller 2018-07-26 05:46:08 MDT
This is probably fallout from the following change in 1.8.23.

 * PAM account management modules and BSD auth approval modules are
   now run even when no password is required.
Comment 2 Todd C. Miller 2018-07-26 06:01:35 MDT
Can you verify that the maximum password age field for user apache in /etc/shadow is a large number like 99999?  I would expect the shadow entry to be similar to the following:

apache:*:16553:0:99999:7:::

The third field will be different on your system.
Comment 3 Attila 2018-07-26 07:43:09 MDT
(In reply to Todd C. Miller from comment #2)
> Can you verify that the maximum password age field for user apache
> in /etc/shadow is a large number like 99999?  I would expect the
> shadow entry to be similar to the following:
> 
> apache:*:16553:0:99999:7:::
> 
> The third field will be different on your system.

Yes it is 99999.
The shadow entry is: apache:!!:0:0:99999:7:::

As I mentioned, everything was fine for many years. The only thing that has changed was the version of sudo from 1.8.21p2-1 to 1.8.23-1.
A downgrade to 1.8.21p2-1 doesn't touch the entry for apache in /etc/shadow and it works as expected.
Comment 4 Todd C. Miller 2018-07-26 07:58:06 MDT
The difference is that sudo 1.8.23 now runs pam account management even when a password was not required.  In your use case this is returning an error for some reason.
Comment 5 Attila 2018-07-26 08:10:56 MDT
(In reply to Todd C. Miller from comment #4)
> The difference is that sudo 1.8.23 now runs pam account management
> even when a password was not required.  In your use case this is
> returning an error for some reason.

What can I do to avoid this error?
Is there a chance to fix it?
In my opinion it is not unusual to use sudo for a user like apache without a password, is it? I think it will affect many users sooner or later.
Does it make any sense to run pam account management when no password is required?
Comment 6 Todd C. Miller 2018-07-26 10:19:10 MDT
The problem is that the "last changed" field for user apache is 0 and so PAM will require that the password be changed.

If you change that to, e.g.

apache:!!:17738:0:99999:7:::

sudo should work as you expect.

I'm surprised the account was created with a "last changed" field of 0.  When I install apache on Fedora that field gets filled in.

I'll look into changing sudo such that this PAM error gets ignored for sudoers entries that don't require authentication.
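The condition Todd describes above (the "last changed" field of 0, which pam_unix's account-management step turns into a forced password change that a non-interactive sudo cannot complete) can be checked for every account before upgrading. The script below is an added example, not code from sudo, Linux-PAM or this bug report. It assumes the check order of pam_unix's account module as found in Linux-PAM (account expiry first, then lastchg == 0, then the max/inact ages); the shadow entries it runs on are constructed, with placeholder hashes, and day 17738 is 2018-07-26 as in comment 6.

```sh
#!/bin/sh
# Added example, not code from sudo, Linux-PAM or this bug report.
# Classifies shadow(5) entries the way pam_unix's account-management step
# does (assumed to mirror check_shadow_expiry() in Linux-PAM), so you can see
# which accounts sudo >= 1.8.23 will push into a password change even for a
# NOPASSWD rule.
#
# shadow(5) layout, ages in days since the epoch:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# An empty numeric field means "not set"; pam_unix treats it as -1.

# shadow_pam_status ENTRY TODAY
# Prints the PAM account result pam_unix would return for ENTRY on day TODAY:
#   account-expired       -> PAM_ACCT_EXPIRED
#   new-authtok-required  -> PAM_NEW_AUTHTOK_REQD (sudo then calls pam_chauthtok,
#                            which fails without a terminal: "conversation failed")
#   authtok-expired       -> PAM_AUTHTOK_EXPIRED (change no longer allowed)
#   ok                    -> PAM_SUCCESS
shadow_pam_status() {
    IFS=: read -r name hash lastchg min max warn inact expire rest <<EOF
$1
EOF
    today=$2
    lastchg=${lastchg:--1}; max=${max:--1}; inact=${inact:--1}; expire=${expire:--1}

    # 1. Account expiry date (8th field) takes precedence over everything.
    if [ "$expire" -ne -1 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # 2. lastchg == 0 means "password must be changed at next login".
    #    This is the apache entry from the report: apache:!!:0:0:99999:7:::
    if [ "$lastchg" -eq 0 ]; then
        echo new-authtok-required; return 0
    fi
    # 3. A change date in the future is tolerated.
    if [ "$today" -lt "$lastchg" ]; then
        echo ok; return 0
    fi
    age=$((today - lastchg))
    # 4. Beyond max age plus the inactivity grace: the password can no longer
    #    be changed at all.
    if [ "$max" -ne -1 ] && [ "$inact" -ne -1 ] && [ "$age" -gt $((max + inact)) ]; then
        echo authtok-expired; return 0
    fi
    # 5. Beyond max age only: a change is required but still possible.
    if [ "$max" -ne -1 ] && [ "$age" -gt "$max" ]; then
        echo new-authtok-required; return 0
    fi
    echo ok
}

# shadow_audit TODAY < shadow-file
# Prints "user status" for every entry that would not pass pam_unix account
# management, e.g.:  shadow_audit "$(( $(date +%s) / 86400 ))" < /etc/shadow
shadow_audit() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        result=$(shadow_pam_status "$line" "$1")
        [ "$result" = ok ] || printf '%s %s\n' "${line%%:*}" "$result"
    done
}

# Stand-alone demo on constructed entries; 17738 is 2018-07-26, the day the
# report was filed. Hashes are placeholders, not real password hashes.
shadow_audit 17738 <<'EOF'
apache:!!:0:0:99999:7:::
fixed-apache:!!:17738:0:99999:7:::
svc:*:16553:0:99999:7:::
stale:$6$placeholder:17600:0:90:7:::
dead:$6$placeholder:17000:0:90:7:30::
gone:*:17000:0:99999:7::17500:
EOF
```

Reading the real /etc/shadow needs root. The first sample line is the reporter's entry and comes back as new-authtok-required; the second is Todd's corrected entry and passes. Setting the last-change date with `chage -d "$(date +%F)" apache` has the same effect as the manual edit in comment 6 and keeps the file's format intact. Only pam_unix is modelled here; accounts served by other account modules (pam_sss, pam_ldap and the like) have their own rules, and the sudo 1.8.24/1.8.27 changes mentioned later in the thread only apply when the sudoers rule itself does not require authentication.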
Comment 7 Attila 2018-07-27 02:39:52 MDT
(In reply to Todd C. Miller from comment #6)
> The problem is that the "last changed" field for user apache is 0
> and so PAM will require that the password be changed.
> 
> If you change that to, e.g.
> 
> apache:!!:17738:0:99999:7:::
> 
> sudo should work as you expect.
>

Hi,

I have changed the entry in /etc/shadow to

apache:!!:17738:0:99999:7:::

and updated sudo to version 1.8.23-1. That's it. It works again as I expect.

> I'm surprised the account was created with a "last changed" field of
> 0.  When I install apache on Fedora that field gets filled in.
>

I think I can explain that. My Fedora 27 isn't an installation from scratch. I prefer the "dnf system-upgrade ..." procedure to make life easier. The entry was different in earlier versions of Fedora, and it seems that "dnf system-upgrade" doesn't update the entry for apache.

> I'll look into changing sudo such that this PAM error gets ignored
> for sudoers entries that don't require authentication.

Thank you very much for your excellent support and cooperation.
Comment 8 Todd C. Miller 2018-07-27 09:32:34 MDT
I have also committed a change that will appear in sudo 1.8.24 to ignore these errors if sudoers does not require the user to authenticate.
Comment 9 Todd C. Miller 2018-08-18 13:27:49 MDT
Fixed in sudo 1.8.24, available now.
Comment 10 Todd C. Miller 2018-12-07 09:53:20 MST
The fix for this bug was incomplete.  If the user account is expired sudo will still fail with a (different) error.

This is addressed by https://www.sudo.ws/repos/sudo/rev/656aa910fbaf which will be included in sudo 1.8.27.