Bug 908

Summary: SUDO_ASKPASS is broken
Product: Sudo
Component: Sudo
Status: RESOLVED FIXED
Severity: normal
Priority: normal
Version: 1.8.29
Hardware: All
OS: Linux
Reporter: Steven <steven>
Assignee: Todd C. Miller <Todd.Miller>
CC: steven
Attachments: Patch to restore limits

Description Steven 2019-11-11 11:20:31 MST
Since 1.8.29, SUDO_ASKPASS stopped working. `SUDO_ASKPASS=/path/to/askpass sudo -A true` now fails with "sudo: no password was provided".
Comment 1 Todd C. Miller 2019-11-11 11:40:34 MST
It works for me here.  What was the previous version of sudo where SUDO_ASKPASS worked for you?
Comment 2 Todd C. Miller 2019-11-11 11:54:54 MST
It would also be helpful to know what Linux distro you are running and whether you are using the vendor-supplied sudo package, one from www.sudo.ws or whether you built sudo from source.
Comment 3 Steven 2019-11-11 13:45:45 MST
OS: Arch Linux
Last working version: 1.8.28.p1
Kernel: linux-hardened (any version)

I've:

* recompiled
* tested it in an Arch docker image (inside docker)

However, I've now tried testing it inside an Arch docker image using docker-machine (i.e., inside a _different_ VM) and it works.

Running sudo with strace, I think I've found the issue:

clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLDstrace: Process 101131 attached
, child_tidptr=0x6164972ffa10) = 101131
[pid 101121] close(5)                   = 0
[pid 101121] read(4,  <unfinished ...>
[pid 101131] set_robust_list(0x6164972ffa20, 24) = 0
[pid 101131] getpid()                   = 101131
[pid 101131] dup2(5, 1)                 = 1
[pid 101131] setuid(0)                  = 0
[pid 101131] setgid(1000)               = 0
[pid 101131] setuid(1000)               = 0
[pid 101131] openat(AT_FDCWD, "/proc/self/fd", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 6
[pid 101131] fstat(6, {st_mode=S_IFDIR|0500, st_size=0, ...}) = 0
[pid 101131] brk(0xdb46d7bc000)         = 0xdb46d7bc000
[pid 101131] getdents64(6, /* 9 entries */, 32768) = 216
[pid 101131] close(3)                   = 0
[pid 101131] close(4)                   = 0
[pid 101131] close(5)                   = 0
[pid 101131] getdents64(6, /* 0 entries */, 32768) = 0
[pid 101131] close(6)                   = 0
[pid 101131] execve("/usr/bin/sudo-askpass", ["/usr/bin/sudo-askpass", "\33[00;38;05;9m[steb -> root] >>>\33"...], 0x74d05fa80b50 /* 27 vars */) = -1 ENOMEM (Cannot allocate memory)
[pid 101131] --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=NULL} ---
[pid 101131] +++ killed by SIGSEGV +++
<... read resumed>"", 1)                = 0
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=101131, si_uid=1000, si_status=SIGSEGV, si_utime=0, si_stime=0} ---
Comment 4 Steven 2019-11-11 14:46:24 MST
Created attachment 535
Patch to restore limits
Comment 5 Steven 2019-11-11 14:48:34 MST
Turns out we need to restore the limits before execing the askpass program. This was causing a crash on my system because, for some reason, my system can't exec when the maximum stack size is set to unlimited.
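The save/raise/restore pattern described in Comment 5, as an added example (not the attached patch and not sudo's own code): a parent that raised its stack limit for its own use puts the saved limit back in the child before the helper is executed. The function names are hypothetical, and so the result can be checked the child reports its limit over a pipe at the point where execve() would be called.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

static struct rlimit saved_stack;   /* limit the invoking user started with */

/* Remember the inherited limit, then raise the soft limit to the hard one. */
int raise_stack_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &saved_stack) == -1) return -1;
    rl = saved_stack;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_STACK, &rl);
}

int restore_stack_limit(void) { return setrlimit(RLIMIT_STACK, &saved_stack); }

/* Fork a helper and store in *out the soft stack limit it would carry into
 * execve() (resource limits are preserved across exec). Returns 0 on success. */
int helper_stack_limit(int restore_first, rlim_t *out) {
    int fds[2], status;
    ssize_t n;
    pid_t pid;
    if (pipe(fds) == -1) return -1;
    if ((pid = fork()) == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        struct rlimit rl;
        close(fds[0]);
        if (restore_first && restore_stack_limit() == -1) _exit(1);
        if (getrlimit(RLIMIT_STACK, &rl) == -1) _exit(1);
        /* A real launcher would call execve() on the helper program here. */
        n = write(fds[1], &rl.rlim_cur, sizeof(rl.rlim_cur));
        _exit(n == (ssize_t)sizeof(rl.rlim_cur) ? 0 : 1);
    }
    close(fds[1]);
    n = read(fds[0], out, sizeof(*out));
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (n == (ssize_t)sizeof(*out) && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    rlim_t kept, leaked;
    if (raise_stack_limit() || helper_stack_limit(1, &kept) || helper_stack_limit(0, &leaked)) return 1;
    printf("restored: %llu  not restored: %llu\n", (unsigned long long)kept, (unsigned long long)leaked);
    return 0;
}
```

Without the restore, the helper starts with the raised limit rather than the one the user's session had.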
Comment 6 Todd C. Miller 2019-11-11 16:06:18 MST
Thanks, I was about to ask you to try a similar diff that I had.
Comment 7 Todd C. Miller 2019-12-31 15:07:24 MST
Fixed in sudo 1.8.30