Bug 936

Summary: missing sudoers_audit in sudoers.so
Product: Sudo
Reporter: kloczek <kloczko.tomasz>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.9.2   
Hardware: PC   
OS: Other   

Description kloczek 2020-07-26 07:13:15 MDT
Looks like sudo is not LTO compliant because after building sudo with LTO it fails with a missing symbol:

$ sudo -Hi
sudo: error in /etc/sudo.conf, line 16 while loading plugin "sudoers_audit"
sudo: unable to find symbol "sudoers_audit" in sudoers.so
sudo: fatal error, unable to load plugins
Comment 1 kloczek 2020-07-26 08:06:00 MDT
Actually looks like this has nothing to do with LTO and there is no such symbol in plugins/audit_json/audit_json.c and plugins/audit_json/audit_json.exp exports only audit_json.
Comment 2 Todd C. Miller 2020-07-26 13:37:06 MDT
I think you may be confused by the fact that there are now multiple audit plugins.

The audit_json.so plugin exports the audit_json symbol

The sudoers.so plugin exports the sudoers_audit symbol

There was a bug in sudo 1.9.1 where the sudoers_audit symbol was missing from plugins/sudoers/sudoers.exp but that was fixed in sudo 1.9.2.

I built sudo 1.9.2 on Ubuntu 20.04 with "gcc -flto" and it worked fine for me.
Comment 3 Todd C. Miller 2020-08-10 13:38:08 MDT
If this is still a problem, can you provide more details about what OS you are running, which compiler and what the compiler options are?  Also, any Plugin lines from your sudo.conf file if you have one.
Comment 4 kloczek 2020-10-04 05:18:30 MDT
> Actually looks like this has nothing to do with LTO and there is no such symbol in plugins/audit_json/audit_json.c and plugins/audit_json/audit_json.exp exports only audit_json.

OK. So I still cannot figure out why sudo compiled by me fails with the reported message.

Do you have any idea under what kind of conditions this may happen?

I don't see anything like a sudoers_audit plugin in my own package, and I don't see anything like that in the Fedora package either.

$ rpm -qlv sudo | grep so$
-rw-r--r--    1 root     root                    64784 Oct  4 12:11 /usr/lib64/modules/sudo/audit_json.so
-rw-r--r--    1 root     root                    34080 Oct  4 12:11 /usr/lib64/modules/sudo/group_file.so
-rw-r--r--    1 root     root                    28344 Oct  4 12:11 /usr/lib64/modules/sudo/sample_approval.so
-rw-r--r--    1 root     root                  2173992 Oct  4 12:11 /usr/lib64/modules/sudo/sudoers.so
-rw-r--r--    1 root     root                    24216 Oct  4 12:11 /usr/lib64/modules/sudo/system_group.so
-rw-r--r--    1 root     root                    28944 Oct  4 12:11 /usr/libexec/sudo/sudo_noexec.so
Comment 5 kloczek 2020-10-04 05:27:44 MDT
Even stranger is that in the strace output I don't see that sudo is trying to download any loadable module:

[root@barrel etc]# strace -fe trace=file sudo -Hi
execve("/usr/bin/sudo", ["sudo", "-Hi"], 0x7ffe5f3e1238 /* 26 vars */) = 0
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/haswell/avx512_1/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/haswell/avx512_1/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/haswell/avx512_1/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/haswell/avx512_1", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/haswell/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/haswell/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/haswell/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/haswell", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/avx512_1/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/avx512_1/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/avx512_1/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/avx512_1", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/tls/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/tls", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/haswell/avx512_1/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/haswell/avx512_1/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/haswell/avx512_1/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/haswell/avx512_1", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/haswell/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/haswell/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/haswell/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/haswell", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/avx512_1/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/avx512_1/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/avx512_1/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/avx512_1", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/x86_64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo/x86_64", 0x7fff957c80f0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libselinux.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
stat("/usr/lib64/modules/sudo", {st_mode=S_IFDIR|0755, st_size=166, ...}) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libutil.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libutil.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libsudo_util.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libsudo_util.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/sudoers.so", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libaudit.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libpthread.so.0", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/modules/sudo/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpcre2-8.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcrypto.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libldap_r-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libcap-ng.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/proc/sys/crypto/fips_enabled", O_RDONLY) = 3
access("/etc/system-fips", F_OK)        = -1 ENOENT (No such file or directory)
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
statfs("/sys/fs/selinux", {f_type=SELINUX_MAGIC, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={val=[0, 0]}, f_namelen=255, f_frsize=4096, f_flags=ST_VALID|ST_RELATIME}) = 0
access("/etc/selinux/config", F_OK)     = 0
openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 3
stat("/etc/sudo.conf", {st_mode=S_IFREG|0644, st_size=4003, ...}) = 0
openat(AT_FDCWD, "/etc/sudo.conf", O_RDONLY) = 3
stat("/etc/sudo.conf", {st_mode=S_IFREG|0644, st_size=4003, ...}) = 0
openat(AT_FDCWD, "/etc/sudo.conf", O_RDONLY) = 3
openat(AT_FDCWD, "/dev/tty", O_RDWR)    = 3
openat(AT_FDCWD, "/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libnss_sss.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/var/lib/sss/mc/passwd", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/proc/sys/kernel/ngroups_max", O_RDONLY) = 5
getcwd("/etc", 4096)                    = 5
openat(AT_FDCWD, "/proc/self/stat", O_RDONLY|O_NOFOLLOW) = 5
stat("/dev/console", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x5, 0x1), ...}) = 0
stat("/dev/pts/18", {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0x12), ...}) = 0
openat(AT_FDCWD, "/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 5
openat(AT_FDCWD, "/usr/share/locale/en_GB.UTF-8/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_GB.utf8/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en_GB/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.UTF-8/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en.utf8/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/share/locale/en/LC_MESSAGES/sudo.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
sudo: error in /etc/sudo.conf, line 16 while loading plugin "sudoers_audit"
sudo: unable to find symbol "sudoers_audit" in sudoers.so
sudo: fatal error, unable to load plugins
+++ exited with 1 +++
Comment 6 Todd C. Miller 2020-10-04 06:06:25 MDT
sudoers.so implements a policy plugin (symbol sudoers_policy), an I/O logging plugin (symbol sudoers_io) and an audit plugin (sudoers_audit).

You haven't included the configure arguments you're using when building sudo which makes it difficult to help you.  There was a bug prior to sudo 1.9.3 where if you built the sudoers plugin statically (via the --enable-static-sudoers configure option), sudoers_audit was not found.

Without more details of how you are building sudo there isn't much I can do.
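
Added example, not part of the original thread or of sudo itself: a small checker that cross-references each Plugin line in sudo.conf (symbol name, then plugin path) against the symbols the plugin file exports, reporting the sudo.conf line number the way the error message above does. The sample sudo.conf fragment and nm output are constructed; the function names are hypothetical, and the check covers plugins loaded as shared objects only, not a sudoers plugin built with --enable-static-sudoers.

```python
import subprocess

# Constructed sample input: a sudo.conf fragment and `nm -D --defined-only`
# style output in which sudoers.so lacks the sudoers_audit export.
SAMPLE_CONF = """\
# constructed sudo.conf fragment
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
Plugin sudoers_audit sudoers.so
Plugin audit_json audit_json.so
"""
SAMPLE_NM = {
    "sudoers.so": "0000000000012300 D sudoers_policy\n0000000000012340 D sudoers_io\n",
    "audit_json.so": "0000000000004100 D audit_json\n",
}

def plugin_lines(conf_text):
    """Yield (line_number, symbol, path) for every Plugin line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 3 and fields[0].lower() == "plugin":
            yield lineno, fields[1], fields[2]

def exported(nm_output):
    """Return the defined symbol names found in nm output."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] != "U":
            names.add(fields[2].split("@")[0])  # strip any symbol version suffix
    return names

def nm_dynamic(path):
    """Read a real plugin's dynamic symbols (needs binutils). A relative
    path must first be joined with the plugin directory by the caller."""
    return subprocess.run(["nm", "-D", "--defined-only", path],
                          capture_output=True, text=True, check=True).stdout

def missing_symbols(conf_text, nm_for=nm_dynamic):
    """List (line_number, symbol, path) entries the plugin does not export."""
    cache, problems = {}, []
    for lineno, symbol, path in plugin_lines(conf_text):
        if path not in cache:
            cache[path] = exported(nm_for(path))
        if symbol not in cache[path]:
            problems.append((lineno, symbol, path))
    return problems

if __name__ == "__main__":
    for lineno, symbol, path in missing_symbols(SAMPLE_CONF, SAMPLE_NM.__getitem__):
        print(f'line {lineno}: symbol "{symbol}" not exported by {path}')
```
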
Comment 7 kloczek 2020-10-04 06:10:14 MDT
I just tested that using exactly the same build procedure, which configures the source code using:

%build
autoreconf -fiv
%configure \
        --disable-root-mailer \
        --disable-rpath \
        --disable-static \
        --enable-static-sudoers \
        --enable-tmpfiles.d=%{_tmpfilesdir} \
        --with-editor=%{_bindir}/vi \
        --with-env-editor \
        --with-ignore-dot \
        --with-ldap \
        --with-linux-audit \
        --with-logfac=authpriv \
        --with-logging=syslog \
        --with-pam \
        --with-pam-login \
        --with-passprompt="[sudo] password for %p: " \
        --with-plugindir=%{_libdir}/modules/sudo \
        --with-selinux \
        --with-sendmail=%{_prefix}/lib/sendmail \
        --with-sssd \
        --with-tty-tickets \
        %{nil}
%make_build

1.9.1 is OK and 1.9.2 binaries fail with the messages reported at the beginning.
Comment 8 Todd C. Miller 2020-10-04 06:14:28 MDT
Sudo 1.9.3 should work for you.  Or you could apply the following change as a patch: https://www.sudo.ws/repos/sudo/rev/f0bd4b5cd7b3
Comment 9 kloczek 2020-10-04 06:29:39 MDT
OK I've just tested 1.9.3p1 and looks like everything is OK now.

Thx :)