Bug 960

Summary: Upon upgrading TCMsudo on solaris 10 to version 1.9.5p2,fails
Product: Sudo Reporter: BastJ
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: high CC: mehmetgelisin
Priority: low    
Version: 1.9.5   
Hardware: Sun   
OS: Solaris 2.x   
Attachments: full /etc/sudoers fiile

Description BastJ 2021-02-05 12:26:00 MST 
After upgrading, a user types sudo su -,  errors saying user not found.
It's like as if this version is not looking at the /etc/sudoers file.

root # sudo su -
Feb  5 13:24:40 uxtst204 sudo: [ID 183074 auth.alert]     root : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/usr/bin/su -
root is not in the sudoers file.  This incident will be reported.

I upgraded from 1.8.22.   If I pkgrm, then pkgadd the old version it works fine.
Comment 1 Todd C. Miller 2021-02-05 14:15:09 MST 
Unfortunately, I no longer have a Solaris 10 SPARC system to test on so the SPARC packages are cross-compiled.  It is possible that there is a configure-related issue when cross-compiling (the Solaris 10 Intel package does work).

I can use the gcc compile farm infrastructure to build Solaris 10/SPARC packages, which is what I do for Solaris 11.  Can you try one of the following packages and see if it works for you?

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-1.9.5p2-sol10.sparc.pkg.gz

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-ldap-1.9.5p2-sol10.sparc.pkg.gz
Comment 2 BastJ 2021-02-05 14:22:25 MST 
Not has same issue.

Interesting though, I downloaded the CSWsudo from Opencsw and that works fine.  it's version 1.9.4
Comment 3 Todd C. Miller 2021-02-05 14:28:51 MST 
Strange.  Just to verify, here are the md5 checksums for the updated versions:

TCMsudo-1.9.5p2-sol10.sparc.pkg.gz       f9159d5bb8ae6cba03a50155db3dd068
TCMsudo-ldap-1.9.5p2-sol10.sparc.pkg.gz  0908bcb5d4bc82d73aafdb9c90dec322
Comment 4 Todd C. Miller 2021-02-05 14:34:07 MST 
If you were using the Opencsw version of sudo it probably has a different path to the sudoers file.  The TCMsudo packages from sudo.ws use /etc/sudoers, not /opt/csw/etc/sudoers.  Maybe that is the problem?
Comment 5 BastJ 2021-02-05 15:16:00 MST 
I was always using your TCMsudo with /etc/sudoers

Checksums match my downloaded files
Comment 6 BastJ 2021-02-05 15:23:34 MST 
How is the path to /etc/sudoers configured?  it seems that this version is not using the /etc/sudoeres file, thus indicating my userid is not in the sudoers file, but in fact it is...

uxtst204:/opt/toolbox/admin/c01393
root # su - c01393
-bash-3.2$ /usr/local/bin/sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Enter the password for c01393 :
c01393 is not in the sudoers file.  This incident will be reported.
Feb  5 16:21:36 uxtst204 sudo: [ID 183074 auth.alert]   c01393 : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/home/c01393 ; USER=root ; COMMAND=/usr/bin/su -
-bash-3.2$
Comment 7 BastJ 2021-02-05 15:25:02 MST 
Checking the /etc/sudoers file, my id is in there

root # grep c01393 /etc/sudoers
User_Alias GROUP_SUDO_IT_HPS_UNIX_TEAM=d31695,k68297,v98856,j06440,c84521,c01393,v00513,v14703,c05177,v02851
Comment 8 Todd C. Miller 2021-02-05 15:35:39 MST 
If you run "sudo -V | grep "Sudoers path" it should show:

Sudoers path: /etc/sudoers
Comment 9 BastJ 2021-02-06 10:25:47 MST 
uxtst204:/
root # pkginfo TCMsudo
application TCMsudo sudo 1.9.5p2

uxtst204:/
root # sudo -V | grep "Sudoers path"
Sudoers path: /etc/sudoers

uxtst204:/
root # sudo su -
root is not in the sudoers file.  This incident will be reported.

uxtst204:/
root # su - c01393

-bash-3.2$ /usr/local/bin/sudo su -
Enter the password for c01393 :
c01393 is not in the sudoers file.  This incident will be reported.
Feb  6 11:20:45 uxtst204 last message repeated 1 time
Feb  6 11:22:00 uxtst204 sudo: [ID 183074 auth.alert]   c01393 : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/home/c01393 ; USER=root ; COMMAND=/usr/bin/su -
Comment 10 BastJ 2021-02-06 10:46:16 MST 
In the sudo -V output, there are some differences in the following, but not sure if that is the issue?

uxtst203:/
root # sudo -V
Sudo version 1.8.22
Configure options: --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --build=i386-pc-solaris2.11 --host=sparc-sun-solaris2.10 --with-project --disable-tmpfiles.d
Sudoers policy plugin version 1.8.22
Sudoers file grammar version 46

Sudoers path: /etc/sudoers


uxtst204:/
root # sudo -V
Sudo version 1.9.5p2
Configure options: --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --enable-warnings --disable-hardening --enable-package-build --with-project --disable-tmpfiles.d
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Comment 11 Todd C. Miller 2021-02-08 13:02:40 MST 
I don't see any configure options that would explain the difference in behavior.  I could try building sudo with the Solaris compiler instead of gcc but that shouldn't really make a difference.

You can enable the debug log in /etc/sudo.conf which may give some insight into what is going wrong.

The following in /etc/sudo.conf will log a lot of details:

Debug sudoers.so /var/log/sudoers_debug all@debug

Whereas the following will only log things related to matching in sudoers (which is probably all you need)

Debug sudoers.so /var/log/sudoers_debug match@debug

In addition to logging the function calls there will be info on user and command matches in the log file.  E.g.

user millert matches sudoers user millert: true @ userpw_matches()
...
user command "/usr/bin/id" matches sudoers command "/bin/ksh", chroot /var/www: false @ command_matches()
Comment 12 BastJ 2021-02-08 13:22:59 MST 
Here's what the log is showing.

uxtst204:/var/log
root # cat sudoers_debug
Feb  8 14:20:24 sudo[14141] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:24 sudo[14141] <- runas_getgroups @ ./match.c:141 := 6c748
Feb  8 14:20:24 sudo[14141] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:24 sudo[14141] <- runas_getgroups @ ./match.c:141 := 6c748
Feb  8 14:20:24 sudo[14141] -> userlist_matches @ ./match.c:119
Feb  8 14:20:24 sudo[14141] -> user_matches @ ./match.c:75
Feb  8 14:20:24 sudo[14141] -> userlist_matches @ ./match.c:119
Feb  8 14:20:24 sudo[14141] -> user_matches @ ./match.c:75
Feb  8 14:20:24 sudo[14141] -> userpw_matches @ ./match.c:454
Feb  8 14:20:24 sudo[14141] user root matches sudoers user dummy: false @ userpw_matches() ./match.c:470
Feb  8 14:20:24 sudo[14141] <- userpw_matches @ ./match.c:471 := false
Feb  8 14:20:24 sudo[14141] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:24 sudo[14141] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:24 sudo[14141] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:24 sudo[14141] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:58 sudo[14355] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:58 sudo[14355] <- runas_getgroups @ ./match.c:141 := 6c6b8
Feb  8 14:20:58 sudo[14355] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:58 sudo[14355] <- runas_getgroups @ ./match.c:141 := 6c6b8
Feb  8 14:20:58 sudo[14355] -> userlist_matches @ ./match.c:119
Feb  8 14:20:58 sudo[14355] -> user_matches @ ./match.c:75
Feb  8 14:20:58 sudo[14355] -> userlist_matches @ ./match.c:119
Feb  8 14:20:58 sudo[14355] -> user_matches @ ./match.c:75
Feb  8 14:20:58 sudo[14355] -> userpw_matches @ ./match.c:454
Feb  8 14:20:58 sudo[14355] user c01393 matches sudoers user dummy: false @ userpw_matches() ./match.c:470
Feb  8 14:20:58 sudo[14355] <- userpw_matches @ ./match.c:471 := false
Feb  8 14:20:58 sudo[14355] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:58 sudo[14355] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:58 sudo[14355] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:58 sudo[14355] <- userlist_matches @ ./match.c:125 := -1
Comment 13 BastJ 2021-02-17 07:37:08 MST 
Any updates on why this is occurring based on my output I sent?
Comment 14 Todd C. Miller 2021-02-17 14:30:37 MST 
That debug output makes it look like the only entry in /etc/sudoers is a rule for user "dummy".  When I create a sudoers file like the following:

User_Alias GROUP_SUDO_IT_HPS_UNIX_TEAM=d31695,k68297,v98856,j06440,c84521,c01393,v00513,v14703,c05177,v02851

GROUP_SUDO_IT_HPS_UNIX_TEAM ALL = ALL

I see debug output like:

Feb 17 16:23:34 sudo[776] -> runas_getgroups @ ./match.c:132
Feb 17 16:23:34 sudo[776] <- runas_getgroups @ ./match.c:141 := 0x80966d8
Feb 17 16:23:34 sudo[776] -> userlist_matches @ ./match.c:119
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userlist_matches @ ./match.c:119
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v02851: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user c05177: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v14703: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v00513: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user c01393: true @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := true
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := 1
Feb 17 16:23:34 sudo[776] <- userlist_matches @ ./match.c:125 := 1
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := 1
Feb 17 16:23:34 sudo[776] <- userlist_matches @ ./match.c:125 := 1
Feb 17 16:23:34 sudo[776] -> hostlist_matches_int @ ./match.c:294
Feb 17 16:23:34 sudo[776] -> host_matches @ ./match.c:328
Feb 17 16:23:34 sudo[776] <- host_matches @ ./match.c:360 := 1
Feb 17 16:23:34 sudo[776] <- hostlist_matches_int @ ./match.c:301 := 1
Feb 17 16:23:34 sudo[776] -> runaslist_matches @ ./match.c:161
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user root matches sudoers user root: true @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := true
Feb 17 16:23:34 sudo[776] <- runaslist_matches @ ./match.c:167 := 1
Feb 17 16:23:34 sudo[776] -> cmnd_matches @ ./match.c:395
Feb 17 16:23:34 sudo[776] <- cmnd_matches @ ./match.c:419 := 1

You can see each user in the alias being compared in the debug log above.  I would expect to see something similar from your system.
Comment 15 BastJ 2021-02-17 15:02:06 MST 
I do have a valid /etc/sudoers file that is working fin on the older version of sudo.  My /etc/sudoers file has 2,645 lines in it
Comment 16 BastJ 2021-02-17 15:08:23 MST 
Ok, so I created a new /etc/sudoers and put just what you had in it..  And it seems to get the results you expect.    Could it be something in the /etc/sudoers file thats causing the issue?
Comment 17 BastJ 2021-02-17 15:10:29 MST 
Feb 17 16:05:52 sudo[5359] -> runas_getgroups @ ./match.c:132
Feb 17 16:05:52 sudo[5359] <- runas_getgroups @ ./match.c:141 := 4d9f0
Feb 17 16:05:52 sudo[5359] -> runas_getgroups @ ./match.c:132
Feb 17 16:05:52 sudo[5359] <- runas_getgroups @ ./match.c:141 := 4d9f0
Feb 17 16:05:52 sudo[5359] -> userlist_matches @ ./match.c:119
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userlist_matches @ ./match.c:119
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v02851: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c05177: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v14703: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v00513: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c01393: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c84521: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user j06440: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v98856: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user k68297: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user d31695: false @ userpw_match
es() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] <- userlist_matches @ ./match.c:125 := -1
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] <- userlist_matches @ ./match.c:125 := -1
Comment 18 BastJ 2021-02-17 15:19:31 MST 
Logged in as c01393, I get the match in the debug.

Feb 17 16:13:14 sudo[5743] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:13:14 sudo[5743] <- user_matches @ ./match.c:106 := -1
Feb 17 16:13:14 sudo[5743] -> user_matches @ ./match.c:75
Feb 17 16:13:14 sudo[5743] -> userpw_matches @ ./match.c:454
Feb 17 16:13:14 sudo[5743] user c01393 matches sudoers user c01393: true @ userpw_matc
hes() ./match.c:470

So now with my full /etc/sudoers in place it's back to dummy again...

Feb 17 16:17:02 sudo[5860] user c01393 matches sudoers user dummy: false @ userpw_matc
hes() ./match.c:470

Could you look at my full /etc/sudoers to see if theres an invalid entry causing an issue with this specific new version of sudo?
Comment 19 BastJ 2021-02-17 15:21:25 MST 
Created attachment 551 [details]
full /etc/sudoers fiile

Please review the file to determine why it is resulting in dummy false matches
Comment 20 Todd C. Miller 2021-02-17 15:33:49 MST 
I can reproduce the problem with your full sudoers file, thanks.  I should be able to debug the problem now.
Comment 21 Todd C. Miller 2021-02-17 17:23:18 MST 
There was a bug in the emulation of the getdelim() function on older systems that lack it.  The bug only showed up when reading files with lines larger than around 2047 bytes.

This is fixed by https://www.sudo.ws/repos/sudo/rev/d6dd6893b38a

It only affected the Solaris 10 and HP-UX packages--all the others have a native getdelim() function.

I've rebuilt the affected 1.9.5p2 packages with the fix, e.g.

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-1.9.5p2-sol10.sparc.pkg.gz

MD5 checksum b37df223e0189d98b69eb2f1723ed577
Comment 22 BastJ 2021-02-18 11:57:08 MST 
Ok, thanks, testing on our systems now...  Looking good

-Jeff
Comment 23 BastJ 2021-02-18 11:58:34 MST 
Resolved