Bugzilla – Bug 1060
intercept causes password prompt on RHEL6
Last modified: 2023-11-06 11:18:43 MST
I know this is an old system, but we still have a couple of them left. I recently loaded this system with the prebuilt package for RHEL6 from www.sudo.ws. What happens is, when I add "Defaults intercept" to /etc/sudoers, all users are hit with a password prompt that doesn't work. In syslog I find:

Oct 24 06:56:41 system01 sudo: pam_unix(sudo:auth): conversation failed
Oct 24 06:56:41 system01 sudo: pam_unix(sudo:auth): auth could not identify password for [user01]
Oct 24 06:56:41 system01 sudo: user01 : command not allowed ; TTY=pts/3 ; PWD=/home/user01 ; USER=root ; COMMAND=/bin/su -

First I try it with intercept in effect:

[user01@system01 ~]$ sudo -l
Matching Defaults entries for user01 on system01:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="QTDIR KDEDIR", log_output, maxseq=100000, ignore_iolog_errors, log_subcmds, intercept

Runas and Command-specific defaults for user01:
    Defaults!/usr/bin/sudoreplay !log_output
    Defaults!REBOOT !log_output

User user01 may run the following commands on system01:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/diff, /usr/bin/lastlog, sudoedit, /bin/vi, /bin/rm, /bin/cp, /usr/bin/find, /sbin/chkconfig, /usr/bin/tail, /bin/ls *, /usr/sbin/vipw, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /usr/bin/chage, /usr/bin/passwd, /bin/cat, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/getfacl, /usr/bin/setfacl, /usr/sbin/visudo, /usr/sbin/pwconv, /bin/grep, /bin/mkdir, /bin/rmdir, /sbin/pam_tally2
[user01@system01 ~]$ sudo su -

We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

For security reasons, the password you type will not be visible.

[sudo] password for user01:
sudo: a password is required

Next I try it without intercept:

[user01@system01 ~]$ sudo -l
Matching Defaults entries for user01 on system01:
    env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="QTDIR KDEDIR", log_output, maxseq=100000, ignore_iolog_errors, log_subcmds

Runas and Command-specific defaults for user01:
    Defaults!/usr/bin/sudoreplay !log_output
    Defaults!REBOOT !log_output

User user01 may run the following commands on system01:
    (ALL) NOPASSWD: ALL
    (root) NOPASSWD: /usr/bin/diff, /usr/bin/lastlog, sudoedit, /bin/vi, /bin/rm, /bin/cp, /usr/bin/find, /sbin/chkconfig, /usr/bin/tail, /bin/ls *, /usr/sbin/vipw, /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel, /usr/sbin/groupadd, /usr/sbin/groupdel, /usr/sbin/groupmod, /usr/bin/chage, /usr/bin/passwd, /bin/cat, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/getfacl, /usr/bin/setfacl, /usr/sbin/visudo, /usr/sbin/pwconv, /bin/grep, /bin/mkdir, /bin/rmdir, /sbin/pam_tally2
[user01@system01 ~]$ sudo su -
[root@system01 ~]#

Now some info about the system:

[root@system01 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.10 (Santiago)
[root@system01 ~]# sudo -V
Sudo version 1.9.14p3
Configure options: --prefix=/usr --with-logging=syslog --with-logfac=authpriv --with-pam --enable-zlib=system --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-ldap --with-passprompt=[sudo] password for %p: --with-sendmail=/usr/sbin/sendmail --enable-warnings --cache-file=../config.cache --enable-package-build --with-selinux --with-linux-audit --with-pam-login --with-sssd --with-sssd-lib=/usr/lib64 --with-ldap-conf-file=/etc/sudo-ldap.conf --enable-openssl --enable-python --disable-tmpfiles.d
Sudoers policy plugin version 1.9.14p3
Sudoers file grammar version 50

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /var/run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety: TZ TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
Environment variables to remove: *=()* RUBYOPT RUBYLIB PYTHONUSERBASE PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG JAVA_TOOL_OPTIONS SHELLOPTS BASHOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS
Environment variables to preserve: KDEDIR QTDIR _XKB_CHARSET LC_* LINGUAS LANGUAGE LANG XDG_CURRENT_DESKTOP XAUTHORIZATION XAUTHORITY PS2 PS1 PATH LS_COLORS KRB5CCNAME HOSTNAME DISPLAY COLORS
Locale to use while parsing sudoers: C
Log the output of the command being run
Log the command's standard output if not connected to a terminal
Log the command's standard error if not connected to a terminal
Log the terminal output of the command being run
Compress I/O logs using zlib
Always run commands in a pseudo-tty
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 100000
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the I/O log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Enable SELinux RBAC support
Log sub-commands run by the original command
The largest size core dump file that may be created (in bytes): 0,0
Store plaintext passwords in I/O log input
List of regular expressions to use when matching a password prompt: [Pp]assword[: ]*
The mechanism used by the intercept and log_subcmds options: dso
Attempt to verify the command and arguments after execution
Local IP address and netmask pairs: 10.47.2.86/255.255.255.0 10.47.241.192/255.255.255.0 fe80::250:56ff:fe96:4337/ffff:ffff:ffff:ffff:: fe80::250:56ff:fe96:4338/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.9.14p3
Sudoers audit plugin version 1.9.14p3
[root@system01 ~]#
That's very strange, do you have the same problem with just "log_subcmds"? I was unable to reproduce this on a CentOS 6.5 VM but I'll try with 6.10 soon and see if that makes a difference.
/etc/sudo_logsvcd.conf is unmodified. Here is /etc/sudoers:

[root@system01 ~]# cat /etc/sudoers | grep -v '^#' | grep -v '^$'
Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
Defaults env_keep += "QTDIR KDEDIR"
Defaults log_output
Defaults:user02 !log_output
Defaults:user03 !log_output
Defaults:user04 !log_output
Defaults!/usr/bin/sudoreplay !log_output
Defaults!REBOOT !log_output
Defaults maxseq = 100000
Defaults ignore_iolog_errors
Defaults log_subcmds
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
[root@system01 ~]#

As I was trying to solve this I played with PAM. I even tried "auth sufficient pam_permit.so" in /etc/pam.d/sudo. That just resulted in three failed passwords without touching the keyboard.
Sorry, I didn't notice that CentOS 6 was using the DSO method of intercept. In this mode, sudo will refuse to run setuid binaries by default. If you add:

Defaults intercept_allow_setid

to your sudoers file then users should be able to run "sudo su -". By default, sudo will disallow running a setuid program in intercept mode when intercept_type is dso. This is because the dynamic loader will clear the LD_PRELOAD environment variable when a setuid program is executed, meaning that sudo's intercept mode cannot work for sub-commands of that setuid command. I was able to reproduce the problem you see with 1.9.14p3 where the user is prompted for a password that is never accepted. In sudo 1.9.15 the user is still prompted for a password but it is accepted normally. Unfortunately, there is currently no indication to the user why the command is rejected. It would probably be better to move the setuid check to be later so the user can receive a better error message than the generic "Sorry, user foo is not allowed to execute '/bin/su' as root on centos6".
Sudo 1.9.15 is now released which changes how setuid/setgid commands are rejected by sudo. Instead of being silently denied during the policy lookup, the check is now performed after the main policy check (which includes things like NOPASSWD handling). You now get an error that looks like this:

$ sudo su -
sudo: setid commands are not permitted in intercept mode

A search for "setid" in the sudoers manual will get you to the "intercept_allow_setid" setting. Hopefully that will make it easier to understand the cause of the rejection.
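The following is an added example, not code from the bug report or from the sudo project: it checks a sudoers file for the combination the maintainer describes above (intercept enabled, intercept_type dso, no intercept_allow_setid), which is what produced the unanswerable password prompt in the report. The sample sudoers content is constructed, modeled on the reporter's file; the dso fallback for intercept_type is taken from the reporter's sudo -V output.

```shell
#!/bin/sh
# Added example, not code from the bug report or the sudo project. Flags a
# sudoers file that enables "intercept" while intercept_type is dso and
# intercept_allow_setid is unset: the combination under which sudo rejects
# setuid commands such as /bin/su (silently in 1.9.14p3, with a message in 1.9.15).

# Read sudoers on stdin and print the three relevant global Defaults values.
# Only plain "Defaults" lines count (Defaults:user and Defaults!cmd are scoped);
# intercept_type falls back to dso, the value in the reporter's sudo -V output.
intercept_settings() {
    awk '
        /^Defaults[[:space:]]/ {
            sub(/^Defaults[[:space:]]+/, "")
            n = split($0, opts, ",")   # quoted values containing commas are not handled
            for (i = 1; i <= n; i++) {
                o = opts[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", o)
                if (o == "intercept")              intercept = 1
                if (o == "!intercept")             intercept = 0
                if (o == "intercept_allow_setid")  allow = 1
                if (o == "!intercept_allow_setid") allow = 0
                if (sub(/^intercept_type[[:space:]]*=[[:space:]]*/, "", o)) type = o
            }
        }
        END {
            if (type == "") type = "dso"
            printf "intercept=%d intercept_type=%s intercept_allow_setid=%d\n",
                   intercept, type, allow
        }'
}

# Exit 0 when "sudo su -" and other setid commands would be rejected.
setid_rejected() {
    case "$(intercept_settings)" in
        "intercept=1 intercept_type=dso intercept_allow_setid=0") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the reporter's sudoers with "Defaults intercept" added,
# and the same file with the maintainer's suggested fix appended.
SAMPLE_REPORTER='Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
Defaults log_output, maxseq = 100000, ignore_iolog_errors
Defaults:user02 !log_output
Defaults log_subcmds
Defaults intercept
%wheel ALL=(ALL:ALL) ALL'
SAMPLE_FIXED="$SAMPLE_REPORTER
Defaults intercept_allow_setid"
printf '%s\n' "$SAMPLE_REPORTER" | setid_rejected && echo "reporter: setid commands rejected, add intercept_allow_setid"
printf '%s\n' "$SAMPLE_FIXED" | setid_rejected || echo "fixed: setid commands permitted"
```

To check a live host, pipe the visudo-checked file in with `visudo -c -f /etc/sudoers >/dev/null && setid_rejected < /etc/sudoers`; included files under @includedir are not followed.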