Bug 217 - in sudo.c, calling zero_env breaks later calls to getpwuid(getuid()) for LDAP accounts
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: PC FreeBSD
Importance: normal normal
Assigned To: Todd C. Miller
Reported: 2006-08-02 13:46 MDT by Patrick Wolfe
Modified: 2007-06-19 13:54 MDT

Description Patrick Wolfe 2006-08-02 13:46:37 MDT
Our network uses LDAP login authentication.  It's working fine on CentOS 4.3,
FreeBSD 5.4 and FreeBSD 6.1, except on the FreeBSD boxes, sudo V1.6.8p12 (from
the ports tree) only works if the user has an entry in the local password file.

I did some troubleshooting, and discovered that if I modify file sudo.c to call
getpwuid(getuid()) before the line "environ = zero_env(envp);" (near line 174),
sudo now works for ldap accounts.  Strange.  It acts like the zero_env routine
is stomping on the stack somewhere.

I searched for the "environ" variable, which is assigned the return value of
zero_env, and it also appears that line 174 of sudo.c, "environ =
zero_env(envp);", is not needed at all, since the value of environ is never used
before it's replaced later on (line 414) in the main() routine.  Commenting out
the call to zero_env at line 174 solves my problem with LDAP users not being
able to use sudo.

If this routine is not really needed, why not just remove it?  If it is needed,
please find and fix whatever it's doing to the stack, or whatever is causing it
to break getpwuid.

I'm available to run tests for you, if you don't have access to an LDAP
environment to test changes you want to make.

Thank you
Comment 1 Todd C. Miller 2006-08-02 14:41:29 MDT
"environ" is a pointer to the process's environment.  Sudo uses a minimal 
environment to prevent its execution from being modified by any of the various 
environment variables that affect libc (and other) functions.

From what you describe it sounds like there is a variable in your environment 
that is required for LDAP authentication to succeed.  If you can find what that 
is we should be able to craft a workaround.
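
The minimal-environment approach described in Comment 1, shown as an added example (not sudo's code and not part of the original thread): only allowlisted variables survive, so any variable a later library lookup depends on is silently gone. The allowlist, the sample environment and the name EXAMPLE_LDAP_CONF are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allowlist for illustration; not sudo's actual list. */
static const char *const keep_vars[] = { "HOME", "LOGNAME", "PATH", "TZ", "USER", NULL };

/* Constructed sample environment; EXAMPLE_LDAP_CONF is a hypothetical name. */
static char *sample_env[] = {
    "PATHX=1", "PATH=/usr/bin:/bin", "LD_LIBRARY_PATH=/tmp/lib", "USER=alice",
    "EXAMPLE_LDAP_CONF=/usr/local/etc/example.conf", "HOME=/home/alice", NULL
};

/* Return the "NAME=value" entry for an exact NAME match, or NULL if unset.
 * Checking for '=' right after the name keeps PATHX from matching PATH. */
char *env_find(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i];
    return NULL;
}

/* Build a new vector holding only allowlisted variables (first match wins, so
 * duplicate names are dropped). Strings are shared with envp; the caller frees
 * only the vector. Returns NULL if allocation fails. */
char **minimal_env(char *const envp[])
{
    char **out = calloc(sizeof(keep_vars) / sizeof(keep_vars[0]), sizeof(*out));
    size_t kept = 0;
    for (size_t i = 0; out != NULL && keep_vars[i] != NULL; i++)
        if ((out[kept] = env_find(envp, keep_vars[i])) != NULL)
            kept++;
    return out;   /* calloc zeroed the slots, so out[kept] is the NULL terminator */
}

int main(void)
{
    char **env = minimal_env(sample_env);
    for (size_t i = 0; env != NULL && env[i] != NULL; i++)
        puts(env[i]);
    if (env != NULL && env_find(env, "EXAMPLE_LDAP_CONF") == NULL)
        puts("EXAMPLE_LDAP_CONF was dropped; code that needs it now sees it unset");
    free(env);
    return env == NULL;
}
```

Diffing the original vector against the minimal one is a quick way to identify which dropped variable a failing lookup relied on.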
Comment 2 Todd C. Miller 2007-06-19 12:33:14 MDT
With sudo 1.6.9 and higher the environment handling is rather different and I believe this issue has now been fixed.  You can download beta versions of sudo from http://www.sudo.ws/sudo/beta.html
Comment 3 Patrick Wolfe 2007-06-19 13:54:37 MDT
I have tested this on both CentOS 4 and FreeBSD 6.2 and confirmed that this bug is fixed.