Bug 255 - segfault in HEAD with krb5_ccname and using sudo_setenv method
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.0
Hardware: PC All
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2007-07-28 19:47 MDT by Tom McLaughlin
Modified: 2008-03-03 09:57 MST (History)
Description Tom McLaughlin 2007-07-28 19:47:22 MDT
In HEAD when using sudo_setenv() to set KRB5CCNAME sudo is segfaulting and is reproducible on FreeBSD and Linux.  The backtrace I received simply indicated a crash in strncmp(). The offending code is in env.c's insert_env():

    if (dupcheck) {
        varlen = (strchr(str, '=') - str) + 1;

        for (nep = env.envp; *nep; nep++) {
==>         if (strncmp(str, *nep, varlen) == 0) {
                *nep = str;
                return;
            }
        }

After adding a printf() to figure out which environmental variable is causing this I get the following:

[tom@releng-7-fbsd sudo-devel]$ sudo -l                
LDAP Config Summary
===================
uri              ldap://shorthair.straycat.dhs.org
ldap_version     3
sudoers_base     ou=Sudoers,dc=straycat,dc=dhs,dc=org
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   -1
timelimit        -1
ssl              start_tls
use_sasl         1
sasl_auth_id     (NONE)
rootuse_sasl     -1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      /usr/local/etc/.ldapcache
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE, "/etc/ssl/straycat.crt")
sudo: ldap_initialize(ld,ldap://shorthair.straycat.dhs.org)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_start_tls_s() ok
*nep = bfbfecfc (_=/usr/local/bin/sudo)
*nep = bfbfed12 (SSH_CONNECTION=192.168.1.127 59783 192.168.1.73 22)
*nep = bfbfed45 (PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:/usr/ports/Tools/scripts)
*nep = bfbfedab (SHELL=/usr/local/bin/ksh)
*nep = bfbfedc4 (EDITOR=vim)
*nep = bfbfedcf (BLOCKSIZE=K)
Segmentation fault (core dumped)

[tom@releng-7-fbsd sudo-devel]$ env
_=/usr/bin/env
SSH_CONNECTION=192.168.1.127 59783 192.168.1.73 22
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/games:/usr/ports/Tools/scripts
SHELL=/usr/local/bin/ksh
EDITOR=vim
BLOCKSIZE=K
JAILED=1
USER=tom
SSH_CLIENT=192.168.1.127 59783 22
JAILMJVER=7
TERM=xterm
PACKAGESITE=http://ftp.straycat.dhs.org/tb/packages/7-i386-FreeBSD/Latest/
FTP_PASSIVE_MODE=YES
__MAKE_CONF=/home/tom/src/etc/make.conf
LOGNAME=tom
KRB5CCNAME=FILE:/tmp/krb5cc_sCQKJt
SSH_TTY=/dev/ttyp0
ENV=/home/tom/.kshrc
CVSEDITOR=vim
JAILNAME=fbsd
MAIL=/var/mail/tom
DISPLAY=bofh:0
HOME=/home/tom
PWD=/home/tom/src/FREEBSD/ports/security/sudo-devel
PAGER=more
CDIFFCOLORS=93:91:96:41:1:1;31


On my Linux box I see a slightly different result though:

*nep = bfccdba5 (HOSTNAME=centos.straycat.dhs.org)
*nep = bfccdbc6 (SHELL=/bin/bash)
*nep = bfccdbd6 (TERM=vt220)
*nep = bfccdbe1 (HISTSIZE=500)
*nep = bfccdbee (SSH_CLIENT=192.168.1.127 55090 22)
*nep = bfccdc10 (SSH_TTY=/dev/pts/1)
Segmentation fault

HOSTNAME=centos.straycat.dhs.org
SHELL=/bin/bash
TERM=vt220
HISTSIZE=500
SSH_CLIENT=192.168.1.127 55090 22
SSH_TTY=/dev/pts/1
USER=tom
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
CDIFFCOLORS=93:91:96:41:1:1;31
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:/usr/X11R6/sbin:/usr/kerberos/sbin:/usr/kerberos/bin
MAIL=/var/spool/mail/tom
PWD=/home/tom/src/sudo-1.7
INPUTRC=/etc/inputrc
EDITOR=vim
LANG=en_US.UTF-8
KRB5CCNAME=FILE:/tmp/krb5cc_10001_mReEr19811
HOME=/home/tom
SHLVL=1
LOGNAME=tom
SSH_CONNECTION=192.168.1.127 55090 192.168.1.51 22
LESSOPEN=|/usr/bin/lesspipe.sh %s
CVSEDITOR=vim
G_BROKEN_FILENAMES=1
_=/bin/env
OLDPWD=/home/tom
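As an added example (not sudo's own code), here is a duplicate-checking insert in the spirit of the insert_env() fragment above, written so the strncmp() walk always stops: the array is kept NULL-terminated from the start and across growth, the comparison runs through the '=' so KRB5CCNAME cannot match a longer name, and a string with no '=' is rejected instead of turning a NULL strchr() result into a bogus length. struct envlist, env_init and env_insert are names chosen for this illustration.

```c
/* Added example for this page; not sudo's env.c. The names struct envlist,
 * env_init and env_insert are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct envlist {
    char **envp;   /* always NULL-terminated, even when empty */
    size_t len;    /* live entries, excluding the terminating NULL */
    size_t cap;    /* slots allocated, including room for the NULL */
};

/* Start from an empty but properly terminated array. */
void env_init(struct envlist *env)
{
    env->cap = 8; env->len = 0;
    env->envp = calloc(env->cap, sizeof(char *)); /* calloc => envp[0] == NULL */
    if (env->envp == NULL) { perror("calloc"); exit(1); }
}

/* Insert "NAME=value". Returns 1 if an existing NAME was replaced,
 * 0 if appended, -1 if str contains no '=' (rejected rather than
 * computing a huge varlen from a NULL strchr() result). */
int env_insert(struct envlist *env, char *str, int dupcheck)
{
    char *eq = strchr(str, '=');
    if (eq == NULL)
        return -1;
    /* Compare through the '=' so KRB5CCNAME does not match KRB5CCNAMEX. */
    size_t varlen = (size_t)(eq - str) + 1;

    if (dupcheck) {
        for (char **nep = env->envp; *nep != NULL; nep++) {
            if (strncmp(str, *nep, varlen) == 0) {
                *nep = str;
                return 1;
            }
        }
    }
    /* Grow while keeping one slot free for the terminating NULL. */
    if (env->len + 1 >= env->cap) {
        size_t ncap = env->cap * 2;
        char **tmp = realloc(env->envp, ncap * sizeof(char *));
        if (tmp == NULL) { perror("realloc"); exit(1); }
        env->envp = tmp;
        env->cap = ncap;
    }
    env->envp[env->len++] = str;
    env->envp[env->len] = NULL;
    return 0;
}
```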
Comment 1 Todd C. Miller 2007-07-29 16:12:24 MDT
I fixed the sudo_setenv bug in HEAD, however, I would have expected sudo to use gss_krb5_ccache_name() on FreeBSD. Can you check whether configure finds gss_krb5_ccache_name() in libgssapi?
Comment 2 Tom McLaughlin 2007-07-29 16:29:18 MDT
FreeBSD's Heimdal in base is pretty crufty and lingering on 0.6.x so gss_krb5_ccache_name() isn't present.  I have to test sudo again after installing the Heimdal port which is 0.7.2.  On the CentOS 5 box with MIT's 1.5 it didn't pick up gss_krb5_ccache_name() though it is there.  Going to look at that too.
Comment 3 Todd C. Miller 2007-07-30 10:47:19 MDT
I just committed a fix to configure that should allow gss_krb5_ccache_name() to be found on Centos -- it works for me on Fedora 7.
Comment 4 Tom McLaughlin 2007-08-06 13:32:12 MDT
Hi Todd, the patch works great.  Both the sudo_setenv() and gss_krb5_ccache_name() methods work fine except when sasl_auth_id is set.  (So far I haven't found a tool to decrypt GSSAPI conversations so I can compare nss_ldap's traffic with sudo's to look for any differences.)  

I did find a corner case however and not sure how you want to handle this.  If nss_ldap is built using the --enable-configurable-krb5-ccname-env configurable and sudo finds gss_krb5_ccache_name(), some breakage occurred.  I get this via syslog for users other than root:

sudo: GSSAPI Error:  Miscellaneous failure (see text) (open(/tmp/krb5cc_<uid>): No such file or directory).

On FreeBSD we use --enable-configurable-krb5-ccname-env for nss_ldap because --enable-configurable-krb5-ccname-gssapi requires the heimdal or MIT port to be installed and doing so causes random application breakage when apps or libs are compiled against different krb5 versions due to some incompatibilities.  Could the ccname method become a configurable?  Also, I don't know if it's just us or if it's a not too out of the ordinary practice to sometimes have a second newer krb5 implementation installed.  Is it worth adding a --with-gssapi-dir configure switch to force sudo to build against one implementation or another?  I'm not too familiar with commercial *nixes so I'm not sure how people with older OSes deal with the need for a newer krb5 or if that really comes up.
Comment 5 Todd C. Miller 2007-12-20 10:14:38 MST
I've changed how the LDAP options are being set which might fix the sasl_auth_id case.  If you could test ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7a3.tar.gz and report back that would be great.
Comment 6 Todd C. Miller 2008-01-06 12:04:00 MST
The LDAP code has undergone further cleanup.  If you could test sudo 1.7b1 from ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.b1.tar.gz and report back that would be great.
Comment 7 Tom McLaughlin 2008-02-10 16:52:26 MST
Sorry, was a little distracted for a bit but I just tried this with 1.7b2 and the problem is still there when PADL's nss_ldap is built with the --enable-configurable-krb5-ccname-env configure option and sudo finds gss_krb5_ccache_name() to be available.

Feb 10 16:12:57 releng-7-fbsd sudo: GSSAPI Error:  Miscellaneous failure (see text) (open(/tmp/krb5cc_0): No such file or directory)

Do you want a patch which allows people to configure the method used to change the credentials cache so it will match the method used by nss_ldap?
Comment 8 Todd C. Miller 2008-02-10 17:55:38 MST
Does it work properly if you comment out the
#define HAVE_GSS_KRB5_CCACHE_NAME 1
line in config.h?
Comment 9 Tom McLaughlin 2008-02-10 23:19:39 MST
It works just fine then.
Comment 10 Todd C. Miller 2008-03-03 09:57:53 MST
I took a look at how gss_krb5_ccache_name() works and I don't see an obvious problem.  It may be that gss_krb5_ccache_name() doesn't work correctly for some combinations of Heimdal and OpenLDAP.

I've added a --enable-gss-krb5-ccache-name configure option to enable the use of gss_krb5_ccache_name() and just default to using the environment variable.  That should work around the issue for now.