Bug 262 - Segmentation Fault - SUDO + LDAP
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: IBM Linux
Importance: normal normal
Assigned To: Todd C. Miller
Reported: 2007-09-19 23:05 MDT by Emmett O'Grady
Modified: 2007-09-20 08:04 MDT (History)
Description Emmett O'Grady 2007-09-19 23:05:07 MDT
I will provide my files for reference:

Client: RHEL5 on zLinux (mbushozlwas6)
Server: RHEL4 on zLinux (mbushozldap1)

[root@mbushozlwas6 sudo-1.6.9p5]# sudo -V
Sudo version 1.6.8p12

[root@mbushozlwas6 etc]# cat ldap.conf
uri ldap://mbushozldap1.rs6k.intranet.mbusa.com/
base dc=mbusa,dc=com
tls_cacertdir /etc/openldap/cacerts
ssl start_tls
pam_check_host_attr yes
sudoers_base ou=SUDOers,dc=mbusa,dc=com
sudoers_debug   2
pam_login_attribute uid


[root@mbushozlwas6 etc]# cat /etc/openldap/ldap.conf
#HOST  mbushozldap1.rs6k.intranet.mbusa.com
URI     ldap://mbushozldap1.rs6k.intranet.mbusa.com/
#HOST 53.67.27.96
BASE dc=mbusa,dc=com
TLS_CACERT /etc/openldap/cacerts/cacert.pem
TLS_REQCERT allow


I use this to test TLS and get my resultset back.

[root@mbushozlwas6 etc]# cat /MBSYSMGR/checkSUDO.sh
ldapsearch -v -x  -b 'dc=mbusa,dc=com' '(&(objectClass=sudoRole)(sudoUser=oper026))'  -ZZ
yields

[root@mbushozlwas6 etc]# checkSUDO.sh
ldap_initialize( <DEFAULT> )
filter: (&(objectClass=sudoRole)(sudoUser=oper026))
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=mbusa,dc=com> with scope subtree
# filter: (&(objectClass=sudoRole)(sudoUser=oper026))
# requesting: ALL
#

# role1, SUDOers, mbusa.com
dn: cn=role1,ou=SUDOers,dc=mbusa,dc=com
cn: role1
sudoUser: oper026
sudoHost: mbushozlwas6.rs6k.intranet.mbusa.com
objectClass: sudoRole
objectClass: top
description: role1
sudoCommand: /bin/date

# role9, SUDOers, mbusa.com
dn: cn=role9,ou=SUDOers,dc=mbusa,dc=com
objectClass: sudoRole
objectClass: top
cn: role9
sudoUser: oper026
sudoHost: mbushozlwas6.rs6k.intranet.mbusa.com
sudoCommand: !/bin/sh
sudoCommand: /bin/ls

# search result
search: 3
result: 0 Success

# numResponses: 3
# numEntries: 2

If I su to my LDAP user account . . . .
[root@mbushozlwas6 etc]# su - oper026
and then
-bash-3.1$ sudo -l
LDAP Config Summary
===================
uri          ldap://mbushozldap1.rs6k.intranet.mbusa.com/
ldap_version 3
sudoers_base ou=SUDOers,dc=mbusa,dc=com
binddn       (anonymous)
bindpw       (anonymous)
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
ldap_initialize(ld,ldap://mbushozldap1.rs6k.intranet.mbusa.com/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
found:cn=defaults,ou=sudoers,dc=mbusa,dc=com
Segmentation fault

it finds the first entry and then gets the Segmentation fault?!

The log stops writing - these are the last few lines
Sep 19 22:56:12 mbushozldap1 slapd[6702]: => bdb_filter_candidates
Sep 19 22:56:12 mbushozldap1 slapd[6702]:       OR
Sep 19 22:56:12 mbushozldap1 slapd[6702]: => bdb_list_candidates 0xa1
Sep 19 22:56:12 mbushozldap1 slapd[6702]: => bdb_filter_candidates
Sep 19 22:56:12 mbushozldap1 slapd[6702]:       EQUALITY
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_filter_candidates: id=0 first=0 last=0
Sep 19 22:56:12 mbushozldap1 slapd[6702]: => bdb_filter_candidates
Sep 19 22:56:12 mbushozldap1 slapd[6702]:       EQUALITY
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_filter_candidates: id=1 first=52 last=52
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_list_candidates: id=1 first=52 last=52
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_filter_candidates: id=1 first=52 last=52
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_list_candidates: id=1 first=52 last=52
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= bdb_filter_candidates: id=1 first=52 last=52
Sep 19 22:56:12 mbushozldap1 slapd[6702]: => test_filter
Sep 19 22:56:12 mbushozldap1 slapd[6702]:     EQUALITY
Sep 19 22:56:12 mbushozldap1 slapd[6702]: <= test_filter 6



------------------------------------

So now I'm desperate - If I wrap my sudoers_base parameter in quotes it does not create the Seg Fault and also does not get any results.

[root@mbushozlwas6 etc]# su - oper026
-bash-3.1$ sudo -l
LDAP Config Summary
===================
uri          ldap://mbushozldap1.rs6k.intranet.mbusa.com/
ldap_version 3
sudoers_base "ou=SUDOers,dc=mbusa,dc=com"
binddn       (anonymous)
bindpw       (anonymous)
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR,"/etc/openldap/cacerts")
ldap_initialize(ld,ldap://mbushozldap1.rs6k.intranet.mbusa.com/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_start_tls_s() ok
ldap_bind() ok
no default options found!
ldap search '(|(sudoUser=oper026)(sudoUser=ALL))'
nothing found for '(|(sudoUser=oper026)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
nothing found for 'sudoUser=+*'
user_matches=0
host_matches=0
sudo_ldap_check(50)=0x44
Password:
Sorry, user oper026 may not run sudo on mbushozlwas6.
-bash-3.1$

On the server I see
Sep 19 22:48:23 mbushozldap1 slapd[6702]: do_search: invalid dn ("ou=SUDOers,dc=mbusa,dc=com")
Sep 19 22:48:23 mbushozldap1 slapd[6702]: do_search: invalid dn ("ou=SUDOers,dc=mbusa,dc=com")


Any support is appreciated!

Thanks!
Emmett o'Grady
Comment 1 Emmett O'Grady 2007-09-19 23:24:46 MDT
Sorry for creating a bug report before trying the latest version.

It appears to have solved the Segmentation Fault.

I will join the mail list for updates!

Thanks!!!!!!!!!!!!!!!!!!!!!!!!!!
I'll leave the status as open and leave it up to you as to the status.

Regards!!!



[root@mbushozlwas6 sudo-1.7a1]# su - oper026
-bash-3.1$ /downloads/sudo-1.7a1/sudo -l
LDAP Config Summary
===================
uri              ldap://mbushozldap1.rs6k.intranet.mbusa.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=mbusa,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   -1
timelimit        -1
ssl              start_tls
use_sasl         -1
sasl_auth_id     (NONE)
rootuse_sasl     -1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      (NONE)
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR, "/etc/openldap/cacerts")
sudo: ldap_initialize(ld,ldap://mbushozldap1.rs6k.intranet.mbusa.com/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_start_tls_s() ok
sudo: ldap_bind() ok
sudo: found:cn=defaults,ou=sudoers,dc=mbusa,dc=com
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: '!root_sudo'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap sudoHost 'mbushozlwas6.rs6k.intranet.mbusa.com' ... not
sudo: ldap sudoHost 'mbushozlwas6.rs6k.intranet.mbusa.com' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_check(51)=0x84
Password:
Sorry, user oper026 may not run sudo on mbushozlwas6.
Comment 2 Todd C. Miller 2007-09-20 07:27:00 MDT
Glad to hear that 1.7a1 works for you but have you tried sudo 1.6.9p5 as well?
Comment 3 Emmett O'Grady 2007-09-20 07:52:35 MDT
Version 1.6.95 is good too! Nice!

Would you recommend the 1.6.95 version over 1.7a?

Thanks!

[root@mbushozlwas6 sudo-1.6.9p5]# chmod 4755 sudo
[root@mbushozlwas6 sudo-1.6.9p5]# su - oper026
-bash-3.1$ /downloads/sudo-1.6.9p5/sudo --help
sudo: please use single character options
LDAP Config Summary
===================
uri          ldap://mbushozldap1.rs6k.intranet.mbusa.com/
ldap_version 3
sudoers_base ou=SUDOers,dc=mbusa,dc=com
binddn       (anonymous)
bindpw       (anonymous)
bind_timelimit  -1
timelimit    -1
ssl          start_tls
===================
ldap_set_option(LDAP_OPT_X_TLS_CACERTDIR, "/etc/openldap/cacerts")
sudo: ldap_initialize(ld,ldap://mbushozldap1.rs6k.intranet.mbusa.com/)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION, 3)
sudo: ldap_start_tls_s() ok
sudo: ldap_bind() ok
sudo: found:cn=defaults,ou=sudoers,dc=mbusa,dc=com
sudo: ldap sudoOption: 'ignore_dot'
sudo: ldap sudoOption: '!mail_no_user'
sudo: ldap sudoOption: '!root_sudo'
sudo: ldap sudoOption: 'log_host'
sudo: ldap sudoOption: 'logfile=/var/log/sudolog'
sudo: ldap sudoOption: '!syslog'
sudo: ldap sudoOption: 'timestamp_timeout=10'
sudo: ldap search '(|(sudoUser=oper026)(sudoUser=ALL))'
sudo: found:cn=role1,ou=SUDOers,dc=mbusa,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/bin/date' ... not
sudo: found:cn=role9,ou=SUDOers,dc=mbusa,dc=com
sudo: ldap sudoHost 'mbushozlwas6.rs6k.intranet.mbusa.com' ... MATCH!
sudo: ldap sudoCommand '!su' ... not
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x04
usage: sudo -h | -K | -k | -L | -l | -V | -v
usage: sudo [-bEHPS] [-p prompt] [-u username|#uid] [VAR=value]
            {-i | -s | <command>}
usage: sudo -e [-S] [-p prompt] [-u username|#uid] file ...
-bash-3.1$
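The 'sudo -l' traces above (the search filter, the per-role sudoHost/sudoCommand decisions, and the 'invalid dn' error when sudoers_base is quoted) follow a simple evaluation order. The following is an added illustration, not code from the sudo project or from the reporter: it parses the two sudoRole entries posted in the description (embedded below as constructed LDIF), builds the same user filter the trace shows, and models the matching. The function names, the simplified matching rules (exact user/host or ALL, glob on the command path, a leading '!' denies) and the RFC 4515 filter escaping are assumptions for illustration; sudo's real command matching also compares arguments and netgroups, which are left out here.

```python
"""Added example, not sudo's code: model of the sudoRole evaluation shown in the
'sudo -l' traces, plus checks for the two configuration mistakes in the report.
Assumed (not in the original): function names, simplified matching rules,
and RFC 4515 escaping of the user name in the search filter."""
import fnmatch
import re

# Constructed from the two entries in the reporter's ldapsearch output.
SAMPLE_LDIF = """\
dn: cn=role1,ou=SUDOers,dc=mbusa,dc=com
cn: role1
sudoUser: oper026
sudoHost: mbushozlwas6.rs6k.intranet.mbusa.com
objectClass: sudoRole
objectClass: top
description: role1
sudoCommand: /bin/date

dn: cn=role9,ou=SUDOers,dc=mbusa,dc=com
objectClass: sudoRole
objectClass: top
cn: role9
sudoUser: oper026
sudoHost: mbushozlwas6.rs6k.intranet.mbusa.com
sudoCommand: !/bin/sh
sudoCommand: /bin/ls
"""


def parse_ldif(text):
    """Parse plain LDIF (no base64 values, no continuation lines) into a list of
    dicts mapping attribute name -> list of values, one dict per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


# RFC 4515 escapes; without them a login such as 'a)(sudoUser=ALL' rewrites the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def build_user_filter(user):
    """The first search in the trace: '(|(sudoUser=oper026)(sudoUser=ALL))'."""
    return "(|(sudoUser=%s)(sudoUser=ALL))" % escape_filter_value(user)


_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,]+"
_DN_RE = re.compile(r"^%s(,%s)*$" % (_RDN, _RDN))


def looks_like_dn(value):
    """sudo's ldap.conf takes the value verbatim, so a quoted sudoers_base sends
    the quotes to slapd and produces 'do_search: invalid dn'. Reject that early."""
    return bool(_DN_RE.match(value.strip()))


def evaluate(entries, user, host, command):
    """Mimic the trace: only roles naming the user (or ALL) are considered, each
    must match the host, a plain sudoCommand match allows, and the first matching
    '!command' denies and ends the evaluation (assumed simplification)."""
    result = {"user_matches": False, "host_matches": False, "allowed": False}
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []):
            continue
        if not any(v in (user, "ALL") for v in e.get("sudoUser", [])):
            continue
        result["user_matches"] = True
        if not any(v in (host, "ALL") for v in e.get("sudoHost", [])):
            continue
        result["host_matches"] = True
        for value in e.get("sudoCommand", []):
            if value == "ALL":
                result["allowed"] = True
                continue
            negated = value.startswith("!")
            pattern = (value[1:] if negated else value).split(" ", 1)[0]
            if fnmatch.fnmatchcase(command, pattern):   # glob on the path only
                if negated:
                    result["allowed"] = False
                    return result
                result["allowed"] = True
    return result


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    host = "mbushozlwas6.rs6k.intranet.mbusa.com"
    print(build_user_filter("oper026"))
    for cmd in ("/bin/date", "/bin/ls", "/bin/sh"):
        print(cmd, evaluate(roles, "oper026", host, cmd))
    for base in ("ou=SUDOers,dc=mbusa,dc=com", '"ou=SUDOers,dc=mbusa,dc=com"'):
        print(repr(base), looks_like_dn(base))
```

Run it as-is: the filter string matches the one in the trace, /bin/date and /bin/ls are allowed by role1 and role9 respectively, the '!/bin/sh' entry in role9 denies /bin/sh, and the quoted sudoers_base from the second attempt fails the DN check while the unquoted one passes.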
Comment 4 Todd C. Miller 2007-09-20 08:04:31 MDT
I would recommend the 1.6.9 release for now since 1.7 is still in alpha.