Bugzilla – Bug 311
AUTHSTATE environment variable issue on AIX
Last modified: 2008-11-05 19:20:19 MST
We just upgraded the sudo RPM on our AIX systems to the latest one available (sudo-1.6.9p15-2noldap) from the IBM AIX Toolbox. One thing we noticed is that the AUTHSTATE environment variable is passed through to the command environment ONLY when sudo prompts you for your password, as seen here: /home/richb> env | grep AUTH AUTHSTATE=LDAP /home/richb> sudo env | grep AUTH Password: AUTHSTATE=LDAP /home/richb> sudo env | grep AUTH /home/richb> sudo -k /home/richb> sudo env | grep AUTH Password: AUTHSTATE=LDAP /home/richb> sudo env | grep AUTH /home/richb> sudo grep AUTH /etc/sudoers Defaults env_delete=AUTHSTATE What is really interesting is that we have always had an env_delete=AUTHSTATE line in our sudoers file (since we DO NOT want AUTHSTATE passed through) but unfortunately it seems to be ignored in this version. I know that this version of sudo has the env_reset setting enabled by default so we really shouldn't need the env_delete=AUTHSTATE statement any more. I have tried the above scenario without the env_delete=AUTHSTATE in /etc/sudoers but the behavior is the same as above (i.e. any time sudo prompts for your password the AUTHSTATE environment variable appears in the command environment being executed by sudo). So this seems like a bug to me somewhere but I am not sure if it bug in sudo or in AIX. I was told that for the sudo package no modifications were required to compile for AIX. So I am trying to figure out where the issue may be.
It sounds like the AIX authenticatoin routines are setting this variable when the user is authenticated. Since this only happens when sudo prompts for a password that would match the behavior you are seeing. The environment modifications only affect the environment as it stands when sudo is invoked. That is, environment variables that are added during the invocation of sudo itself are not subject to env_delete, etc.
I think you are right. I wrote a little C program that calls the authenticate call (I am assuming sudo uses this even though I could not conclusively tell hunting through the source code) and afterwards it calls system("env|grep AUTH")and sure enough it messes with the AUTHSTATE environment if you have a successful authentication. Here is a sample: # unset AUTHSTATE # env | grep AUTH # /tmp/t myid good-passwd authenticate call rc = 0 AUTHSTATE=LDAP # /tmp/t myid bad-passwd authenticate call rc = 1 # So the assumption on the AIX authenticate call is that your want your authentication state (i.e. AUTHSTATE) to be what it would be for the user you are attempting authentication which is not true when using sudo. In the sudo case, you want your authentication state to match to the user you are going to run as. I am guessing that most of the time that the assumption for the AIX authenticate call to mess with AUTHSTATE is probably a good thing but not with sudo. I was going to call AIX support and see what they say but it not obvious to me what would be a good way to correct this.
I have done some more research and I have found out that it is documented that the AIX authenticate call will set the value of AUTHSTATE environment variable to be correct for the user that is being authenticated. This is documented here fro AIX 5.3: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/topic/com.ibm.aix.basetechref/doc/basetrf1/authenticate.htm?resultof=%22%61%75%74%68%65%6e%74%69%63%61%74%65%22%20%22%61%75%74%68%65%6e%74%22%20 While this is documented behavior on AIX, it doesn't seem like the correct behavior for sudo on AIX since the value AUTHSTATE gets for the authenticated user might not match the run as user (and in my case it doesn't since our normal users use LDAP and root uses local files). I am correct in assuming sudo uses the authenticate call on AIX right? I also checked the difference in behavior between sudo v1.6.7p5 and the newer one v1.6.9p15 on the same system since I noticed the change in behavior after an AIX upgrade and a sudo upgrade. So keeping the AIX version constant and only changing the sudo version, the older sudo doesn't cause the AUTHSTATE variable to get set in any of the scenarios I tried. It will only pass through the value from the current environment (if not using env_reset and env_delete options). So something changed in the sudo code to cause this authenticate call behavior to now peek through. Was the authenticate call not used in v1.6.7p5? In any case, it would seem that sudo on AIX needs a modification to handle this "special" environment variable. I can see a few possibilities. 1) making env_delete option apply to environment variables introduced during the execution of sudo, 2) figure out how to calculate the correct AUTHSTATE value for the "run as" user, 3) just unset the AUTHSTATE variable after an authenticate call on AIX, or 4) allow a fixed value to be specified for an environment variable in /etc/sudoers. I honestly don't know what is the best general approach even though option 3 sounds easiest to me and would probably work for the majority of folks.
Environment handling has changed significantly between sudo 1.6.7 and 1.6.9. Previously, a copy was made of the initial environment, the env_* lists applied, and just before executing the command, the new environment was put in place. This meant that changes to the environment during sudo's execution were not preserved. However, that caused problems for some systems, so now changes to the environment made during sudo's execution are retained. I've modified auth/aix_auth.c to unsetenv AUTHSTATE after calling authenticate() which should solve the problem. The changes will be in the forthcoming sudo 1.6.9p18 as well as the sudo 1.7.0 release candidate.