Bugzilla – Bug 337
0402-026 The specified data is not a valid identifier.
Last modified: 2009-03-20 15:14:10 MDT
Created attachment 244
Syslog output for *.debug

I have created a one line script owned by root and with execute privs of root alone. The name of the script is andre_sudo_test. I have created sudo rules that will allow andre to execute this one line script.

Logged on as root:

    root@unixsvr [/tmp] # ls -l /var/opt/andre_sudo_test
    -rwx------ 1 root system 22 Feb 25 11:21 /var/opt/andre_sudo_test
    root@unixsvr [/tmp] # cat /var/opt/andre_sudo_test
    echo "WILDCARDS work"
    root@unixsvr [/tmp] #

Logged on as andre, I get a weird message:

    andre@unixsvr [/home/andre/sudo-1.7.0] $ sudo /var/opt/andre_sudo_test
    Password:
    ÁÈ^A: 0402-026 The specified data is not a valid identifier.
    andre@unixsvr [/home/andre/sudo-1.7.0] $ sudo /var/opt/andre_sudo_test
    WILDCARDS work
    andre@unixsvr [/home/andre/sudo-1.7.0] $

Notice that when andre executes it again, it executes as expected. I have attached the output of syslog with *.debug. Any assistance would greatly be appreciated. Thanks!
I'd suggest making this a proper script by adding the shebang line, i.e.:

    #!/bin/sh
    echo "WILDCARDS work"

and see if that makes any difference.
If the #!/bin/sh fails, also try with #!/bin/ksh
Todd,

On the previous version of sudo (1.6.8p12) we did not have to add a shebang.

    andre@unixsvr [/home/andre] $ ls -l /usr/bin/sudo*
    ---s--x--x 1 root system 197063 Feb 20 15:35 /usr/bin/sudo
    ---s--x--x 1 root system 154883 Jan 30 2008 /usr/bin/sudo.backup
    andre@unixsvr [/home/andre] $ sudo.backup -V
    Sudo version 1.6.8p12
    andre@unixsvr [/home/andre] $ sudo.backup -k
    andre@unixsvr [/home/andre] $ sudo.backup /var/opt/andre_test_sudo
    Password:
    Sudo works
    andre@unixsvr [/home/andre] $ sudo -k
    andre@unixsvr [/home/andre] $ sudo /var/opt/andre_test_sudo
    Password:
    ÁÈ^A: 0402-026 The specified data is not a valid identifier.
    andre@unixsvr [/home/andre] $ sudo -V
    Sudo version 1.7.0
    andre@unixsvr [/home/andre] $ ls -l /var/opt/andre_test_sudo
    -rwx------ 1 root system 19 Feb 24 15:38 /var/opt/andre_test_sudo
    andre@unixsvr [/home/andre] $

Logged on as root, contents of andre_test_sudo is:

    root@unixsvr [/var/opt] # cat /var/opt/andre_test_sudo
    echo "Sudo works"
    root@unixsvr [/var/opt] #

We have the older version of sudo deployed to a lot of servers. We might have scripts out there that may not be properly written with a shebang. Is there a work around? Maybe a sudoers file config update? Thanks for all the help.
Do you have the KRB5CCNAME variable set in your environment? It seems that sometimes this error can come about from a mismatched KRB5CCNAME. It is possible that this is being set by the authentication and that is why it breaks when you are prompted for a password.
Created attachment 245
patch to remove KRB5CCNAME from the environment

quick and dirty patch to test my theory
Todd,

I got this error after adding the 2 lines when running the make.

    . . .
    gcc -o sudo gram.o alias.o alloc.o defaults.o error.o list.o match.o toke.o redblack.o zero_bytes.o sudo_auth.o pam.o aix.o check.o env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o sudo.o sudo_edit.o sudo_nss.o tgetpass.o glob.o fnmatch.o memrchr.o strlcpy.o strlcat.o closefrom.o snprintf.o getprogname.o -Wl,-bI:./aixcrypt.exp -lpam -ldl
    ld: 0711-317 ERROR: Undefined symbol: .sudo_unsetenv
    ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
    collect2: ld returned 8 exit status
    make: 1254-004 The error code from the last command is 1.
    Stop.

Did I miss anything? Thanks!
Created attachment 246
patch to remove KRB5CCNAME from the environment

New version that compiles w/o LDAP or AIX auth
I was assuming AIX auth was in use and so sudo_unsetenv would be available. I've attached an updated patch that should work for you regardless.
Still getting the problem after implementing the patch.

    andre@unixsvr [/home/andre] $ sudo /var/opt/R14562_test_sudo
    Password:
    Ã8^A: 0402-026 The specified data is not a valid identifier.
    andre@unixsvr [/home/andre] $
Todd, Any other options you want me to try? Do you need any information that will help us figure out what is causing this? I updated env.c and sudo.c but the issue still exists. Let me know ... Thanks again!
Created attachment 248
simple program to print out the environment
Can you try compiling showenv.c (attached above) and redirect the output to a file both with and without sudo prompting for a password? i.e.:

    sudo -k
    sudo ./showenv > a
    sudo ./showenv > b
    diff a b

The only thing I can think of is that there is something being added to the environment by the authentication process. Which authentication method are you using, BTW?
We are using a Quest Software product called VAS. http://www.networkworld.com/newsletters/techexec/2005/0214techexec1.html I will send you the output of my environment shortly.
OK, so you are using their custom PAM module.
Todd,

Your theory is correct: the authentication process is adding something to the environment.

    andre@unixsvr [/home/andre] $ sudo -k
    andre@unixsvr [/home/andre] $ sudo /home/andre/showenv > /tmp/nopassword
    andre@unixsvr [/home/andre] $ sudo -k
    andre@unixsvr [/home/andre] $ sudo /home/andre/showenv > /tmp/withpassword
    Password:
    andre@unixsvr [/home/andre] $ diff /tmp/nopassword /tmp/withpassword
    34a35,36
    >
    > ¨
    andre@unixsvr [/home/andre] $

Thanks for your help.
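Added example, not part of the thread and not the showenv.c attachment (which is not reproduced on this page): a C environment dumper that escapes non-printable bytes and flags any entry that is not of the form NAME=value, the kind of stray entry the diff above shows appearing after the password prompt. The function names and the validity rule (NAME matching [A-Za-z_][A-Za-z0-9_]*) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Return 1 if entry is NAME=value with NAME matching
 * [A-Za-z_][A-Za-z0-9_]* (assumed validity rule), else 0. */
int env_entry_is_valid(const char *entry)
{
    const char *eq, *p;

    if (entry == NULL || (eq = strchr(entry, '=')) == NULL || eq == entry)
        return 0;
    if (!(isalpha((unsigned char)entry[0]) || entry[0] == '_'))
        return 0;
    for (p = entry + 1; p < eq; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* Write one line per entry of envp to out, hex-escaping non-printable
 * bytes so junk survives a diff; return the number of invalid entries. */
int audit_env(char *const envp[], FILE *out)
{
    const unsigned char *c;
    int bad = 0;
    size_t i;

    for (i = 0; envp[i] != NULL; i++) {
        int ok = env_entry_is_valid(envp[i]);
        if (!ok)
            bad++;
        fprintf(out, "%s [%lu] ", ok ? "ok " : "BAD", (unsigned long)i);
        for (c = (const unsigned char *)envp[i]; *c != '\0'; c++) {
            if (isprint(*c))
                fputc(*c, out);
            else
                fprintf(out, "\\x%02x", *c);
        }
        fputc('\n', out);
    }
    return bad;
}

int main(void)
{
    /* Exit status 1 when at least one malformed entry is present. */
    return audit_env(environ, stdout) ? 1 : 0;
}
```

Run it the way the thread runs showenv, once right after sudo -k and once with a cached timestamp, and compare the two outputs.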
Can you give this a try and see if the results are the same? ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1p1.tar.gz
(In reply to comment #16)
> Can you give this a try and see if the results are the same?
> ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1p1.tar.gz

Looks like the compressed archive is empty. Can you check? Thanks again!
Try this one: ftp://ftp.sudo.ws/pub/millert/sudo/sudo-1.7.1b1.tar.gz
It now gives me this message:

    /var/opt/quest/vas/authcache/vas_auth.vdb: 0402-026 The specified data is not a valid identifier.

instead of this:

    ÁÈ^A: 0402-026 The specified data is not a valid identifier.

Thoughts?
Can you try the following, and run configure with --enable-env-debug to see if it errors out? I've added some checks that may help narrow down the problem. http://sudo.ws/sudo/dist/beta/sudo-1.7.1b2.tar.gz
I am unable to download the file through the link you have provided. When I invoke the file command on it, it gives me an international language or data format for it. Let me know how to download it. Thanks for your help.
I don't know what the problem would be, but hopefully one of these will work for you:

    ftp://ftp.sudo.ws/pub/sudo/beta/sudo-1.7.1b3.tar.gz
    http://www.sudo.ws/sudo/dist/beta/sudo-1.7.1b3.tar.gz
Todd, I am able to download properly now. Let me test and get back to you.
After working with Quest support, they determined that the bug was on their side. It took a while but we got through it. Thanks for all the help!!!
Great, I'm closing this out then.