Bugzilla – Bug 608
sudo uses incorrect kerberos credential cache file, fails when configured for ldap on Cent 6
Last modified: 2013-09-30 09:32:57 MDT
Reproduced with 1.8.7-1.el6 rpm from sudo website, and 1.8.6p3-7.el6 from cent-current.

[rfox@client PROD ~]$ /opt/likewise/bin/klist
Ticket cache: FILE:/tmp/krb5cc_108139
Default principal: rfox@example.com

Valid starting     Expires            Service principal
07/16/13 15:50:32  07/17/13 01:50:32  krbtgt/example.com@example.com
        renew until 07/17/13 03:50:32
07/16/13 15:50:32  07/17/13 01:50:32  host/client.example.com@
        renew until 07/17/13 03:50:32
07/16/13 15:50:32  07/17/13 01:50:32  host/client.example.com@example.com
        renew until 07/17/13 03:50:32
07/16/13 14:20:54  07/17/13 00:20:31  ldap/dc001.example.com@example.com
        renew until 07/17/13 02:20:32
07/16/13 14:21:16  07/17/13 00:20:31  ldap/dc002.example.com@example.com
        renew until 07/17/13 02:20:32

[rfox@client PROD ~]$ id
uid=108139(rfox) ...

[rfox@client PROD ~]$ sudo -l
sudo: ldap_sasl_interactive_bind_s(): Local error
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

From /var/log/messages:
Jul 16 16:01:28 client sudo: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

[rfox@client PROD ~]$ ln -s /tmp/krb5cc_108139 /tmp/krb5cc_0
[rfox@client PROD ~]$ sudo -l
[sudo] password for rfox:
User rfox may run the following commands on this host:
    (root) ALL
I suspect this is because the sudoers LDAP code runs with real and effective UIDs set to zero. What is the value of the KRB5CCNAME environment variable?
[rfox@client PROD ~]$ echo $KRB5CCNAME
FILE:/tmp/krb5cc_108139
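To make the diagnosis above concrete, here is an added example (not part of the bug report or of sudo) that resolves the credential cache libkrb5 would open for a given environment and effective uid, parses klist output in the layout shown in the report, and flags the mismatch between the cache a euid-0 code path reaches and the one holding the user's ldap/ service tickets. It assumes MIT Kerberos on Linux with no default_ccache_name set in krb5.conf, so the fallback is FILE:/tmp/krb5cc_<uid>; the klist text and timestamp are constructed from the report, not read from a live system.

```python
import re
from datetime import datetime

# Fallback MIT libkrb5 uses on Linux when KRB5CCNAME is unset and krb5.conf
# sets no default_ccache_name (assumed for this example).
DEFAULT_CCACHE_TEMPLATE = "FILE:/tmp/krb5cc_{uid}"
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({DATE})\s+({DATE})\s+(\S+)$")
CACHE_RE = re.compile(r"^Ticket cache:\s+(\S+)", re.MULTILINE)
# Timestamp of the syslog line quoted in the report (constructed "now").
REPORT_TIME = datetime(2013, 7, 16, 16, 1, 28)

def resolve_ccache(env, euid):
    """Cache name libkrb5 opens for a process with this environment and
    effective uid: KRB5CCNAME if set, else the uid-based default. Code
    running with euid 0 and no KRB5CCNAME therefore lands on krb5cc_0."""
    return env.get("KRB5CCNAME") or DEFAULT_CCACHE_TEMPLATE.format(uid=euid)

def parse_klist(text):
    """Parse MIT klist output into (service principal, expiry) pairs; the
    column header and 'renew until' continuation lines do not match."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            expiry = datetime.strptime(m.group(2), "%m/%d/%y %H:%M:%S")
            tickets.append((m.group(3), expiry))
    return tickets

def diagnose(env, euid, klist_text, now):
    """Compare the cache the euid-0 LDAP path would open with the cache klist
    reports for the user, and list ldap/ service tickets still valid at now."""
    opened = resolve_ccache(env, euid)
    m = CACHE_RE.search(klist_text)
    user_cache = m.group(1) if m else None
    ldap = [p for p, exp in parse_klist(klist_text)
            if p.startswith("ldap/") and exp > now]
    return {"opened": opened, "user_cache": user_cache,
            "ldap_tickets": ldap, "mismatch": opened != user_cache}

# Constructed klist output in the layout shown in the report (not a live cache).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_108139
Default principal: rfox@example.com
Valid starting     Expires            Service principal
07/16/13 15:50:32  07/17/13 01:50:32  krbtgt/example.com@example.com
        renew until 07/17/13 03:50:32
07/16/13 14:20:54  07/17/13 00:20:31  ldap/dc001.example.com@example.com
        renew until 07/17/13 02:20:32
"""

if __name__ == "__main__":
    # As the euid-0 plugin path saw it: KRB5CCNAME absent -> krb5cc_0, mismatch.
    print(diagnose({}, 0, SAMPLE_KLIST, REPORT_TIME))
    # Same check with the user's KRB5CCNAME carried over -> caches agree.
    print(diagnose({"KRB5CCNAME": "FILE:/tmp/krb5cc_108139"}, 0, SAMPLE_KLIST, REPORT_TIME))
```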
Please try one of the sudo-1.8.7-2.el6 rpms from ftp://ftp.sudo.ws/pub/millert/sudo/ and let me know if that works for you.
Thank you for this patch. I tested it out this afternoon. It changed the behavior, but did not succeed.

With sudo-1.8.7-2.el6.x86_64:

[rfox@client PROD ~]$ sudo -l
[sudo] password for rfox:
User rfox is not allowed to run sudo on s2plpkiswapp01.

Creating a symlink to /tmp/krb5cc_0 still allows it to succeed.
I found a problem with the patch. I've updated the packages at ftp://ftp.sudo.ws/pub/millert/sudo/, though it may be simpler for you to just update the /usr/libexec/sudo/sudoers.so file with sudoers.so.el6.i386 or sudoers.so.el6.x86_64.
I'm afraid there's no difference in behavior from the last test.
There was an error in the last version. Can you try just replacing sudoers.so with the new version from ftp://ftp.sudo.ws/pub/millert/sudo/?
The latest patch worked for me. Thank you!
The fix is present in sudo 1.8.8b1, which is available now.
Fixed in sudo 1.8.8