Bug 960 - Upon upgrading TCMsudo on Solaris 10 to version 1.9.5p2, fails
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.9.5
Hardware: Sun Solaris 2.x
Importance: low high
Assigned To: Todd C. Miller
Reported: 2021-02-05 12:26 MST by BastJ
Modified: 2021-09-11 15:58 MDT

Attachments
full /etc/sudoers file (237.78 KB, application/octet-stream)
2021-02-17 15:21 MST, BastJ
Description BastJ 2021-02-05 12:26:00 MST
After upgrading, when a user types sudo su -, it errors saying user not found.
It's as if this version is not looking at the /etc/sudoers file.

root # sudo su -
Feb  5 13:24:40 uxtst204 sudo: [ID 183074 auth.alert]     root : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/var/tmp ; USER=root ; COMMAND=/usr/bin/su -
root is not in the sudoers file.  This incident will be reported.

I upgraded from 1.8.22.   If I pkgrm, then pkgadd the old version it works fine.
Comment 1 Todd C. Miller 2021-02-05 14:15:09 MST
Unfortunately, I no longer have a Solaris 10 SPARC system to test on so the SPARC packages are cross-compiled.  It is possible that there is a configure-related issue when cross-compiling (the Solaris 10 Intel package does work).

I can use the gcc compile farm infrastructure to build Solaris 10/SPARC packages, which is what I do for Solaris 11.  Can you try one of the following packages and see if it works for you?

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-1.9.5p2-sol10.sparc.pkg.gz

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-ldap-1.9.5p2-sol10.sparc.pkg.gz
Comment 2 BastJ 2021-02-05 14:22:25 MST
No, it has the same issue.

Interesting though, I downloaded the CSWsudo from OpenCSW and that works fine.  It's version 1.9.4.
Comment 3 Todd C. Miller 2021-02-05 14:28:51 MST
Strange.  Just to verify, here are the md5 checksums for the updated versions:

TCMsudo-1.9.5p2-sol10.sparc.pkg.gz       f9159d5bb8ae6cba03a50155db3dd068
TCMsudo-ldap-1.9.5p2-sol10.sparc.pkg.gz  0908bcb5d4bc82d73aafdb9c90dec322
Comment 4 Todd C. Miller 2021-02-05 14:34:07 MST
If you were using the Opencsw version of sudo it probably has a different path to the sudoers file.  The TCMsudo packages from sudo.ws use /etc/sudoers, not /opt/csw/etc/sudoers.  Maybe that is the problem?
Comment 5 BastJ 2021-02-05 15:16:00 MST
I was always using your TCMsudo with /etc/sudoers

Checksums match my downloaded files
Comment 6 BastJ 2021-02-05 15:23:34 MST
How is the path to /etc/sudoers configured?  It seems that this version is not using the /etc/sudoers file, thus indicating my userid is not in the sudoers file, but in fact it is...

uxtst204:/opt/toolbox/admin/c01393
root # su - c01393
-bash-3.2$ /usr/local/bin/sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Enter the password for c01393 :
c01393 is not in the sudoers file.  This incident will be reported.
Feb  5 16:21:36 uxtst204 sudo: [ID 183074 auth.alert]   c01393 : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/home/c01393 ; USER=root ; COMMAND=/usr/bin/su -
-bash-3.2$
Comment 7 BastJ 2021-02-05 15:25:02 MST
Checking the /etc/sudoers file, my id is in there

root # grep c01393 /etc/sudoers
User_Alias GROUP_SUDO_IT_HPS_UNIX_TEAM=d31695,k68297,v98856,j06440,c84521,c01393,v00513,v14703,c05177,v02851
Comment 8 Todd C. Miller 2021-02-05 15:35:39 MST
If you run sudo -V | grep "Sudoers path" it should show:

Sudoers path: /etc/sudoers
Comment 9 BastJ 2021-02-06 10:25:47 MST
uxtst204:/
root # pkginfo TCMsudo
application TCMsudo sudo 1.9.5p2

uxtst204:/
root # sudo -V | grep "Sudoers path"
Sudoers path: /etc/sudoers

uxtst204:/
root # sudo su -
root is not in the sudoers file.  This incident will be reported.

uxtst204:/
root # su - c01393

-bash-3.2$ /usr/local/bin/sudo su -
Enter the password for c01393 :
c01393 is not in the sudoers file.  This incident will be reported.
Feb  6 11:20:45 uxtst204 last message repeated 1 time
Feb  6 11:22:00 uxtst204 sudo: [ID 183074 auth.alert]   c01393 : user NOT in sudoers ; HOST=uxtst204 ; TTY=pts/1 ; PWD=/home/c01393 ; USER=root ; COMMAND=/usr/bin/su -
Comment 10 BastJ 2021-02-06 10:46:16 MST
In the sudo -V output, there are some differences in the following, but not sure if that is the issue?

uxtst203:/
root # sudo -V
Sudo version 1.8.22
Configure options: --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --build=i386-pc-solaris2.11 --host=sparc-sun-solaris2.10 --with-project --disable-tmpfiles.d
Sudoers policy plugin version 1.8.22
Sudoers file grammar version 46

Sudoers path: /etc/sudoers


uxtst204:/
root # sudo -V
Sudo version 1.9.5p2
Configure options: --with-insults=disabled --with-logging=syslog --with-logfac=auth --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor --enable-warnings --disable-hardening --enable-package-build --with-project --disable-tmpfiles.d
Sudoers policy plugin version 1.9.5p2
Sudoers file grammar version 48

Sudoers path: /etc/sudoers
Comment 11 Todd C. Miller 2021-02-08 13:02:40 MST
I don't see any configure options that would explain the difference in behavior.  I could try building sudo with the Solaris compiler instead of gcc but that shouldn't really make a difference.

You can enable the debug log in /etc/sudo.conf which may give some insight into what is going wrong.

The following in /etc/sudo.conf will log a lot of details:

Debug sudoers.so /var/log/sudoers_debug all@debug

Whereas the following will only log things related to matching in sudoers (which is probably all you need)

Debug sudoers.so /var/log/sudoers_debug match@debug

In addition to logging the function calls there will be info on user and command matches in the log file.  E.g.

user millert matches sudoers user millert: true @ userpw_matches()
...
user command "/usr/bin/id" matches sudoers command "/bin/ksh", chroot /var/www: false @ command_matches()
Comment 12 BastJ 2021-02-08 13:22:59 MST
Here's what the log is showing.

uxtst204:/var/log
root # cat sudoers_debug
Feb  8 14:20:24 sudo[14141] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:24 sudo[14141] <- runas_getgroups @ ./match.c:141 := 6c748
Feb  8 14:20:24 sudo[14141] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:24 sudo[14141] <- runas_getgroups @ ./match.c:141 := 6c748
Feb  8 14:20:24 sudo[14141] -> userlist_matches @ ./match.c:119
Feb  8 14:20:24 sudo[14141] -> user_matches @ ./match.c:75
Feb  8 14:20:24 sudo[14141] -> userlist_matches @ ./match.c:119
Feb  8 14:20:24 sudo[14141] -> user_matches @ ./match.c:75
Feb  8 14:20:24 sudo[14141] -> userpw_matches @ ./match.c:454
Feb  8 14:20:24 sudo[14141] user root matches sudoers user dummy: false @ userpw_matches() ./match.c:470
Feb  8 14:20:24 sudo[14141] <- userpw_matches @ ./match.c:471 := false
Feb  8 14:20:24 sudo[14141] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:24 sudo[14141] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:24 sudo[14141] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:24 sudo[14141] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:58 sudo[14355] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:58 sudo[14355] <- runas_getgroups @ ./match.c:141 := 6c6b8
Feb  8 14:20:58 sudo[14355] -> runas_getgroups @ ./match.c:132
Feb  8 14:20:58 sudo[14355] <- runas_getgroups @ ./match.c:141 := 6c6b8
Feb  8 14:20:58 sudo[14355] -> userlist_matches @ ./match.c:119
Feb  8 14:20:58 sudo[14355] -> user_matches @ ./match.c:75
Feb  8 14:20:58 sudo[14355] -> userlist_matches @ ./match.c:119
Feb  8 14:20:58 sudo[14355] -> user_matches @ ./match.c:75
Feb  8 14:20:58 sudo[14355] -> userpw_matches @ ./match.c:454
Feb  8 14:20:58 sudo[14355] user c01393 matches sudoers user dummy: false @ userpw_matches() ./match.c:470
Feb  8 14:20:58 sudo[14355] <- userpw_matches @ ./match.c:471 := false
Feb  8 14:20:58 sudo[14355] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:58 sudo[14355] <- userlist_matches @ ./match.c:125 := -1
Feb  8 14:20:58 sudo[14355] <- user_matches @ ./match.c:106 := -1
Feb  8 14:20:58 sudo[14355] <- userlist_matches @ ./match.c:125 := -1
Comment 13 BastJ 2021-02-17 07:37:08 MST
Any updates on why this is occurring based on my output I sent?
Comment 14 Todd C. Miller 2021-02-17 14:30:37 MST
That debug output makes it look like the only entry in /etc/sudoers is a rule for user "dummy".  When I create a sudoers file like the following:

User_Alias GROUP_SUDO_IT_HPS_UNIX_TEAM=d31695,k68297,v98856,j06440,c84521,c01393,v00513,v14703,c05177,v02851

GROUP_SUDO_IT_HPS_UNIX_TEAM ALL = ALL

I see debug output like:

Feb 17 16:23:34 sudo[776] -> runas_getgroups @ ./match.c:132
Feb 17 16:23:34 sudo[776] <- runas_getgroups @ ./match.c:141 := 0x80966d8
Feb 17 16:23:34 sudo[776] -> userlist_matches @ ./match.c:119
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userlist_matches @ ./match.c:119
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v02851: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user c05177: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v14703: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user v00513: false @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := -1
Feb 17 16:23:34 sudo[776] -> user_matches @ ./match.c:75
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user c01393 matches sudoers user c01393: true @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := true
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := 1
Feb 17 16:23:34 sudo[776] <- userlist_matches @ ./match.c:125 := 1
Feb 17 16:23:34 sudo[776] <- user_matches @ ./match.c:106 := 1
Feb 17 16:23:34 sudo[776] <- userlist_matches @ ./match.c:125 := 1
Feb 17 16:23:34 sudo[776] -> hostlist_matches_int @ ./match.c:294
Feb 17 16:23:34 sudo[776] -> host_matches @ ./match.c:328
Feb 17 16:23:34 sudo[776] <- host_matches @ ./match.c:360 := 1
Feb 17 16:23:34 sudo[776] <- hostlist_matches_int @ ./match.c:301 := 1
Feb 17 16:23:34 sudo[776] -> runaslist_matches @ ./match.c:161
Feb 17 16:23:34 sudo[776] -> userpw_matches @ ./match.c:454
Feb 17 16:23:34 sudo[776] user root matches sudoers user root: true @ userpw_matches() ./match.c:470
Feb 17 16:23:34 sudo[776] <- userpw_matches @ ./match.c:471 := true
Feb 17 16:23:34 sudo[776] <- runaslist_matches @ ./match.c:167 := 1
Feb 17 16:23:34 sudo[776] -> cmnd_matches @ ./match.c:395
Feb 17 16:23:34 sudo[776] <- cmnd_matches @ ./match.c:419 := 1

You can see each user in the alias being compared in the debug log above.  I would expect to see something similar from your system.
Comment 15 BastJ 2021-02-17 15:02:06 MST
I do have a valid /etc/sudoers file that is working fine on the older version of sudo.  My /etc/sudoers file has 2,645 lines in it.
Comment 16 BastJ 2021-02-17 15:08:23 MST
Ok, so I created a new /etc/sudoers and put just what you had in it.  And it seems to get the results you expect.  Could it be something in the /etc/sudoers file that's causing the issue?
Comment 17 BastJ 2021-02-17 15:10:29 MST
Feb 17 16:05:52 sudo[5359] -> runas_getgroups @ ./match.c:132
Feb 17 16:05:52 sudo[5359] <- runas_getgroups @ ./match.c:141 := 4d9f0
Feb 17 16:05:52 sudo[5359] -> runas_getgroups @ ./match.c:132
Feb 17 16:05:52 sudo[5359] <- runas_getgroups @ ./match.c:141 := 4d9f0
Feb 17 16:05:52 sudo[5359] -> userlist_matches @ ./match.c:119
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userlist_matches @ ./match.c:119
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v02851: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c05177: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v14703: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v00513: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c01393: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user c84521: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user j06440: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user v98856: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user k68297: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] -> user_matches @ ./match.c:75
Feb 17 16:05:52 sudo[5359] -> userpw_matches @ ./match.c:454
Feb 17 16:05:52 sudo[5359] user root matches sudoers user d31695: false @ userpw_matches() ./match.c:470
Feb 17 16:05:52 sudo[5359] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] <- userlist_matches @ ./match.c:125 := -1
Feb 17 16:05:52 sudo[5359] <- user_matches @ ./match.c:106 := -1
Feb 17 16:05:52 sudo[5359] <- userlist_matches @ ./match.c:125 := -1
Comment 18 BastJ 2021-02-17 15:19:31 MST
Logged in as c01393, I get the match in the debug.

Feb 17 16:13:14 sudo[5743] <- userpw_matches @ ./match.c:471 := false
Feb 17 16:13:14 sudo[5743] <- user_matches @ ./match.c:106 := -1
Feb 17 16:13:14 sudo[5743] -> user_matches @ ./match.c:75
Feb 17 16:13:14 sudo[5743] -> userpw_matches @ ./match.c:454
Feb 17 16:13:14 sudo[5743] user c01393 matches sudoers user c01393: true @ userpw_matches() ./match.c:470

So now with my full /etc/sudoers in place it's back to dummy again...

Feb 17 16:17:02 sudo[5860] user c01393 matches sudoers user dummy: false @ userpw_matches() ./match.c:470

Could you look at my full /etc/sudoers to see if there's an invalid entry causing an issue with this specific new version of sudo?
Comment 19 BastJ 2021-02-17 15:21:25 MST
Created attachment 551 [details]
full /etc/sudoers file

Please review the file to determine why it is resulting in dummy false matches
Comment 20 Todd C. Miller 2021-02-17 15:33:49 MST
I can reproduce the problem with your full sudoers file, thanks.  I should be able to debug the problem now.
Comment 21 Todd C. Miller 2021-02-17 17:23:18 MST
There was a bug in the emulation of the getdelim() function on older systems that lack it.  The bug only showed up when reading files with lines larger than around 2047 bytes.

This is fixed by https://www.sudo.ws/repos/sudo/rev/d6dd6893b38a

It only affected the Solaris 10 and HP-UX packages--all the others have a native getdelim() function.

I've rebuilt the affected 1.9.5p2 packages with the fix, e.g.

https://www.sudo.ws/dist/packages/1.9.5p2/TCMsudo-1.9.5p2-sol10.sparc.pkg.gz

MD5 checksum b37df223e0189d98b69eb2f1723ed577
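
Added example (not part of the thread, not sudo's code and not the change in the linked revision): Comment 21 traces the failure to a getdelim() emulation that misbehaved on lines longer than about 2047 bytes, so a replacement of this kind needs a regression check with such a line. The function name `compat_getdelim`, the 128-byte starting size and the constructed `BIG` alias are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical fallback with getdelim()'s contract: returns the number of
 * bytes read (delimiter included), or -1 if nothing could be read. */
ssize_t compat_getdelim(char **bufp, size_t *sizep, int delim, FILE *fp)
{
    size_t len = 0;
    int ch;

    if (bufp == NULL || sizep == NULL || fp == NULL) return -1;
    if (*bufp == NULL) *sizep = 0;
    while ((ch = getc(fp)) != EOF) {
        /* Need room for this byte and the NUL; after growing, keep writing
         * at the same offset in the (possibly moved) buffer. */
        if (len + 2 > *sizep) {
            size_t newsize = *sizep ? *sizep * 2 : 128;
            char *p = realloc(*bufp, newsize);
            if (p == NULL) return -1;
            *bufp = p;
            *sizep = newsize;
        }
        (*bufp)[len++] = (char)ch;
        if (ch == delim) break;
    }
    if (len == 0) return -1;
    (*bufp)[len] = '\0';
    return (ssize_t)len;
}

/* Constructed check: one User_Alias line with `members` names, then a rule.
 * Returns 1 only if both lines are read back whole. */
int long_line_roundtrips(size_t members)
{
    FILE *fp = tmpfile();
    char *line = NULL;
    size_t size = 0, want, i;
    int ok;
    if (fp == NULL) return 0;
    want = (size_t)fprintf(fp, "User_Alias BIG=");
    for (i = 0; i < members; i++)
        want += (size_t)fprintf(fp, "u%05lu%c", (unsigned long)i, i + 1 < members ? ',' : '\n');
    fputs("BIG ALL = ALL\n", fp);
    rewind(fp);
    ok = compat_getdelim(&line, &size, '\n', fp) == (ssize_t)want &&
         strlen(line) == want && line[want - 1] == '\n';
    ok = ok && compat_getdelim(&line, &size, '\n', fp) == 14 && strcmp(line, "BIG ALL = ALL\n") == 0;
    free(line);
    fclose(fp);
    return ok;
}

int main(void) { puts(long_line_roundtrips(700) ? "intact" : "truncated"); return 0; }
```

With 700 members the alias line is about 4.9 KB, well past the length at which the thread's sudoers file stopped parsing correctly.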
Comment 22 BastJ 2021-02-18 11:57:08 MST
Ok, thanks, testing on our systems now...  Looking good

-Jeff
Comment 23 BastJ 2021-02-18 11:58:34 MST
Resolved