Bug 1411050

Summary: sudo NOEXEC broken in F25
Product: [Fedora] Fedora Reporter: Citadel <bugzilla>
Component: sudoAssignee: Tomas Sykora <tosykora>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 25CC: bugzilla, dkopecek, kzak, rsroka, tosykora
Target Milestone: ---Keywords: Triaged
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-22 08:00:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Citadel 2017-01-07 21:16:24 UTC 
Description of problem:
The NOEXEC tag causes less (and probably other commands) to fail in sudo.

Version-Release number of selected component (if applicable):
sudo-1.8.18p1-1.fc25.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Add the following entry to sudoers, replacing username, hostname, and /some/restricted/file as appropriate.
  username hostname=(root) NOEXEC: NOPASSWD: /usr/bin/less /some/restricted/file
2. As user "username", run
  sudo /usr/bin/less /some/restricted/file

Actual results:
/usr/bin/less: symbol lookup error: /usr/libexec/sudo/sudo_noexec.so: undefined symbol: dlsym

Expected results:
less should run, viewing /some/restricted/file

Additional info:
This appears to be related to https://bugzilla.redhat.com/show_bug.cgi?id=1384982
Comment 1 Tomas Sykora 2017-02-21 12:46:12 UTC 
Hi,

I used your reproducer:
foo localhost=(root) NOEXEC: NOPASSWD: /usr/bin/less /home/foo/test

where /home/foo/test is an ordinary file. I could not reproduce it. What did you mean by a restricted file? Must it be something special? less command normally worked for me.
Comment 2 Citadel 2017-02-27 15:47:48 UTC 
By restricted file, I just mean a file that only root can access (owned by root, only readable by owner).
Comment 3 Tomas Sykora 2017-03-01 15:17:44 UTC 
I still can't reproduce it. But, from the upstream changelog: "Need to link sudo_noexec.so with -ldl for dlsym() on some platforms. Otherwise, the wordexp(3) wrapper will fail due to an undefined symbol." It seems that could be the issue. 

And the upstream commit in sudo 1.8.19: https://www.sudo.ws/repos/sudo/rev/120a317ce25b
Comment 4 Citadel 2017-05-01 14:42:12 UTC 
Why is this flagged as needinfo?  I do not see a new question since the last one that I answered.

I have no idea why you cannot reproduce this.  Are you certain that you are testing sudo-1.8.18p1-1.fc25.x86_64?  I just tried the latest Fedora 25 package (sudo-1.8.19p2-1.fc25.x86_64) and the problem is fixed.
Comment 5 Daniel Kopeček 2017-05-22 08:00:16 UTC 
(In reply to Citadel from comment #4)
> Why is this flagged as needinfo?  I do not see a new question since the last
> one that I answered.
> 
> I have no idea why you cannot reproduce this.  Are you certain that you are
> testing sudo-1.8.18p1-1.fc25.x86_64?  I just tried the latest Fedora 25
> package (sudo-1.8.19p2-1.fc25.x86_64) and the problem is fixed.

Great, thanks for the info. Closing.