Bug 1885874
Summary: double free in sss_to_sudoers
Product: [Fedora] Fedora
Component: sudo
Version: 32
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Hardware: Unspecified
OS: Linux
Type: Bug
Keywords: Reopened
Reporter: Avi Kivity <avi.kivity>
Assignee: Radovan Sroka <rsroka>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, alakatos, atikhono, jhrozek, kzak, lslebodn, mattdm, mzidek, nphilipp, pbrezina, rharwood, rsroka, sbose, ssorce, sssd-maintainers, tosykora, zfridric
Fixed In Version: sudo-1.9.5p1-1.fc34 sudo-1.9.5p1-1.eln108 sudo-1.9.5p1-1.fc33 sudo-1.9.5p1-1.fc32
Last Closed: 2021-01-18 20:24:06 UTC

Description
Avi Kivity
2020-10-07 08:54:37 UTC
    332 cleanup:
    333     if (cn_array != NULL)
    334         handle->fn_free_values(cn_array);
    335     if (cmnds != NULL)
   >336         handle->fn_free_values(cmnds);
    337     if (hosts != NULL)
    338         handle->fn_free_values(hosts);
    339     if (runasusers != NULL)
    340         handle->fn_free_values(runasusers);
    341     if (runasgroups != NULL)
    342         handle->fn_free_values(runasgroups);
    343     if (opts != NULL)
    344         handle->fn_free_values(opts);
    345     if (notbefore != NULL)
    346         handle->fn_free_values(notbefore);
    347     if (notafter != NULL)
    348         handle->fn_free_values(notafter);
    349

Update: a reinstall+re-enroll of the client system (e.g. reformatting everything) did not fix the problem. Removing the host entry from the ipa server and re-enrolling fixed it. So it looks like bad data from the server gets the client very confused.

Are you still able to reproduce it? Can you share how the sudo rules are defined?

> Are you still able to reproduce it?

No, I dropped the host in ipa and re-created it, and now the client does not crash.

> Can you share how the sudo rules are defined?

The sudo rules allow all without password for a group of users to a group of hosts, to which that host belonged (and I belong to the list of users). If you tell me how to export the rules to text form, I can do that.

To be clear: you kept the rule in the IPA server, you destroyed, re-created and re-enrolled the host (where sudo runs) and this fixed the issue? So you did not change the sudo rule?

I destroyed, re-created, and re-enrolled the host, but this did NOT fix the problem. The newly installed host still crashed in `sudo -s` and similar. I then removed the host entry from the ipa server, and then re-re-enrolled the host. It then started working. (after re-enrolling the host in the second iteration, which worked, I also had to re-add the host to the host group, of course).

Thank you, from what you are saying it looks like some property of the host caused it.
This seems like a valid bug, however I will close it for insufficient information since you can no longer reproduce it and we have nothing to catch on. Please, if you do reproduce it reopen the issue and attach the sudo and sssd-sudo logs (see https://sssd.io/docs/users/troubleshooting/sudo_troubleshooting.html#obtaining-logs).

I did reproduce it - looks like I was mistaken and fiddling with the ipa server did not help.

Created attachment 1729597
sudo logs

Hmm. Can you also provide sssd-sudo logs with full debug level? i.e. set debug_level = 0xfff0 to [sudo] in /etc/sssd/sssd.conf, restart sssd and reproduce the issue.

Created attachment 1730580
sssd_sudo.log with debug level 0xfff0

Thank you, this was helpful. The problem is that the rule "allow sudo" does not have any commands set. So as a workaround, make sure that a command is associated with this rule or disable the rule. Nevertheless, this is a sudo bug which was already fixed in sudo upstream: https://www.sudo.ws/repos/sudo/rev/a3fe4615f039 I'm switching the component to sudo.

Thanks. The workaround worked around the bug.

The fix above is part of sudo versions 1.9.4 and later.

FEDORA-2021-a84b7821cd has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-d6630e0c7d has been pushed to the Fedora ELN stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-324479472c has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-324479472c

FEDORA-2021-234d14bfcc has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2021-234d14bfcc

FEDORA-2021-234d14bfcc has been pushed to the Fedora 32 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-234d14bfcc`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-234d14bfcc
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-324479472c has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-324479472c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-324479472c
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-324479472c has been pushed to the Fedora 33 stable repository.
If problem still persists, please make note of it in this bug report.

FEDORA-2021-234d14bfcc has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
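
The workaround given in the thread (make sure every sudo rule has a command associated with it, or disable the rule) can be checked across an export of the rules on hosts still running an unfixed sudo. The following is an added example, not code from the bug report, sudo or SSSD; it assumes the rules are available as LDIF in the sudoers LDAP schema (`objectClass: sudoRole`, attribute `sudoCommand`), and the sample entries and function names are constructed for illustration.

```python
import base64
# Constructed sample LDIF (not data from the bug report): two sudoRole
# entries, the first of which has no sudoCommand attribute at all.
SAMPLE_LDIF = """\
# constructed sample data
dn: cn=allow sudo,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn: allow sudo
sudoUser: %admins
sudoHost: +dev-
 hosts
sudoOption: !authenticate

dn: cn=backup,ou=sudoers,dc=example,dc=test
objectClass: sudoRole
cn:: YmFja3Vw
sudoUser: backup
sudoHost: ALL
sudoCommand: /usr/bin/rsync
"""

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 line folding
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():                  # blank line ends an entry
            if entry:
                yield entry
            entry = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64>" encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.lower(), []).append(value.strip())

def roles_without_commands(text):
    """Return DNs of sudoRole entries with no non-empty sudoCommand value."""
    return [e.get("dn", ["<no dn>"])[0] for e in parse_ldif(text)
            if "sudorole" in {c.lower() for c in e.get("objectclass", [])}
            and not any(e.get("sudocommand", []))]
```

Any DN returned by `roles_without_commands` is a rule to give a command or disable until the host runs a sudo build containing the upstream fix.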