Bug 1147498 - duplicate sss module in nsswitch breaks sudo
Summary: duplicate sss module in nsswitch breaks sudo
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Daniel Kopeček
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Duplicates: 1133140
Depends On: 1133657
Blocks: 1147497
Reported: 2014-09-29 12:16 UTC by Daniel Kopeček
Modified: 2019-07-11 08:17 UTC (History)

Fixed In Version: sudo-1.8.6p3-16.el6
Doc Type: Bug Fix
Doc Text:
Cause: Bug in the sudoers source (nsswitch.conf) processing.
Consequence: Sudo runs indefinitely when a sudoers source is mentioned more than once.
Fix: Fixed the sudoers source processing code to handle duplicate entries.
Result: Sudo process doesn't hang when duplicate sudoers source entries are present in nsswitch.conf.
Clone Of: 1133657
Environment:
Last Closed: 2015-07-22 07:36:11 UTC
Target Upstream Version:


Attachments
proposed patch (1.69 KB, patch), 2015-03-02 09:33 UTC, Daniel Kopeček


Links
System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:1409 | normal | SHIPPED_LIVE | Moderate: sudo security, bug fix, and enhancement update | 2015-07-20 18:06:58 UTC

Description Daniel Kopeček 2014-09-29 12:16:53 UTC
+++ This bug was initially created as a clone of Bug #1133657 +++

Description of problem:
As a result of ipa-client-install bug[1] my machine had the following nsswitch entry:
# grep sudo /etc/nsswitch.conf
sudoers: files sss sss

This broke sudo completely, the sudo binary never finishes.

Version-Release number of selected component (if applicable):
sudo-1.8.8-7.fc21.x86_64

How reproducible:
easy peasy

Steps to Reproduce:
1. put "sudoers: files sss sss" into nsswitch.conf
2. sudo ls
3.

Actual results:
sudo hangs

Expected results:
sudo runs to completion

Additional info:
[1] https://fedorahosted.org/freeipa/ticket/4508

This is the backtrace I'm seeing:
(gdb) bt
#0  0x00007f7f234cc21a in __libc_waitpid (pid=pid@entry=21813, stat_loc=stat_loc@entry=0x7fffbc70f64c, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:31
#1  0x00007f7f1c38944a in send_mail (fmt=fmt@entry=0x7f7f1c3b78a0 "%s") at ./logging.c:597
#2  0x00007f7f1c389e6c in vlog_warning (flags=flags@entry=8, fmt=fmt@entry=0x7f7f1c3b919e "problem with defaults entries", ap=ap@entry=0x7fffbc70faf0) at ./logging.c:467
#3  0x00007f7f1c38a7ad in log_warning (flags=flags@entry=8, fmt=fmt@entry=0x7f7f1c3b919e "problem with defaults entries") at ./logging.c:513
#4  0x00007f7f1c391c3b in sudoers_policy_init (info=info@entry=0x7fffbc70fc80, envp=envp@entry=0x7fffbc70ff08) at ./sudoers.c:158
#5  0x00007f7f1c38d4ed in sudoers_policy_open (version=65540, conversation=0x7f7f24249e30 <sudo_conversation>, plugin_printf=0x7f7f2425cde0 <_sudo_printf>, settings=0x7f7f24c8e080, 
    user_info=0x7f7f24c8c110, envp=0x7fffbc70ff08, args=0x0) at ./policy.c:547
#6  0x00007f7f242485f4 in policy_open (plugin=<optimized out>, plugin=<optimized out>, user_env=<optimized out>, user_info=<optimized out>, settings=<optimized out>) at ./sudo.c:1100
#7  main (argc=3, argv=0x7f7f24c8e080, envp=0x7fffbc70ff08) at ./sudo.c:206
(gdb) quit

--- Additional comment from Daniel Kopeček on 2014-09-15 08:18:20 EDT ---

Confirmed and reported upstream.

--- Additional comment from Daniel Kopeček on 2014-09-15 08:22:53 EDT ---

Proposed patch for the most recent upstream version. I'll fix this in Fedora as soon as upstream accepts the patch or pushes a better fix.
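
An added check, not part of the original report or of the attached patch: a POSIX shell function that flags any nsswitch.conf database line listing the same source more than once, such as the "sudoers: files sss sss" line in the description. The function name find_dup_nss_sources and the sample file are constructed for this example.

```shell
#!/bin/sh
# find_dup_nss_sources FILE [DATABASE]
# Prints "database: source" once for every source that appears more than
# once on a database line; returns 1 if any duplicate was found, else 0.
# (Function name is hypothetical, chosen for this example.)
find_dup_nss_sources() {
    awk -v want="${2:-}" '
    {
        sub(/#.*/, "")                        # strip comments
        # strip [STATUS=action] items so they are not counted as sources
        while ((a = index($0, "[")) > 0) {
            b = index(substr($0, a), "]")
            $0 = substr($0, 1, a - 1) " " (b ? substr($0, a + b) : "")
        }
        i = index($0, ":")
        if (i == 0) next                      # not a database line
        db = substr($0, 1, i - 1)
        gsub(/[ \t]/, "", db)
        if (db == "" || (want != "" && db != want)) next
        n = split(substr($0, i + 1), src)     # whitespace-separated sources
        split("", seen)                       # portable array reset
        for (k = 1; k <= n; k++)
            if (seen[src[k]]++ == 1) {        # second occurrence: report once
                print db ": " src[k]
                found = 1
            }
    }
    END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample file (not from a real host) containing the line
# from the report; a real run would pass /etc/nsswitch.conf instead.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    'passwd:  files sss' \
    'sudoers: files sss sss' \
    'hosts:   files dns [NOTFOUND=return] myhostname' > "$sample"
find_dup_nss_sources "$sample" || echo "duplicate source(s) listed above"
rm -f "$sample"
```

Passing a database name as the second argument (for example sudoers) limits the check to that line, which suits a post-install or configuration-management hook.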

Comment 2 Daniel Kopeček 2015-02-27 10:56:01 UTC
*** Bug 1133140 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Kopeček 2015-03-02 09:33:53 UTC
Created attachment 997010
proposed patch

Comment 6 errata-xmlrpc 2015-07-22 07:36:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1409.html

