RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1664147 - sudo modifies command output, showing "Last login: ..." info
Summary: sudo modifies command output, showing "Last login: ..." info
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.6
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: rc
: ---
Assignee: Radovan Sroka
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On: 1665679
Blocks: 1662449 1666215 1666603
TreeView+ depends on / blocked
 
Reported: 2019-01-07 21:05 UTC by Nir Soffer
Modified: 2019-01-28 11:00 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1666215 (view as bug list)
Environment:
Last Closed: 2019-01-28 11:00:56 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
proposed patch (1.17 KB, patch)
2019-01-16 07:39 UTC, Daniel Kopeček 		no flags Details | Diff
View All

Description Nir Soffer 2019-01-07 21:05:29 UTC 
Description of problem:

If sudo is configured to include session system-auth:

    $ cat /etc/pam.d/sudo
    ... 
    session    include      system-auth

And system-auth is using pam_lastlog plugin:

    $ cat /etc/pam.d/system-auth
    ... 
    session     required      pam_lastlog.so showfailed

This configuration probably try to satisfy:
http://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-nistrefs-ospp-rhel7.html
(See CCE-27275-7 Set Last Logon/Access Notification) 

Running a command in non-interactive mode will add the last login
info in the command stdout:

    $ echo "expected-output" | sudo -n cat 
    Last login: Tue Jan  1 23:31:22 IST 2019 on pts/1
    expected-output

This breaks use cases when command output is consumed by another
program. An example real use case is running LVM commands using sudo.
LVM output is built to be consumed by programs and programs assume
that sudo is not modifying the output in any way.

Here is example failure caused by this issue:
https://bugzilla.redhat.com/1662449


Version-Release number of selected component (if applicable):
$ sudo --version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23


How reproducible:
Always

Steps to Reproduce:
1. Add "session     required      pam_lastlog.so showfailed" to 
   /etc/pam.d/system-auth
2. Run "sudo true"

Actual results:
$ sudo true
Last login: Mon Jan  7 22:59:11 IST 2019 on pts/0

Expected results:
No output.

Fixed upstream in:
https://www.sudo.ws/repos/sudo/rev/b8b5d3445a3c
Comment 3 Tomas Mraz 2019-01-08 12:06:22 UTC 
I'd say that at least in the non-interactive session the sudo should just ignore all the output of the pam modules. Setting PAM_SILENT flag might not be sufficient as modules can ignore the flag (such as pam_lastlog with showfailed option).

The question also is whether pam_lastlog should be called at all from the sudo PAM configuration. Traditionally the sudo calls were not treated as full login sessions.
Comment 4 Dalibor Pospíšil 2019-01-08 13:23:11 UTC 
(In reply to Tomas Mraz from comment #3)
> I'd say that at least in the non-interactive session the sudo should just
> ignore all the output of the pam modules. Setting PAM_SILENT flag might not
> be sufficient as modules can ignore the flag (such as pam_lastlog with
> showfailed option).
> 
> The question also is whether pam_lastlog should be called at all from the
> sudo PAM configuration. Traditionally the sudo calls were not treated as
> full login sessions.

This change was introduced due to https://bugzilla.redhat.com/show_bug.cgi?id=1502630.

Proper solution is probably to maintain own pam stack config files but it breaks the system-wide settings.

Tomas, what would be the best way to go, looking from pam POV?
Comment 5 Nir Soffer 2019-01-08 13:39:51 UTC 
(In reply to Tomas Mraz from comment #3)
> I'd say that at least in the non-interactive session the sudo should just
> ignore all the output of the pam modules. Setting PAM_SILENT flag might not
> be sufficient as modules can ignore the flag (such as pam_lastlog with
> showfailed option).

Isn't this a bug in pam_lastlog that would be fixed by:
https://github.com/linux-pam/linux-pam/pull/91

It we have other modules with such issues, we can solve the issue in the 
specific modules. This will give users the power to configure what they
want.
Comment 6 Tomas Mraz 2019-01-08 13:49:06 UTC 
I am afraid there is no "best" way as all of them have some drawbacks.

IMO, sudo should be modified to suppress all the messages from PAM in the non-interactive mode. Or even better it should suppress them only if the pam session calls finish successfully in case there is some error message output in the error case. It of course means sudo would have to cache all the messages from the modules and output them only after it knows the return status.

However that does not fix the issue of resetting the bad login output for other login sessions if sudo is invoked.

That would be fixed by modifying postlogin in both pam and authconfig to have:

session     [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service != su service != su-l quiet

Alternatively sudo should not have 'session include postlogin' in /etc/pam.d/sudo. That would effectively fix everything and I am not sure it is actually that big problem. But of course the latent problem of possible modifying command output for non-interactive sudo calls would still stay but it would not pronounce with the default configuration.
Comment 7 Tomas Mraz 2019-01-08 13:51:26 UTC 
(In reply to Nir Soffer from comment #5)
> (In reply to Tomas Mraz from comment #3)
> > I'd say that at least in the non-interactive session the sudo should just
> > ignore all the output of the pam modules. Setting PAM_SILENT flag might not
> > be sufficient as modules can ignore the flag (such as pam_lastlog with
> > showfailed option).
> 
> Isn't this a bug in pam_lastlog that would be fixed by:
> https://github.com/linux-pam/linux-pam/pull/91
> 
> It we have other modules with such issues, we can solve the issue in the 
> specific modules. This will give users the power to configure what they
> want.

The thing is that pam_lastlog should not be called from sudo anyway. So yes, pam_lastlog could be fixed (and should be at least upstream to behave correctly when PAM_SILENT flag is passed in) but the problem would not be fixed "in general".
Comment 8 Nir Soffer 2019-01-12 15:01:06 UTC 
I filed bug 1665679 for the PAM_SILENT issue and set it to block this bug.

We need to backport both trivial patches for sudo and pam, or change sudo
in another way so it does not use pam_lastlog unless using running a shell
(e.g. sudo -s).
Comment 9 Tomas Mraz 2019-01-15 09:29:12 UTC 
In my opinion "fixing" it this way is wrong. Not in the sense that adding the PAM_SILENT flag is wrong but that it does not fully fix the problem. The sudo regular or non-interactive call will clear the Bad login message and update the last login message and this is clearly wrong as sudo call is not a login session. Pam_lastlog module is clearly not supposed to be called from sudo at all. I propose to completely drop the call of postlogin configuration from the /etc/pam.d/sudo configuration.
Comment 18 Daniel Kopeček 2019-01-16 07:39:03 UTC 
Created attachment 1520883 [details]
proposed patch
Comment 19 Daniel Kopeček 2019-01-16 12:54:00 UTC 
(In reply to Nir Soffer from comment #0)
> This configuration probably try to satisfy:
> http://people.redhat.com/swells/scap-security-guide/tables/table-rhel7-
> nistrefs-ospp-rhel7.html
> (See CCE-27275-7 Set Last Logon/Access Notification) 
>
> ... snip ...
> 
> Steps to Reproduce:
> 1. Add "session     required      pam_lastlog.so showfailed" to 
>    /etc/pam.d/system-auth

Why system-auth and not postlogin as per the linked USGCB rule?
Comment 20 Nir Soffer 2019-01-16 13:04:02 UTC 
(In reply to Daniel Kopeček from comment #19)
This is was found in a customer system. I don't know why and how it was
configured like this.

Do you think this configuration is invalid?
Comment 21 Daniel Kopeček 2019-01-16 16:00:22 UTC 
(In reply to Nir Soffer from comment #20)
> (In reply to Daniel Kopeček from comment #19)
> This is was found in a customer system. I don't know why and how it was
> configured like this.
> 
> Do you think this configuration is invalid?

Well, according to the USGCB rule and what Tomas said, yes, I think so.
If not invalid, then not supported for sure.
Note You need to log in before you can comment on or make changes to this bug.