Bug 1713448 - sudo fails if password expired; requests incorporation of upstream fix
Summary: sudo fails if password expired; requests incorporation of upstream fix
Keywords:
Status: CLOSED DUPLICATE of bug 1672876
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.6
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Marek Tamaskovic
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-05-23 17:32 UTC by joel
Modified: 2019-06-26 09:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-26 09:34:41 UTC
Target Upstream Version:
Embargoed:



Description joel 2019-05-23 17:32:14 UTC
Description of problem:
sudo fails if password has expired

Version-Release number of selected component (if applicable):
sudo-1.8.23-3.el7 

How reproducible:
constant; maybe feature

Steps to Reproduce:
1. Expire the user's password
2. Attempt to use sudo

Actual results:
[ssm-user@ip-172-31-12-233 ~]$ /usr/bin/sudo -i
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

Expected results:
sudo to execute command

Additional info:

RHEL7/CentOS7 - Bug in sudo-1.8.23-3.el7 impacts user accounts with expired passwords
# Description

Customers may run into issues when trying to use *sudo-1.8.23-3* with expired password accounts. This issue has been reported by a customer who applied security policies to his RHEL instances and lost the ability to run *"sudo -i"* after the **ssm-user** password has expired.

A fix is available from the community but not yet on either RHEL7 or CentOS7 repositories.

When the **ssm-user** account had its password expired, Session Manager users lost the ability to run *"sudo -i"* with the following error message:

sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

I have tested the steps to reproduce provided by the customer in **Amazon Linux 2 (ami-04481c741a0311bbb), Red Hat 7 (ami-67589505) and CentOS 7 (ami-08bd00d7713a39e7d)**, and I got the results below.

Amazon Linux 2
+ sudo-1.8.19p2-14.amzn2.x86_64 - No issues

CentOS 7
+ sudo-1.8.23-3.el7.x86_64 - ERROR

RHEL7
+ sudo-1.8.19p2-13.el7.x86_64 - No issues
+ sudo-1.8.23-3.el7.x86_64 - ERROR

Other Linux distros
Not tested

# Tests

Based on those tests, I compared some PAM configuration and libraries and also tried some slight modifications without luck. So I checked the sudo ChangeLogs, suspected **Bug #843** (https://bugzilla.sudo.ws/show_bug.cgi?id=843 ), and found that **the latest release available** in RHEL/CentOS (2018-09-25) **is older than the fix** for the bug (2018-12-07). So I decided to compile the binaries from the latest source (https://www.sudo.ws/dist/sudo-1.8.27.tar.gz ), and I was able to run sudo using an account with an expired password.

With both sudo versions installed on the system I compared the results:

1. Test with sudo 1.8.23 (latest release in Red Hat)

[ssm-user@ip-172-31-12-233 ~]$ /usr/bin/sudo -V | grep -i version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

[ssm-user@ip-172-31-12-233 ~]$ /usr/bin/sudo -i
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

2. Test with sudo 1.8.27 (compiled from source)

[ssm-user@ip-172-31-12-233 ~]$ /usr/local/bin/sudo -V | grep -i version
Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27

[ssm-user@ip-172-31-12-233 ~]$ /usr/local/bin/sudo -i
[root@ip-172-31-12-233 ~]# whoami
root

# Steps to Reproduce:

#useradd ssm-user

#echo "ssm-user ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ssm-user

#chage -l ssm-user
Last password change : May 03, 2019
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

#chage -M 7 -I 0 ssm-user

#chage -d 2019-01-01 ssm-user

#chage -l ssm-user
Last password change : Jan 01, 2019
Password expires : Jan 08, 2019
Password inactive : Jan 08, 2019
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 7
Number of days of warning before password expires : 7

#su - ssm-user
$ sudo -i
sudo: pam_open_session: System error
sudo: policy plugin failed session initialization

# Workaround

Add the following line to /etc/sudoers:

Defaults !pam_session
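
The report turns on two conditions an administrator will want to find on a fleet: accounts whose password has already expired (the state in which sudo-1.8.23-3.el7 fails at pam_open_session) and sudoers files still carrying the `Defaults !pam_session` workaround. The script below is an added example, not part of the bug report or of the sudo project: it parses `chage -l` output and sudoers text from constructed samples taken from the report, so it runs offline; on a real host you would pipe in `chage -l USER` and the sudoers file(s) instead. It assumes the C-locale date format ("Jan 08, 2019") shown in the report and the plain `Defaults` line form of the workaround.

```sh
#!/bin/sh
# Added audit helpers (not from the bug report) for the two conditions the report
# hinges on: an account whose password has expired, and the `Defaults !pam_session`
# workaround present in sudoers. Sample inputs below are constructed from the report.

# chage_expiry_yyyymmdd: read `chage -l` output on stdin and print the
# "Password expires" value as YYYYMMDD, "never", or "unknown".
# Assumes the C-locale date format "Jan 08, 2019" seen in the report.
chage_expiry_yyyymmdd() {
    awk -F': *' '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        $1 ~ /^Password expires/ {
            v = $2
            sub(/[ \t]+$/, "", v)                     # drop trailing whitespace
            if (v == "never") { print "never"; exit }
            if (v !~ /^[A-Z][a-z][a-z] [0-9][0-9]?, [0-9][0-9][0-9][0-9]$/) {
                print "unknown"; exit
            }
            split(v, p, /[ ,]+/)                      # p[1]=Mon p[2]=DD p[3]=YYYY
            printf "%04d%02d%02d\n", p[3], mon[p[1]], p[2]
            exit
        }'
}

# password_expired TODAY: TODAY given as YYYY-MM-DD. Succeeds (exit 0) when the
# chage output on stdin shows an expiry date strictly before TODAY, which is the
# state in which sudo-1.8.23-3.el7 fails with "pam_open_session: System error".
password_expired() {
    today=$(printf '%s' "$1" | tr -d '-')
    exp=$(chage_expiry_yyyymmdd)
    case "$exp" in
        never|unknown|'') return 1 ;;
    esac
    [ "$exp" -lt "$today" ]
}

# sudoers_pam_session_disabled: succeeds when the sudoers text on stdin carries the
# report's workaround `Defaults !pam_session` on an uncommented line. Assumption:
# only the plain `Defaults` form is matched, not `Defaults:user` or `Defaults@host`.
sudoers_pam_session_disabled() {
    grep -Eq '^[[:space:]]*Defaults[[:space:]]+!pam_session([[:space:]]|,|$)'
}

# Constructed sample: the `chage -l ssm-user` output from the report's reproduction.
SAMPLE_CHAGE='Last password change : Jan 01, 2019
Password expires : Jan 08, 2019
Password inactive : Jan 08, 2019
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 7
Number of days of warning before password expires : 7'

# Constructed sample sudoers text: one commented-out and one live workaround line.
SAMPLE_SUDOERS='Defaults env_reset
# Defaults !pam_session   (commented out, must not count)
Defaults !pam_session
ssm-user ALL=(ALL) NOPASSWD:ALL'

main() {
    # The report was filed on 2019-05-23, well after the Jan 08, 2019 expiry.
    if printf '%s\n' "$SAMPLE_CHAGE" | password_expired 2019-05-23; then
        echo "ssm-user: password expired; sudo-1.8.23-3.el7 will fail at pam_open_session"
    else
        echo "ssm-user: password current"
    fi
    if printf '%s\n' "$SAMPLE_SUDOERS" | sudoers_pam_session_disabled; then
        echo "sudoers: 'Defaults !pam_session' workaround present; remove once sudo is updated"
    fi
}
main
```

Treat the workaround as temporary: with `pam_session` disabled, sudo skips PAM session handling altogether, so whatever the session modules in the sudo PAM stack would have applied to the command (resource limits, for example) no longer takes effect. Once a sudo build with the fix is installed, the sudoers check above is the quick way to find hosts where the line is still in place.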

Comment 4 Marek Tamaskovic 2019-06-26 09:34:41 UTC
This patch was applied in https://bugzilla.redhat.com/show_bug.cgi?id=1672876.
Described behavior works as expected.

*** This bug has been marked as a duplicate of bug 1672876 ***

