804123 – sudo does not call pam_close_session() or pam_end()

Bug 804123 - sudo does not call pam_close_session() or pam_end()

Summary: sudo does not call pam_close_session() or pam_end()

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	sudo
Sub Component:
Version:	6.2
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	6.4
Assignee:	Daniel Kopeček
QA Contact:	Aleš Mareček
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	782183
TreeView+	depends on / blocked

Reported:	2012-03-16 15:14 UTC by Dustin Black
Modified:	2020-12-11 11:35 UTC (History)
CC List:	5 users (show)
Fixed In Version:	sudo-1.8.6p3-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Passing a different PAM handle to PAM API functions where the same handle should be used. This is caused by initializing the global variable holding the PAM handle from a child process, which has a separate address space and thus the initialization has no effect on the parent's PAM handle where the pam_end_sessions functions is called. Consequence: (from comment #3) A module may rely on being called at session close in order to release resources or make important administrative changes, which now won't happen. Fix: Fixed by rebasing to a newer upstream version which uses the PAM API correctly, i.e. initializes one PAM handle and uses it in all related PAM API function calls. Result: PAM session is closed correctly.
Clone Of:
Environment:
Last Closed:	2013-02-21 09:44:15 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:0363	0	normal	SHIPPED_LIVE	sudo bug fix and enhancement update	2013-02-20 20:52:59 UTC

Description Dustin Black 2012-03-16 15:14:47 UTC

Description of problem:
When configured to use the "session" function of a PAM module, sudo calls pam_open_session(), but never calls pam_close_session() or pam_end() to close the session.

Version-Release number of selected component (if applicable):
sudo-1.7.4p5-7.el6

How reproducible:
With the code instrumented to show the pid and status of the pamh handle in both places, this is clear:

$ sudo true
** pam_init: pid 24820, pamh is set
** pam_end_session: pid 24819, pamh is null

Steps to Reproduce:
1.
2.
3.
  
Actual results:
pam_close_session() or pam_end() are never called to end the session


Expected results:
pam_close_session() or pam_end() are called appropriately

Additional info:
In auth/pam.c, there is this:

static pam_handle_t *pamh;	/* global due to pam_prep_user() */

This defines a static global variable to hold the PAM handle, which is initialized in pam_init(), and should be used in pam_end_session() to end the session. The use of the global variable for coordination is broken, however, because pam_init() is called in a subprocess, whereas pam_end_session() is called later in the parent process; thus, the handle is always NULL when pam_end_session() runs, and sudo never calls the PAM session close method.

Comment 2 Karel Srot 2012-07-31 07:17:57 UTC

Hi,
does this bug has any consequences that can be observed? I mean, is there any memory leak, error message,.. Can we check the bug/fix in some "common way", different from mentioned approach, gdb or systemtap...?

Comment 3 Dustin Black 2012-09-06 01:56:43 UTC

The issue was identified through code analysis, rather than through any known ill effect, afaik. The argument is that sudo does not follow PAM conventions, and it could prevent PAM modules from working correctly, in perhaps significant ways. A module may rely on being called at session close in order to release resources or make important administrative changes, which now won't happen. This is especially a concern considering that this is a security-critical component.

Comment 9 errata-xmlrpc 2013-02-21 09:44:15 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0363.html

Note You need to log in before you can comment on or make changes to this bug.