Your message dated Mon, 20 Oct 2014 21:29:57 +0000
with message-id <e1xgkwb-0003jf...@franck.debian.org>
and subject line Bug#764817: fixed in sudo 1.8.11p1-2
has caused the Debian Bug report #764817,
regarding sudo: Silently fails to execute any commands if kernel compiled with !AUDIT
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
764817: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764817
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sudo
Version: 1.8.11p1-1
Severity: normal

After upgrade to 1.8.11p1-1 from 1.3.10p3, sudo silently fails to
execute any commands if the kernel is compiled with !AUDIT. For
example, as root:

# sudo echo foo
# 

Nothing in the logs indicates anything wrong either, even if the debug
level is set to diag; sudo just exits.

There is code that tries to handle this in
plugins/sudoers/linux_audit.c, but it fails miserably:

------------------------------------------------------------
if (au_fd == -1) {
    /* Kernel may not have audit support. */
    if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
        sudo_warn(U_("unable to open audit system"));
        au_fd = AUDIT_NOT_CONFIGURED;
    }
}
------------------------------------------------------------

Obviously, it should require errno to be *either* EINVAL,
EPROTONOSUPPORT or EAFNOSUPPORT, not *all of them*.

After applying the attached patch, sudo no longer fails, but warns:

------------------------------------------------------------
# sudo echo foo
sudo: unable to open audit system: Protocol not supported
foo
------------------------------------------------------------

        Sami


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libaudit1       1:2.4-1
ii  libc6           2.19-11
ii  libpam-modules  1.1.8-3.1
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  zlib1g          1:1.2.8.dfsg-2

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
Description: Make sudo work if kernel compiled with !AUDIT
  The code in linux_audit.c tries to handle the case where the kernel
  has been compiled without AUDIT support, but fails miserably.
Author: Sami Liedes <sami.lie...@iki.fi>

---

--- sudo-1.8.11p1.orig/plugins/sudoers/linux_audit.c
+++ sudo-1.8.11p1/plugins/sudoers/linux_audit.c
@@ -57,7 +57,7 @@ linux_audit_open(void)
     au_fd = audit_open();
     if (au_fd == -1) {
 	/* Kernel may not have audit support. */
-	if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
+	if (errno != EINVAL || errno != EPROTONOSUPPORT || errno != EAFNOSUPPORT) {
 	    sudo_warn(U_("unable to open audit system"));
 	    au_fd = AUDIT_NOT_CONFIGURED;
 	}
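
Review bot: the condition on the + line, "errno != EINVAL || errno != EPROTONOSUPPORT || errno != EAFNOSUPPORT", is always true, because errno holds a single value and therefore differs from at least two of the three constants. With it, every audit_open() failure takes the sudo_warn() and AUDIT_NOT_CONFIGURED path, including errors that have nothing to do with a kernel built without audit support, and the "Kernel may not have audit support" case itself still prints the warning. The - line was already the correct spelling of "errno is none of these three"; what the block lacks is a branch for the opposite case. Suggest testing the three values with == joined by ||, setting au_fd = AUDIT_NOT_CONFIGURED in that branch without a warning, and leaving sudo_warn() for the else branch so that a genuine failure to open the audit system stays distinguishable from missing kernel support.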

Attachment: signature.asc
Description: Digital signature


--- End Message ---
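
The errno test discussed in the report above, modelled as an added example (not code from the report or from sudo): it compares the quoted condition, the patched condition and a two-branch variant over a few errno values. The AUDIT_NOT_CONFIGURED value, the function names and the two-branch variant au_fd_split() are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
/* Stand-in value for this example; sudo's own definition is not on the page. */
#define AUDIT_NOT_CONFIGURED (-2)

/* Condition as quoted in the report (the "-" line of the patch). */
static int cond_original(int e) {
    return e != EINVAL && e != EPROTONOSUPPORT && e != EAFNOSUPPORT;
}

/* Condition proposed by the attached patch (the "+" line). */
static int cond_patched(int e) {
    return e != EINVAL || e != EPROTONOSUPPORT || e != EAFNOSUPPORT;
}

/* Model of the quoted block once audit_open() has returned -1: returns the
 * au_fd left behind and sets *warned where sudo_warn() would be called. */
static int au_fd_after(int (*cond)(int), int e, int *warned) {
    int au_fd = -1;
    *warned = 0;
    if (cond(e)) {
        *warned = 1;
        au_fd = AUDIT_NOT_CONFIGURED;
    }
    return au_fd;
}

/* Hypothetical two-branch variant: the three "no audit support" errno values
 * are tolerated quietly; any other failure warns and stays an error (-1). */
static int au_fd_split(int e, int *warned) {
    *warned = 0;
    if (e == EINVAL || e == EPROTONOSUPPORT || e == EAFNOSUPPORT)
        return AUDIT_NOT_CONFIGURED;
    *warned = 1;
    return -1;
}
int main(void) {
    /* Constructed sample errno values: three "no audit" codes, two unrelated. */
    const int e[] = { EINVAL, EPROTONOSUPPORT, EAFNOSUPPORT, EACCES, EMFILE };
    for (size_t i = 0; i < sizeof e / sizeof e[0]; i++) {
        int w1, w2, w3;
        int a = au_fd_after(cond_original, e[i], &w1);
        int b = au_fd_after(cond_patched, e[i], &w2);
        int c = au_fd_split(e[i], &w3);
        printf("errno=%3d original fd=%2d warn=%d | patched fd=%2d warn=%d | "
               "split fd=%2d warn=%d\n", e[i], a, w1, b, w2, c, w3);
    }
    return 0;
}
```

The quoted condition leaves au_fd at -1 with no warning for the three "no audit" codes, which matches the silent exit described in the report, while the patched condition warns and yields AUDIT_NOT_CONFIGURED for every errno, EACCES and EMFILE included.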
--- Begin Message ---
Source: sudo
Source-Version: 1.8.11p1-2

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 764...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bd...@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 Oct 2014 11:06:44 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source amd64
Version: 1.8.11p1-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bd...@gag.com>
Changed-By: Bdale Garbee <bd...@gag.com>
Description:
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 762465 764817
Changes:
 sudo (1.8.11p1-2) unstable; urgency=low
 .
   * patch from Jakub Wilk to fix 'ignoring time stamp from the future'
     messages, closes: #762465
   * upstream patch forwarded by Laurent Bigonville that fixes problem with
     Linux kernel auditing code, closes: #764817

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
