** Information type changed from Public to Public Security

** Description changed:

  sudo on Ubuntu (tested on 24.04) is compiled with the --with-fqdn flag,
  which causes it to perform FQDN resolution on the machine's own hostname
  before executing any command (even when there is no Defaults fqdn line
  in /etc/sudoers).
  
  This can lead to noticeable hangs (30–60 seconds or more) if hostname
  resolution fails. For example:
  
- If the system hostname is changed via hostnamectl or GNOME Settings, but
- /etc/hosts is not updated accordingly (a common and silent
- misconfiguration).
- 
- If /etc/nsswitch.conf falls through to DNS and DNS is blocked (e.g. by a
- VPN kill-switch).
- 
- If systemd-resolved has no cached answer and cannot reach upstream
- nameservers.
+ - If the system hostname is changed via hostnamectl or GNOME Settings, but 
/etc/hosts is not updated accordingly (a common and silent misconfiguration).
+ - If /etc/nsswitch.conf falls through to DNS and DNS is blocked (e.g. by a 
VPN kill-switch).
+ - If systemd-resolved has no cached answer and cannot reach upstream 
nameservers.
  
  In this scenario, sudo hangs until name resolution times out, then
  eventually proceeds. This behavior is surprising, and introduces an
  unnecessary point of failure in a critical tool that is expected to work
  even when the network is down.
  
- Notably, upstream sudo does not enable FQDN resolution by default — this
- is a Debian/Ubuntu-specific build option (--with-fqdn). Other
- distributions like Fedora and Arch do not compile sudo this way, and do
- not exhibit this behavior unless Defaults fqdn is explicitly configured.
- 
+ Notably, upstream sudo does not enable FQDN resolution by default. This
+ behavior comes from a Debian and Ubuntu-specific build option (--with-
+ fqdn). Other distributions, such as Fedora and Arch, do not compile sudo
+ with this option and therefore do not exhibit this behavior unless
+ Defaults fqdn is explicitly set in the sudoers file.
  
  ---
  System Information:
  - Ubuntu version: 24.04.2 LTS
  - sudo version: 1.9.15p5-3ubuntu5.24.04.1
  
  ---
  
  For a detailed write-up and reproduction scenario see:
  https://anagogistis.com/posts/vpn-sudo-hang/

** Description changed:

  sudo on Ubuntu (tested on 24.04) is compiled with the --with-fqdn flag,
  which causes it to perform FQDN resolution on the machine's own hostname
  before executing any command (even when there is no Defaults fqdn line
  in /etc/sudoers).
  
- This can lead to noticeable hangs (30–60 seconds or more) if hostname
- resolution fails. For example:
- 
+ This can lead to noticeable hangs (30–60 seconds or more) if hostname 
resolution fails. For example:
  - If the system hostname is changed via hostnamectl or GNOME Settings, but 
/etc/hosts is not updated accordingly (a common and silent misconfiguration).
  - If /etc/nsswitch.conf falls through to DNS and DNS is blocked (e.g. by a 
VPN kill-switch).
  - If systemd-resolved has no cached answer and cannot reach upstream 
nameservers.
  
  In this scenario, sudo hangs until name resolution times out, then
- eventually proceeds. This behavior is surprising, and introduces an
- unnecessary point of failure in a critical tool that is expected to work
- even when the network is down.
+ eventually proceeds.
  
  Notably, upstream sudo does not enable FQDN resolution by default. This
  behavior comes from a Debian and Ubuntu-specific build option (--with-
  fqdn). Other distributions, such as Fedora and Arch, do not compile sudo
  with this option and therefore do not exhibit this behavior unless
  Defaults fqdn is explicitly set in the sudoers file.
  
  ---
  System Information:
  - Ubuntu version: 24.04.2 LTS
  - sudo version: 1.9.15p5-3ubuntu5.24.04.1
  
  ---
  
  For a detailed write-up and reproduction scenario see:
  https://anagogistis.com/posts/vpn-sudo-hang/

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2121898

Title:
  sudo hangs when hostname resolution fails due to FQDN lookup being
  enabled by default (--with-fqdn)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2121898/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs