From owner-freebsd-i386@FreeBSD.ORG Wed Aug 2 18:30:17 2006
Resent-Date: Wed, 2 Aug 2006 18:30:17 GMT
Resent-Message-Id: <200608021830.k72IUH3d080300@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-i386@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Patrick Wolfe
Message-Id: <200608021821.k72ILqdv021399@www.freebsd.org>
Date: Wed, 2 Aug 2006 18:21:52 GMT
From: Patrick Wolfe
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-2.3
Subject: i386/101275: bug fixed in sudo that prevented use in LDAP user account environment
List-Id: I386-specific issues for FreeBSD

>Number:         101275
>Category:       i386
>Synopsis:       bug fixed in sudo that prevented use in LDAP user account environment
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-i386
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 02 18:30:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Patrick Wolfe
>Release:        6.1
>Organization:   Employease Inc
>Environment:
FreeBSD kobe.tek.eease.com 6.1-RELEASE FreeBSD 6.1-RELEASE #0: Sun May 7 04:42:56 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP i386
>Description:
Our network uses LDAP login authentication. It's working fine on CentOS 4.3, FreeBSD 5.4 and FreeBSD 6.1, except that on the FreeBSD boxes, sudo V1.6.8p12 (from the ports tree) only works if the user has an entry in the local password file. LDAP accounts get the error message "uid ##### does not exist in the passwd file".

I did some troubleshooting, and discovered that if I comment out line 174 of file sudo.c (environ = zero_env(envp);) sudo works for LDAP accounts. I searched for the use of the "environ" variable, and learned that line 174 of sudo.c, "environ = zero_env(envp);", is not needed at all, since the value of environ is never used before it's reassigned later at line 414.

I have reported this to the SUDO maintainers as well, but thought the FreeBSD ports maintainers and any other FreeBSD/LDAP users might like to know about this fix as well. Attached is a simple patch to fix the problem.
>How-To-Repeat: - configure a FreeBSD box to use pam_ldap and nss_ldap for centralized network account management - login to said box using an account that is defined in LDAP database, NOT in the local /etc/passwd file. - attempt to run "sudo" - stare in amazement when sudo reports your uid is not found in /etc/passwd (well DUH!) >Fix: Apply this patch *** sudo.c.orig Wed Aug 2 14:13:27 2006 --- sudo.c Wed Aug 2 14:18:17 2006 *************** *** 171,177 **** #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ /* Zero out the environment. */ ! environ = zero_env(envp); if (geteuid() != 0) errx(1, "must be setuid root"); --- 171,183 ---- #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ /* Zero out the environment. */ ! /* ! * after the call to zero_env, all later calls to ! * getpwuid(getuid()) are broken for NON-LOCAL accounts, ! * and besides that, the value assigned to environ is NEVER USED. ! * ... pjw 2006-08-02 ! */ ! /*environ = zero_env(envp);*/ if (geteuid() != 0) errx(1, "must be setuid root"); >Release-Note: >Audit-Trail: >Unformatted:
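Review bot: the hunk disables `environ = zero_env(envp);` by commenting it out, so the setuid program now runs from this point until the reassignment the description places at line 414 with the caller's unsanitised environment, and that later assignment is not part of the diff; either include it in the patch so the claim that this value is never used can be checked against the code, or move the `zero_env()` call to just after the `getpwuid(getuid())` lookup it breaks, which keeps the sanitisation and still fixes the LDAP lookup. Also delete the commented-out statement and the now-misleading `/* Zero out the environment. */` comment above it rather than leaving dead code with a dated signature in the source; the rationale belongs in the commit message.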