Message-ID: <1699.63.68.129.181.1011630837.squirrel@test.outloud.org>
Date: Mon, 21 Jan 2002 11:33:57 -0500 (EST)
Subject: Re: sudo redu
From: "Storms of Perfection"
In-Reply-To: <20020120041357U.matusita@jp.FreeBSD.org>
References: <20020120041357U.matusita@jp.FreeBSD.org>
Sender: owner-freebsd-current@FreeBSD.ORG

The problem(s) with sudo have been fixed in the latest sudo CVS release. This works for me on -CURRENT as of December 16th, 2001 and RELENG_4

--- /tmp/sudo-1.6.5p1/auth/pam.c Mon Dec 31 12:18:12 2001 +++ /home/ancient/test/sudo/auth/pam.c Mon Jan 21 06:54:37 2002 @@ -66,7 +66,7 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: pam.c,v 1.23 2001/12/31 17:18:12 millert Exp $"; +static const char rcsid[] = "$Sudo: pam.c,v 1.25 2002/01/20 19:21:33 millert Exp $"; #endif /* lint */ static int sudo_conv __P((int, PAM_CONST struct pam_message **, 
@@ -163,7 +163,6 @@ struct pam_conv pam_conv; pam_handle_t *pamh; const char *s; - int error; /* We need to setup a new PAM session for the user we are changing *to*. */ pam_conv.conv = sudo_conv; @@ -176,16 +175,19 @@ if (strcmp(user_tty, "unknown")) (void) pam_set_item(pamh, PAM_TTY, user_tty); - /* Set credentials (may include resource limits, device ownership, etc). */ - if ((error = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { - if ((s = pam_strerror(pamh, error))) - log_error(NO_EXIT|NO_MAIL, "pam_setcred: %s", s); - } + /* + * Set credentials (may include resource limits, device ownership, etc). + * We don't check the return value here because in Linux-PAM 0.75 + * it returns the last saved return code, not the return code + * for the setcred module. Because we haven't called pam_authenticate (), + * this is not set and so pam_setcred() returns PAM_PERM_DENIED. + */ + (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); - if (pam_end(pamh, error) != PAM_SUCCESS) + if (pam_end(pamh, PAM_SUCCESS) == PAM_SUCCESS) + return(PAM_SUCCESS); + else return(AUTH_FAILURE); - - return(error == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE); } /* 
@@ -219,7 +221,9 @@ /* Read the password. */ pr->resp = estrdup((char *) tgetpass(p, def_ival(I_PASSWD_TIMEOUT) * 60, tgetpass_flags)); - if (pr->resp == NULL || *pr->resp == '\0') + if (pr->resp == NULL) + pr->resp = ""; + if (*pr->resp == '\0') nil_pw = 1; /* empty password */ break; case PAM_TEXT_INFO:

> FYI: pam_setcred() call seems used in OpenSSH, ftpd, rshd, login, and
> su already included in FreeBSD source code.
>
> imp> OK. This looks like a problem in 1.6.4p1 of sudo. It isn't a problem
> imp> with 1.6.3p7_2. 1.6.4 works on -stable, but not -current.
>
> I've checked about new sudo's behavior on some OSes:
>
> Debian (woody)          sudo-1.6.4.1   OK (tested on 1 machine)
> FreeBSD 2.2.8-RELEASE   sudo-1.6.5.1   OK (tested on 1 machine)
> FreeBSD 3.4-stable      sudo-1.6.5.1   NG (tested on 1 machine)
> FreeBSD 4-stable        sudo-1.6.5.1   OK (tested on some machines)
> FreeBSD 5-current       sudo-1.6.5.1   OK / NG (tested on some machines)
>
> "OK / NG" means that "some machines work fine, but some machines goes
> wrong".
>
> ***
>
> I don't know what's the real problem, but it seems that sudo doesn't
> have the problem IMHO. Anyone has a solution about this problem?
>
> -- -
> Makoto `MAR' Matsushita

Gary Stanley
Network Security Engineer
PRECISIONet, Inc.
(877) 595-8570

Tickle us, do we not laugh? Prick us, do we not bleed? Wrong us, shall we
not revenge?" (Merchant of Venice II i 56-63, paraphrase)
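Review bot: In the hunk at @@ -176,16 +175,19 @@, the new success path ends with `return(PAM_SUCCESS);` while the failure path still returns `AUTH_FAILURE` and the removed line returned `AUTH_SUCCESS`, so the function now mixes PAM status codes with sudo's own auth result codes and is only correct if the two success constants happen to share a value. Returning `AUTH_SUCCESS` there keeps the contract the callers were written against. Separately, `(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);` discards the result on every platform, not just Linux-PAM 0.75 as the new comment describes, and the `log_error(NO_EXIT|NO_MAIL, "pam_setcred: %s", s)` call is gone with it. On a PAM implementation that does report the setcred module's own status, a real failure to establish resource limits or device ownership would pass without any log entry; keeping the log line while not failing on the result would preserve the audit trail.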
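Review bot: In the hunk at @@ -219,7 +221,9 @@, `pr->resp = "";` stores a pointer to a string literal in a field that the line above fills from `estrdup()`, so the response is heap-allocated in one case and static in the other. PAM conversation responses are released with free() by the consumer of the response array, and calling free() on a literal is undefined behaviour. Using `pr->resp = estrdup("");` keeps the ownership uniform and leaves the `nil_pw = 1` check that follows unchanged. The hunk also leaves `estrdup()` being called on the `tgetpass()` result before the NULL test, so it depends on `estrdup()` tolerating a NULL argument, which is not visible in these lines.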