Date:      Tue, 22 Mar 2016 08:50:54 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 208198] security/sudo-1.8.16: Segmentation Fault when using sudoers in LDAP
Message-ID:  <bug-208198-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208198

            Bug ID: 208198
           Summary: security/sudo-1.8.16: Segmentation Fault when using
                    sudoers in LDAP
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs@FreeBSD.org
          Reporter: fredrik.eriksson@loopia.se

Since upgrading to security/sudo-1.8.16 I get a segmentation fault whenever I'm
trying to use sudo as an unprivileged user. 1.8.15 worked fine.

For example: sudo -l works fine when running as root or when using a local
sudoers file, but when running as an unprivileged user and with LDAP enabled
sudo crashes with a segmentation fault.

With debugging of LDAP enabled I get this output when it crashes:

sudo: LDAP Config Summary
sudo: ====================
sudo: uri              ldap://<hostname>
sudo: ldap_version     3
sudo: sudoers_base     <sudoers-base>
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           <bind-user>
sudo: bindpw           <bind-pwd>
sudo: bind_timelimit   10
sudo: timelimit        5
sudo: ssl              start_tls
sudo: tls_cacertfile   /etc/ssl/ca_cert.crt
sudo: ====================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
Segmentation fault


Running the same as root gives me:

sudo: LDAP Config Summary
sudo: ====================
sudo: uri              ldap://<hostname>
sudo: ldap_version     3
sudo: sudoers_base     <sudoers-base>
sudo: search_filter    (objectClass=sudoRole)
sudo: netgroup_base (NONE: will use nsswitch)
sudo: netgroup_search_filter (objectClass=nisNetgroup)
sudo: binddn           <bind-user>
sudo: bindpw           <bind-pwd>
sudo: bind_timelimit   10
sudo: timelimit        5
sudo: ssl              start_tls
sudo: tls_cacertfile   /etc/ssl/ca_cert.crt
sudo: ====================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertfile -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: tls_cacert -> /etc/ssl/ca_cert.crt
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 5
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 10)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%#0)(sudoUser=%operator)(sudoUser=%#5)(sudoUser=ALL)))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: sorting remaining 2 entries
sudo: perform search for pwflag 54
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(54)=0x02
sudo: ldap search for command list
sudo: reusing previous result (user root) with 2 entries
User root may run the following commands on <localhost>:
    (ALL) ALL
    (ALL) ALL
sudo: removing reusable search result
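
The two transcripts above are the whole evidence in this report: the unprivileged run dies right after "no default options found", while the root run goes on to issue the per-user search whose filter lists every principal sudo will try to match (the user name, each group as `%name` and `%#gid`, then `ALL`). The following is an added example, written for this archive page and not code from sudo, the FreeBSD port or the reporter. It takes the two `sudoers_debug` transcripts (transcribed from the report, with the reporter's `<hostname>` and `<sudoers-base>` placeholders kept), finds the last step both runs completed and the first step only the working run reached, and splits that step's LDAP filter into its `sudoUser` terms. The term classification assumes the conventions documented in sudoers.ldap(5): `%name` is a group, `%#gid` a numeric group id, `+name` a netgroup, `#uid` a numeric user id.

```python
"""Locate where a failing sudo LDAP lookup diverges from a working one.

Added example for the bug report above, not code from sudo or the FreeBSD
port. Both transcripts below are constructed from the report's output.
"""
import re

# Constructed sample input: the unprivileged-user run from the report,
# trimmed to the steps after the TLS handshake, ending at the crash.
FAILING_TRACE = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
Segmentation fault
"""

# Constructed sample input: the same steps from the root run, which went
# on through the per-user and netgroup searches.
WORKING_TRACE = """\
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: (&(objectClass=sudoRole)(cn=defaults))
sudo: no default options found in <sudoers-base>
sudo: ldap search '(&(objectClass=sudoRole)(|(sudoUser=root)(sudoUser=%wheel)(sudoUser=%#0)(sudoUser=%operator)(sudoUser=%#5)(sudoUser=ALL)))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
sudo: searching from base '<sudoers-base>'
sudo: adding search result
sudo: result now has 2 entries
sudo: done with LDAP searches
"""

PREFIX = "sudo: "
FILTER_RE = re.compile(r"ldap search '(.*)'$")
TERM_RE = re.compile(r"\(sudoUser=([^)]*)\)")


def debug_steps(trace):
    """Return the debug steps of a transcript without the `sudo: ` prefix.
    Lines that are not debug output (the shell's crash message, the
    `sudo -l` listing) are not steps and are dropped."""
    return [line[len(PREFIX):] for line in trace.splitlines()
            if line.startswith(PREFIX)]


def crashed(trace):
    """True if the transcript ends with the shell's segfault message."""
    lines = [l for l in trace.splitlines() if l.strip()]
    return bool(lines) and lines[-1].strip() == "Segmentation fault"


def divergence(failing, working):
    """Walk both step lists in lockstep and return
    (last step both runs completed, first step only the working run did).
    Either element is None when there is no such step."""
    f, w = debug_steps(failing), debug_steps(working)
    i = 0
    while i < len(f) and i < len(w) and f[i] == w[i]:
        i += 1
    last_common = w[i - 1] if i else None
    first_missing = w[i] if i < len(w) else None
    return last_common, first_missing


def classify(term):
    """Map one sudoUser value to the kind of principal it names
    (sudoers.ldap(5) conventions, assumed here)."""
    if term == "ALL":
        return "all"
    if term == "*":
        return "any"
    if term.startswith("%#"):
        return "gid"
    if term.startswith("%"):
        return "group"
    if term.startswith("+"):
        return "netgroup"
    if term.startswith("#"):
        return "uid"
    return "user"


def sudo_user_terms(step):
    """Split an `ldap search '...'` step into (kind, value) pairs, one per
    sudoUser term in its filter; [] when the step is not a search."""
    m = FILTER_RE.search(step)
    if not m:
        return []
    return [(classify(t), t) for t in TERM_RE.findall(m.group(1))]


def report(failing, working):
    """Summarise the comparison as a dict a script can act on."""
    last_common, first_missing = divergence(failing, working)
    return {
        "crashed": crashed(failing),
        "last_common_step": last_common,
        "first_missing_step": first_missing,
        "terms_never_queried": sudo_user_terms(first_missing or ""),
    }


if __name__ == "__main__":
    for key, value in report(FAILING_TRACE, WORKING_TRACE).items():
        print(f"{key}: {value}")
```

Run against the two transcripts it reports that the last common step is "no default options found in <sudoers-base>" and that the failing run never issued the per-user search, so the crash sits between reading the defaults and building the filter that encodes the user's name, groups and gids. That narrows the search but does not explain it: for the actual fault location you need a backtrace, and because sudo is setuid, FreeBSD will not write a core file for it until `kern.sugid_coredump` is set to 1 (set-id processes do not dump core by default). The debug output itself comes from the `sudoers_debug` setting in ldap.conf, as documented in sudoers.ldap(5).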
