Created attachment 292439 [details] emerge-info After upgrading system (~amd64) approx 2 weeks ago sudo stopped working in certain situations. I use pam_mount to mount certain filesystems on login and unmount them on logout. If I run command sudo drop_caches I get error as below. If I downgrade to sudo to 1.8.2-r1, the error goes away. Errors occurs with other programs using sudo. Commands and results: # bin/sudoDropCaches <=== calls drop_caches script, which is allowed like this: %wheel ALL = (root) NOPASSWD:/usr/local/sbin/drop_caches Cleaning system caches sudo: pam_mount.c:417: modify_pm_count: Assertion `user != ((void *)0)' failed. bin/sudoDropCaches: line 2: 1776 Aborted sudo drop_caches drop_caches script is in root's PATH and it contains: #!/bin/bash echo "Cleaning system caches" sync echo 3 > /proc/sys/vm/drop_caches
I have a more general sudo config and I'm also using pam_mount and I'm getting the same error on every sudo command. /etc/sudoers: root ALL=(ALL) ALL %wheel ALL=(ALL) ALL Only added line in /etc/security/pam_mount.conf.xml: <!-- Volume definitions --> <volume user="martin" fstype="fuse" path="encfs#/home/.encfs-martin" mountpoint="/home/martin" options="allow_other,nonempty" /> As martin just a $ sudo echo test gives: test sudo: pam_mount.c:417: modify_pm_count: Assertion `user != ((void *)0)' failed. [1] 12802 abort sudo echo test I'll be happy to provide more information if requested. $ emerge --info Portage 2.1.10.34 (default/linux/amd64/10.0/desktop/gnome, gcc-4.5.3, glibc-2.13-r4, 3.1.0-gentoo-r1-odin x86_64) ================================================================= System uname: Linux-3.1.0-gentoo-r1-odin-x86_64-Intel-R-_Core-TM-_i5_CPU_M_560_@_2.67GHz-with-gentoo-2.1 Timestamp of tree: Wed, 16 Nov 2011 14:15:01 +0000 distcc 3.1 x86_64-pc-linux-gnu [disabled] app-shells/bash: 4.2_p10 dev-java/java-config: 2.1.11-r3 dev-lang/python: 2.7.2-r3, 3.2.2 dev-util/cmake: 2.8.6-r3 dev-util/pkgconfig: 0.26 sys-apps/baselayout: 2.1 sys-apps/openrc: 0.9.4 sys-apps/sandbox: 2.5 sys-devel/autoconf: 2.13, 2.68 sys-devel/automake: 1.11.1-r1 sys-devel/binutils: 2.21.1-r1 sys-devel/gcc: 4.5.3-r1 sys-devel/gcc-config: 1.5-r2 sys-devel/libtool: 2.4.2 sys-devel/make: 3.82-r3 sys-kernel/linux-headers: 2.6.39 (virtual/os-headers) sys-libs/glibc: 2.13-r4 Repositories: gentoo odin gnome systemd ACCEPT_KEYWORDS="amd64 ~amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=core2 -O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-march=core2 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" FFLAGS="" GENTOO_MIRRORS="ftp://91.121.124.139/gentoo-distfiles/ http://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/" LANG="C" LDFLAGS="-Wl,-O1 -Wl,--as-needed" MAKEOPTS="-j5 -l6" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/gnome /var/lib/layman/systemd" SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" USE="X a52 aac acpi alsa amd64 amr avahi berkdb bluetooth branding bzip2 cairo cdda cli colord consolekit cracklib crypt cups cxx dbus dirac divx dri dts dvb emboss encode exif faac faad fam ffmpeg firefox flac fuse gdbm gdu gif gnome gnome-keyring gstreamer gtk gtk3 iconv idn inotify introspection ipv6 jpeg lame lcms libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib nautilus ncurses networkmanager nls nptl nptlonly ogg opengl openmp pam pango pcre pdf png policykit ppds pppd pulseaudio readline realmedia samba schroedinger sdl session spell sse sse2 ssl startup-notification svg sysfs syslog systemd tcpd theora tiff truetype udev unicode usb v4l v4l2 vim-syntax vorbis wmp x264 xcb xinerama xml xorg xulrunner xv xvid zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS $ emerge -pv sudo pam_mount [ebuild R ] sys-auth/pam_mount-2.12 USE="crypt ssl (-selinux)" 278 kB [ebuild R ] app-admin/sudo-1.8.3_p1-r2 USE="pam -ldap -offensive (-selinux) -skey" 1,501 kB
Same problem on my system: - sudo-1.8.3_p1-r2 - pam_mount-2.12 I'm using pam_mount to mount an encfs filesystem. This bug is also referenced at debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648698
Problem persists on app-admin/sudo-1.8.4_p1
And app-admin/sudo-1.8.4_p2
I'm reverting back to app-admin/sudo-1.8.2-r1 an it works.
Same here! I also tried upgrading to sys-auth/pam_mount-2.13 but it didn't help. Why in the world did Gentoo remove app-admin/sudo-1.8.2-r1 from portage tree? We need it! This bug is UNRESOLVED so until Debian (or anyone else) manages to fix it, please put it back because we need it! Sorry for the rant... it's just that I don't understand why we have 30 versions of gcc, yet we can't keep an older version of "sudo" around.
(In reply to comment #6) > [...] > Why in the world did Gentoo remove app-admin/sudo-1.8.2-r1 from portage > tree? Because it had a serious vulnerability: http://www.sudo.ws/sudo/alerts/sudo_debug.html
Thanks for your answer Martin, it totally makes sense given the seriousness of the vulnerability. However the question remains: does anyone know how to make pam_mount work properly with these newer sudo versions? Is there a /etc/security configuration trick (or something else) that does the job?
There is a fix for version 1.8.0-1.8.3 - http://www.sudo.ws/sudo/alerts/sudo_debug.html says: "For sudo versions 1.8.0-1.8.3, the patch to sudo.c in sudo-1.8.3p2.patch.gz will also apply."
Great news! I would suggest to include a patched app-admin/sudo-1.8.2-r2 in the tree... that would resolve the problem for all affected users (which is pretty much everyone who uses pam-mount at the moment!). I haven't really looked but I suppose some other distros have probably applied the same kind of patch, as few of them can afford to systematically upgrade packages like Gentoo does.
Created attachment 310851 [details, diff] (upstream) Patch to fix the issue I don't think that the sudo_debug page that was linked here is about the same issue, it seems something completely different to me. I attach a patch that fixes the bug (I tried applying it and I get no more pam-mount-related errors). This is the patch applied by Ubuntu to fix the same problem: https://bugs.launchpad.net/ubuntu/precise/+source/sudo/+bug/927828 Can anyone commit this?
Sudo 1.8.6 is stable now. Is it fixed in that version?
I'm using sudo 1.8.6_p7 (latest stable) and pam_mount 2.14 (unstable) and I have no problem. Since the fix was for sudo, I guess it should work even with a stable pam_mount, unless a workaround was added in pam_mount 2.14.
