After updating from app-admin/sudo-1.9.7_p2 to app-admin/sudo-1.9.8 (with USE flag sssd enabled) sudo segmentation faults when executed. Workaround is to downgrade to app-admin/sudo-1.9.7_p2 because it is working correctly. app-admin/sudo works correctly without `sssd` USE flag enabled.

Reproducible: Always

Steps to Reproduce:
1. Update to app-admin/sudo-1.9.8 with USE flag sssd enabled

Actual Results:
When `sudo command` is executed it segmentation faults. `sudo -l` works and includes entries from sssd.

Expected Results:
Command is executed successfully using sudo

Running the command through gdb prints:

```
Reading symbols from /usr/bin/sudo...
(No debugging symbols found in /usr/bin/sudo)
(gdb) r
Starting program: /usr/bin/sudo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
[Inferior 1 (process 652552) exited with code 01]
```

-- It does not seem to cause a segmentation fault but prints an error. This error is also printed when executed through strace.
```
% findmnt /usr
TARGET SOURCE               FSTYPE OPTIONS
/usr   /dev/mapper/vg00-usr ext4   rw,noatime

# ls -l /usr/bin/sudo
-rws--x--x 1 root root 225432 Sep 14 12:34 /usr/bin/sudo
```

Package Settings:

```
app-admin/sudo-1.9.8::gentoo was built with the following:
USE="nls offensive pam secure-path sendmail ssl sssd -gcrypt -ldap -sasl (-selinux) -skey" ABI_X86="(64)"
```
This does not appear to impact all users with sudo rules populated by sssd. So far it seems only my primary user is getting segmentation faults and no other users on the system.

BTW, I'm also getting the "... effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' ..." error when executing sudo through gdb/strace for users where it is working, so please disregard that message.
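Added triage helper, not part of the original report: it repeats the reporter's `findmnt` and `ls -l` checks and adds a tracer check, because the kernel does not honour the setuid bit when an unprivileged debugger such as gdb or strace starts the binary, which yields the "effective uid is not 0" message quoted above. The function names `classify` and `inspect` and the verdict strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example: explain why a setuid-root binary such as /usr/bin/sudo
# may start with a non-zero effective uid. Names and verdicts are illustrative.

# classify MODE OWNER_UID MOUNT_OPTS TRACER_PID -> prints one verdict
#   MODE        octal permissions as printed by `stat -c %a` (e.g. 4711)
#   OWNER_UID   numeric owner of the file
#   MOUNT_OPTS  comma-separated mount options of the containing file system
#   TRACER_PID  TracerPid value from /proc/<pid>/status (0 = not traced)
classify() {
    mode=$1; owner=$2; opts=$3; tracer=$4
    # The setuid bit is octal 4000; without it exec never changes the euid.
    if [ $(( 0$mode & 04000 )) -eq 0 ]; then echo "no-setuid-bit"; return; fi
    # A setuid binary only yields euid 0 when root owns it.
    if [ "$owner" != 0 ]; then echo "not-root-owned"; return; fi
    # On a nosuid mount the kernel ignores the setuid bit.
    case ",$opts," in
        *,nosuid,*) echo "nosuid-mount"; return ;;
    esac
    # A process started under an unprivileged tracer does not gain the
    # file owner's uid, so sudo reports "effective uid is not 0".
    if [ "$tracer" != 0 ]; then echo "ptraced"; return; fi
    echo "ok"
}

# inspect PATH [PID]: gather the real values on a Linux host and classify.
# PID defaults to the calling shell, so run this from the same session
# (e.g. inside the strace/gdb wrapper) that shows the error.
inspect() {
    path=$1
    pid=${2:-$$}
    set -- $(stat -c '%a %u' "$path")
    opts=$(findmnt -n -o OPTIONS -T "$path")
    tracer=$(awk '/^TracerPid:/ {print $2}' "/proc/$pid/status")
    classify "$1" "$2" "$opts" "$tracer"
}

# Run only when a path is given, e.g.: sh check.sh /usr/bin/sudo
if [ "$#" -gt 0 ]; then
    inspect "$1"
fi
```

With the values from the report (mode 4711 for `-rws--x--x`, owner root, options `rw,noatime`) the verdict is `ok` outside a debugger and `ptraced` inside one.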
> "... effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid'

Same here.
This is an upstream bug fixed in sudo 1.9.8_p1, it seems:

```
* Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
  This is a regression introduced in sudo 1.9.8. Bug #994.
```

https://bugzilla.sudo.ws/show_bug.cgi?id=994
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b59c922b7aac628c2411d60f466b0136d4735f7d

commit b59c922b7aac628c2411d60f466b0136d4735f7d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 22:04:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 22:04:51 +0000

    app-admin/sudo: add 1.9.8_p1

    Closes: https://bugs.gentoo.org/813039
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/sudo/Manifest             |   1 +
 app-admin/sudo/sudo-1.9.8_p1.ebuild | 255 ++++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e62a1449ffda62e825e84e1028be8b971ac33fb

commit 6e62a1449ffda62e825e84e1028be8b971ac33fb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 22:05:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 22:05:24 +0000

    app-admin/sudo: drop 1.9.8

    Bug: https://bugs.gentoo.org/813039
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/sudo/Manifest          |   1 -
 app-admin/sudo/sudo-1.9.8.ebuild | 255 ---------------------------------------
 2 files changed, 256 deletions(-)
With _p1 - still the same! (1.9.7 works)

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

(on non-NFS and no-nosuid system)
(In reply to Jan Psota from comment #5)
> With _p1 - still the same! (1.9.7 works)
> sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
> 'nosuid' option set or an NFS file system without root privileges?
> (on non-NFS and no-nosuid system)

This sounds like a separate bug to the sssd crash issue?
I can confirm that the update resolved the issue with sudo segmentation faulting when built with the USE flag sssd. Thanks!
> This sounds like a separate bug to the sssd crash issue?

USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)

app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"
(In reply to Jan Psota from comment #8)
> > This sounds like a separate bug to the sssd crash issue?
> USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)
>
> app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path
> ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"

I think I still need you to file a new bug for this in Gentoo and then ideally upstream.
(In reply to Anders Larsson from comment #7)
> I can confirm that the update resolved the issue with sudo segmentation
> faulting when built with the USE flag sssd. Thanks!

Thanks for the confirmation!
(In reply to Sam James from comment #9)
> (In reply to Jan Psota from comment #8)
> > > This sounds like a separate bug to the sssd crash issue?
> > USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)
> >
> > app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path
> > ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"
>
> I think I still need you to file a new bug for this in Gentoo and then
> ideally upstream.

This still applies, but 1.9.8_p2 may work.
_p2 works! :-D Now it is "RESOLVED FIXED" ;-)