Bug 813039

Summary:	app-admin/sudo-1.9.8[sssd] segmentation faults when executed
Product:	Gentoo Linux	Reporter:	Anders Larsson <anders.gentoo>
Component:	Current packages	Assignee:	Gentoo's Team for Core System packages <base-system>
Status:	RESOLVED FIXED
Severity:	normal	CC:	gentoo, michael, sam
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Anders Larsson 2021-09-14 11:25:06 UTC

After updating from app-admin/sudo-1.9.7_p2 to app-admin/sudo-1.9.8 (with USE flag sssd enabled) sudo segmentation faults when executed.

Workaround is to downgrade to app-admin/sudo-1.9.7_p2 because it is working correctly.

app-admin/sudo works correctly without `sssd` USE flag enabled.

Reproducible: Always

Steps to Reproduce:
1. Update to app-admin/sudo-1.9.8 with USE flag sssd enabled
Actual Results:  
When `sudo command` is executed it segmentation faults.

`sudo -l` works and includes entries from sssd.

Expected Results:  
Command is executed successfully using sudo

Running the command through gdb prints:

Reading symbols from /usr/bin/sudo...
(No debugging symbols found in /usr/bin/sudo)
(gdb) r
Starting program: /usr/bin/sudo
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
[Inferior 1 (process 652552) exited with code 01]

--

It does not seem to cause a segmentation fault but print an error. This error is also printed when executed through strace.

% findmnt /usr
TARGET SOURCE               FSTYPE OPTIONS
/usr   /dev/mapper/vg00-usr ext4   rw,noatime

# ls -l /usr/bin/sudo
-rws--x--x 1 root root 225432 Sep 14 12:34 /usr/bin/sudo


Portage 3.0.23 (python 3.9.7-final-0, default/linux/amd64/17.1/systemd, gcc-11.2.0, glibc-2.33-r7, 5.14.2-gentoo x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-5.14.2-gentoo-x86_64-AMD_Ryzen_7_1800X_Eight-Core_Processor-with-glibc2.33
KiB Mem:    32819028 total,  11312652 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Tue, 14 Sep 2021 08:00:01 +0000
Head commit of repository gentoo: c3b0fb0c5a039c91b39cf2410de16ac0a38dd76c
Timestamp of repository guru: Sun, 12 Sep 2021 07:21:25 +0000
Head commit of repository guru: fc4c31b11e33b1059a766c8785c300bc96d19dd8

Timestamp of repository jorgicio: Tue, 14 Sep 2021 01:36:22 +0000
Head commit of repository jorgicio: c38b41cfe51631c5393c53e1856cd80f3582f8e3

Timestamp of repository pentoo: Tue, 14 Sep 2021 05:06:21 +0000
Head commit of repository pentoo: b8d78e752a656c976e9168d077b93e661374eeed

Timestamp of repository steam-overlay: Wed, 08 Sep 2021 12:51:32 +0000
Head commit of repository steam-overlay: b8f5a2ad298aedc39aa808f5e9ee5f70ec86cd70

sh bash 5.1_p8
ld GNU ld (Gentoo 2.36.1 p4) 2.36.1
ccache version 4.4.1 [enabled]
app-shells/bash:          5.1_p8::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.34.0-r2::gentoo
dev-lang/python:          2.7.18_p13::gentoo, 3.8.11::gentoo, 3.9.7::gentoo, 3.10.0_rc2::gentoo
dev-lang/rust:            1.55.0::gentoo
dev-util/ccache:          4.4.1::gentoo
dev-util/cmake:           3.21.2::gentoo
sys-apps/baselayout:      2.7-r3::gentoo
sys-apps/sandbox:         2.25::gentoo
sys-devel/autoconf:       2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:       1.16.4::gentoo
sys-devel/binutils:       2.36.1-r2::gentoo, 2.37_p1::gentoo
sys-devel/gcc:            11.2.0::gentoo
sys-devel/gcc-config:     2.4::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.14::gentoo (virtual/os-headers)
sys-libs/glibc:           2.33-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-max-age: 24
    sync-rsync-extra-opts:

anders-larsson
    location: /var/db/repos/anders-larsson
    masters: gentoo

guru
    location: /var/db/repos/guru
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/guru.git
    masters: gentoo

jorgicio
    location: /var/db/repos/jorgicio
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/jorgicio.git
    masters: gentoo

pentoo
    location: /var/db/repos/pentoo
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/pentoo.git
    masters: gentoo
    
steam-overlay
    location: /var/db/repos/steam-overlay
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/steam-overlay.git
    masters: gentoo

Installed sets: @fonts, @yubikey
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE all-rights-reserved free-noncomm linux-fw-redistributable no-source-code CC-BY-NC-4.0"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y --complete-graph y --jobs=5 --load-average=10 --quiet-build"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG
_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance ccache config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multili
b-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userf
etch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://ftp.snt.utwente.nl/pub/os/linux/gentoo"
LANG="en_GB.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_GB en_US en sv sv_SE"
MAKEOPTS="-j7"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl acpi alsa amd64 bluray bzip2 cairo cleartype cli corefonts crypt custom-optimization dbus dri egl firefox firewalld fortran gdbm gtk gtk3 iconv ipv6 jpeg jumbo-build libglvnd libnotify libtirpc lm_sensors mplayer multilib ncurses nls nptl offensive ogg openal opengl openmp pam pcre pdf pgo png polkit pulseaudio qt5 readline seccomp split-usr ssl syslog systemd tcpd tru
etype udev udisks unicode vaapi vdpau vim-syntax x264 xattr xcb xcomposite xv xvmc zlib zsh-completion" ABI_X86="64 32" ADA_TARGET="gnat_2018" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user
autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="a
es avx avx2 f16c fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" CURL_SSL="gnutls" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput" KERNEL="linu
x" L10N="en-GB en-US en sv sv-SE" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LLVM_TARGETS="X86" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3
_9" PYTHON_TARGETS="python3_9" QEMU_SOFTMMU_TARGETS="x86_64 i386" QEMU_USER_TARGETS="x86_64 i386" RUBY_TARGETS="ruby26 ruby27 ruby30" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RUSTFLAGS

=================================================================
                        Package Settings
=================================================================

app-admin/sudo-1.9.8::gentoo was built with the following:
USE="nls offensive pam secure-path sendmail ssl sssd -gcrypt -ldap -sasl (-selinux) -skey" ABI_X86="(64)"

Comment 1 Anders Larsson 2021-09-14 12:15:50 UTC

This does not appear to impact all users with sudo rules populated by sssd. So far it seems only my primary user is getting segmentation faults and no other users on the system.

BTW. I'm also getting the "... effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' ..." error when executing sudo through gdb/strace for users where it is working so please disregard that message.

Comment 2 Jan Psota 2021-09-15 08:46:18 UTC

> "... effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid'
Same here.

Comment 3 Sam James archtester

2021-09-16 19:58:43 UTC

This is an upstream bug fixed in sudo 1.9.8_p1, it seems:
```
* Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
  This is a regression introduced in sudo 1.9.8.  Bug #994.
```

https://bugzilla.sudo.ws/show_bug.cgi?id=994

Comment 4 Larry the Git Cow gentoo-dev

2021-09-16 22:06:36 UTC

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b59c922b7aac628c2411d60f466b0136d4735f7d

commit b59c922b7aac628c2411d60f466b0136d4735f7d
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 22:04:51 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 22:04:51 +0000

    app-admin/sudo: add 1.9.8_p1
    
    Closes: https://bugs.gentoo.org/813039
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/sudo/Manifest             |   1 +
 app-admin/sudo/sudo-1.9.8_p1.ebuild | 255 ++++++++++++++++++++++++++++++++++++
 2 files changed, 256 insertions(+)

Additionally, it has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6e62a1449ffda62e825e84e1028be8b971ac33fb

commit 6e62a1449ffda62e825e84e1028be8b971ac33fb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-09-16 22:05:13 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-09-16 22:05:24 +0000

    app-admin/sudo: drop 1.9.8
    
    Bug: https://bugs.gentoo.org/813039
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/sudo/Manifest          |   1 -
 app-admin/sudo/sudo-1.9.8.ebuild | 255 ---------------------------------------
 2 files changed, 256 deletions(-)

Comment 5 Jan Psota 2021-09-18 19:20:57 UTC

With _p1 - still the same! (1.9.7 works)
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
(on non-NFS and no-nosuid system)

Comment 6 Sam James archtester

2021-09-18 19:36:45 UTC

(In reply to Jan Psota from comment #5)
> With _p1 - still the same! (1.9.7 works)
> sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the
> 'nosuid' option set or an NFS file system without root privileges?
> (on non-NFS and no-nosuid system)

This sounds like a separate bug to the sssd crash issue?

Comment 7 Anders Larsson 2021-09-18 21:19:09 UTC

I can confirm that the update resolved the issue with sudo segmentation faulting when built with the USE flag sssd. Thanks!

Comment 8 Jan Psota 2021-09-20 06:15:48 UTC

> This sounds like a separate bug to the sssd crash issue?
USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)

app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"

Comment 9 Sam James archtester

2021-09-20 07:23:04 UTC

(In reply to Jan Psota from comment #8)
> > This sounds like a separate bug to the sssd crash issue?
> USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)
> 
> app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path
> ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"

I think I still need you to file a new bug for this in Gentoo and then ideally upstream.

Comment 10 Sam James archtester

2021-09-20 07:23:15 UTC

(In reply to Anders Larsson from comment #7)
> I can confirm that the update resolved the issue with sudo segmentation
> faulting when built with the USE flag sssd. Thanks!

Thanks for the confirmation!

Comment 11 Sam James archtester

2021-09-21 17:46:04 UTC

(In reply to Sam James from comment #9)
> (In reply to Jan Psota from comment #8)
> > > This sounds like a separate bug to the sssd crash issue?
> > USE flags on my system (sendmail turned off, amd64/17.1/systemd defaults)
> > 
> > app-admin/sudo-1.9.8_p1::gentoo [1.9.7_p2::gentoo] USE="nls pam secure-path
> > ssl -gcrypt -ldap -offensive -sasl (-selinux) -sendmail -skey -sssd"
> 
> I think I still need you to file a new bug for this in Gentoo and then
> ideally upstream.

This still applies, but 1.9.8_p2 may work.

Comment 12 Jan Psota 2021-09-21 19:12:06 UTC

_p2 works! :-D Now it is "RESOLVED FIXED" ;-)