Your message dated Tue, 05 Feb 2008 04:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#452457: fixed in sudo 1.6.9p11-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: sudo
Version: 1.6.9p6-1
Severity: normal
sudo 1.6.9p6-1 introduces a change in which pam_open_session and
pam_close_session are now called before and after command execution.
Previously, in the 1.6.8 branch of sudo, these calls were not made, and
therefore there were no references to PAM session modules in
/etc/pam.d/sudo. The new calls result in the session entries being
read from /etc/pam.d/other (the default PAM stack file); in Debian, this
defaults to reading /etc/pam.d/common-session, etc. However, if a user
has hardened his/her Debian installation (according to Javier
Fernandez-Sanguino Pena's _Securing Debian Manual_ version 3.1.2),
instead, the following session entries from /etc/pam.d/default are used
and sudo becomes unusable:
    session required pam_unix_session.so
    session required pam_warn.so
    session required pam_deny.so
The solution is to specify a sensible default for the session stack to
avoid falling through to /etc/pam.d/default. I would suggest either:
    session required pam_permit.so
(which duplicates the behavior of sudo 1.6.8 in which no session calls
were made)
[or]
    @include common-session
(which will probably result in tolerable behavior, but still be a bit
irritating in terms of spurious pam_unix session open/close calls in
auth.log and triggering of things in common-session such as PAG creation
with pam_afs_session.so in our case)
This also might be a good occasion to insert a fix for #402329 by adding
in an entry for pam_limits.so as well:
    session required pam_limits.so
Regards,
Elizabeth Fong
Lead sysadmin, UGCS
[EMAIL PROTECTED]
http://www.ugcs.caltech.edu
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.22 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages sudo depends on:
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries
ii libpam-modules 0.99.7.1-5 Pluggable Authentication Modules f
ii libpam0g 0.99.7.1-5 Pluggable Authentication Modules l
sudo recommends no packages.
-- no debconf information
--- End Message ---
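The fall-through described in the report above can be checked before an upgrade. This is an added example, not part of the original messages or of the sudo package: a small resolver that reports which session stack PAM would run for a service and whether it ends in pam_deny.so. The file contents, the service names sudo_before and sudo_after, and the simplified parsing (no include/substack control keywords) are assumptions made for illustration.

```python
import os
import re
import tempfile

# type, control (simple keyword or [bracketed] form), module
ENTRY = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def stack(pam_dir, name, mtype, seen=()):
    """(control, module) pairs of type `mtype` in pam_dir/name, following @include."""
    path = os.path.join(pam_dir, name)
    if name in seen or not os.path.isfile(path):  # missing file or include loop
        return []
    found = []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if line.startswith("@include"):
                parts = line.split()
                if len(parts) == 2:
                    found += stack(pam_dir, parts[1], mtype, seen + (name,))
                continue
            m = ENTRY.match(line)
            if m and m.group(1) == mtype:
                found.append((m.group(2), os.path.basename(m.group(3))))
    return found

def effective_session(pam_dir, service):
    """Session stack PAM will run: the service's own, else the one in 'other'."""
    own = stack(pam_dir, service, "session")
    return (service, own) if own else ("other", stack(pam_dir, "other", "session"))

def session_denied(pam_dir, service):
    """True if the effective session stack contains a mandatory pam_deny.so."""
    _, entries = effective_session(pam_dir, service)
    return any(mod == "pam_deny.so" and ctl in ("required", "requisite")
               for ctl, mod in entries)

def demo():
    """Constructed files: the hardened fallback from the report, sudo before/after."""
    d = tempfile.mkdtemp()
    files = {
        "other": "session required pam_unix_session.so\n"
                 "session required pam_warn.so\nsession required pam_deny.so\n",
        "sudo_before": "auth required pam_unix.so\n",  # no session lines at all
        "sudo_after": "auth required pam_unix.so\nsession required pam_permit.so\n"
                      "session required pam_limits.so\n",
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return {s: (effective_session(d, s)[0], session_denied(d, s))
            for s in ("sudo_before", "sudo_after")}
```

Pointing `session_denied` at a copy of a host's real PAM directory for each installed service shows which ones would start failing once a package begins calling pam_open_session.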
--- Begin Message ---
Source: sudo
Source-Version: 1.6.9p11-2
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:
sudo-ldap_1.6.9p11-2_i386.deb
to pool/main/s/sudo/sudo-ldap_1.6.9p11-2_i386.deb
sudo_1.6.9p11-2.diff.gz
to pool/main/s/sudo/sudo_1.6.9p11-2.diff.gz
sudo_1.6.9p11-2.dsc
to pool/main/s/sudo/sudo_1.6.9p11-2.dsc
sudo_1.6.9p11-2_i386.deb
to pool/main/s/sudo/sudo_1.6.9p11-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bdale Garbee <[EMAIL PROTECTED]> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 04 Feb 2008 21:26:23 -0700
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.6.9p11-2
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <[EMAIL PROTECTED]>
Changed-By: Bdale Garbee <[EMAIL PROTECTED]>
Description:
sudo - Provide limited super user privileges to specific users
sudo-ldap - Provide limited super user privileges to specific users
Closes: 402329 452457 459681
Changes:
sudo (1.6.9p11-2) unstable; urgency=low
.
* update version compared in preinst when removing obsolete init.d,
closes: #459681
* implement pam session config suggestions from Elizabeth Fong,
closes: #452457, #402329
Files:
2d4392740be210a02beeda635602c3c0 617 admin optional sudo_1.6.9p11-2.dsc
a6ec498c1683128a5c1c662b075e9bf0 22953 admin optional sudo_1.6.9p11-2.diff.gz
ed32727b75bd55df7741c7fb67433525 172172 admin optional sudo_1.6.9p11-2_i386.deb
7e5f0fa38258f5fe9e8dd3ae3e115351 183256 admin optional sudo-ldap_1.6.9p11-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHp+YIZKfAp/LPAagRAvYoAJ9VroeUp1EPtenGp2NwhwZUZeqc4QCeM/4X
oyIDChcwtAYQpiP1xW1lqQU=
=Gscz
-----END PGP SIGNATURE-----
--- End Message ---