Package: sudo
Version: 1.8.11p1-1
Severity: normal

After upgrade to 1.8.11p1-1 from 1.3.10p3, sudo silently fails to execute any commands if the kernel is compiled with !AUDIT. For example, as root:

# sudo echo foo
#

Nothing in the logs indicates anything wrong either, even if the debug level is set to diag; sudo just exits.

There is code that tries to handle this in plugins/sudoers/linux_audit.c, but it fails miserably:

------------------------------------------------------------
    if (au_fd == -1) {
        /* Kernel may not have audit support. */
        if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
            sudo_warn(U_("unable to open audit system"));
            au_fd = AUDIT_NOT_CONFIGURED;
        }
    }
------------------------------------------------------------

Obviously, it should require errno to be *either* EINVAL, EPROTONOSUPPORT or EAFNOSUPPORT, not *all of them*.

After applying the attached patch, sudo no longer fails, but warns:

------------------------------------------------------------
# sudo echo foo
sudo: unable to open audit system: Protocol not supported
foo
------------------------------------------------------------

	Sami

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libaudit1       1:2.4-1
ii  libc6           2.19-11
ii  libpam-modules  1.1.8-3.1
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  zlib1g          1:1.2.8.dfsg-2

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information

Description: Make sudo work if kernel compiled with !AUDIT The code in linux_audit.c tries to handle the case where the kernel has been compiled without AUDIT support, but fails miserably. Author: Sami Liedes <sami.lie...@iki.fi> --- --- sudo-1.8.11p1.orig/plugins/sudoers/linux_audit.c +++ sudo-1.8.11p1/plugins/sudoers/linux_audit.c @@ -57,7 +57,7 @@ linux_audit_open(void) au_fd = audit_open(); if (au_fd == -1) { /* Kernel may not have audit support. */ - if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) { + if (errno != EINVAL || errno != EPROTONOSUPPORT || errno != EAFNOSUPPORT) { sudo_warn(U_("unable to open audit system")); au_fd = AUDIT_NOT_CONFIGURED; }
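Review bot: the `||` condition on the `+` line is true for every errno value, because errno cannot equal EINVAL, EPROTONOSUPPORT and EAFNOSUPPORT at the same time, so the branch now always calls sudo_warn() and always sets au_fd = AUDIT_NOT_CONFIGURED. That is consistent with the "Protocol not supported" warning still shown in the post-patch output, and it also means an audit_open() failure unrelated to missing kernel support would be treated as "audit not configured". Consider testing `errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT` and setting AUDIT_NOT_CONFIGURED without a warning in that case, with sudo_warn() moved to the else branch so that other failures stay visible and leave au_fd at -1.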
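The errno handling discussed in the report, evaluated side by side for each condition; this is an added example, not sudo's code and not part of the original report. The `struct outcome` type, the `handle_*` function names, the numeric value of `AUDIT_NOT_CONFIGURED` and the `EMFILE` sample are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define AUDIT_NOT_CONFIGURED (-2) /* sentinel value assumed for this example */

struct outcome { int au_fd; bool warned; };

/* Condition as quoted in the report (the "-" line of the patch). */
struct outcome handle_original(int e) {
    struct outcome o = { -1, false };   /* audit_open() returned -1 */
    if (e != EINVAL && e != EPROTONOSUPPORT && e != EAFNOSUPPORT) {
        o.warned = true;
        o.au_fd = AUDIT_NOT_CONFIGURED;
    }
    return o;
}

/* Condition after the attached patch (the "+" line): true for every errno. */
struct outcome handle_patched(int e) {
    struct outcome o = { -1, false };
    if (e != EINVAL || e != EPROTONOSUPPORT || e != EAFNOSUPPORT) {
        o.warned = true;
        o.au_fd = AUDIT_NOT_CONFIGURED;
    }
    return o;
}

/* Hypothetical alternative: quiet sentinel for "no kernel audit", warn otherwise. */
struct outcome handle_split(int e) {
    struct outcome o = { -1, false };
    if (e == EINVAL || e == EPROTONOSUPPORT || e == EAFNOSUPPORT)
        o.au_fd = AUDIT_NOT_CONFIGURED;
    else
        o.warned = true;
    return o;
}

int main(void) {
    /* Constructed sample: the errno from the report plus an unrelated one. */
    int samples[] = { EPROTONOSUPPORT, EINVAL, EAFNOSUPPORT, EMFILE };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct outcome a = handle_original(samples[i]);
        struct outcome b = handle_patched(samples[i]);
        struct outcome c = handle_split(samples[i]);
        printf("errno=%3d orig(fd=%2d warn=%d) patched(fd=%2d warn=%d) split(fd=%2d warn=%d)\n",
               samples[i], a.au_fd, a.warned, b.au_fd, b.warned, c.au_fd, c.warned);
    }
    return 0;
}
```

With the errno from the report (`EPROTONOSUPPORT`), the original condition leaves the descriptor at -1 with no warning, which is consistent with the silent exit described, while the patched condition warns and sets the sentinel for every errno, including the unrelated `EMFILE`.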