Package: sudo
Version: 1.8.11p1-1
Severity: normal

After upgrading to 1.8.11p1-1 from 1.3.10p3, sudo silently fails to
execute any commands if the kernel is compiled with !AUDIT. For
example, as root:

# sudo echo foo
# 

Nothing in the logs indicates anything wrong either, even if the debug
level is set to diag; sudo just exits.

There is code that tries to handle this in
plugins/sudoers/linux_audit.c, but it fails miserably:

------------------------------------------------------------
if (au_fd == -1) {
    /* Kernel may not have audit support. */
    if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
        sudo_warn(U_("unable to open audit system"));
        au_fd = AUDIT_NOT_CONFIGURED;
    }
}
------------------------------------------------------------

Obviously, it should require errno to be *either* EINVAL,
EPROTONOSUPPORT or EAFNOSUPPORT, not *all of them*.

After applying the attached patch, sudo no longer fails, but warns:

------------------------------------------------------------
# sudo echo foo
sudo: unable to open audit system: Protocol not supported
foo
------------------------------------------------------------

        Sami


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.17.0 (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=fi_FI.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii  libaudit1       1:2.4-1
ii  libc6           2.19-11
ii  libpam-modules  1.1.8-3.1
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  zlib1g          1:1.2.8.dfsg-2

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
Description: Make sudo work if kernel compiled with !AUDIT
  The code in linux_audit.c tries to handle the case where the kernel
  has been compiled without AUDIT support, but fails miserably.
Author: Sami Liedes <sami.lie...@iki.fi>

---

--- sudo-1.8.11p1.orig/plugins/sudoers/linux_audit.c
+++ sudo-1.8.11p1/plugins/sudoers/linux_audit.c
@@ -57,7 +57,7 @@ linux_audit_open(void)
     au_fd = audit_open();
     if (au_fd == -1) {
 	/* Kernel may not have audit support. */
-	if (errno != EINVAL && errno != EPROTONOSUPPORT && errno != EAFNOSUPPORT) {
+	if (errno != EINVAL || errno != EPROTONOSUPPORT || errno != EAFNOSUPPORT) {
 	    sudo_warn(U_("unable to open audit system"));
 	    au_fd = AUDIT_NOT_CONFIGURED;
 	}
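Review bot: the replacement condition on the `+` line is a tautology. errno cannot equal EINVAL, EPROTONOSUPPORT and EAFNOSUPPORT at the same time, so at least two of the three `!=` comparisons are true and the `||` chain is true for every errno value; that is exactly why the test run in the report now prints "unable to open audit system: Protocol not supported" on a kernel that merely lacks audit. The reason the original code fails is also visible in this hunk: when errno is one of the three expected values the inner `if` is skipped, `au_fd` stays -1 and the "no audit support" case is never marked as `AUDIT_NOT_CONFIGURED`. Keep the original `&&` guard for the `sudo_warn()` call and move `au_fd = AUDIT_NOT_CONFIGURED;` out of the inner block so it runs on every `audit_open()` failure, warning only for unexpected errors.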

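To make the boolean mix-up concrete, the following is an added, stand-alone C simulation of the tail of linux_audit_open() in three variants: the condition as shipped in 1.8.11p1, the attached patch's `||` version, and a restructured version that always marks audit as unavailable when audit_open() fails and warns only for errno values outside the expected three. It is not sudo's code and not the reporter's patch; the enum names, the helper functions and the numeric value used for AUDIT_NOT_CONFIGURED are assumptions made for this example, and the third variant is a proposed structure rather than a statement of what upstream sudo shipped.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sudo's AUDIT_NOT_CONFIGURED sentinel; the numeric value is a
 * constructed placeholder for this example, not taken from sudo's headers. */
#define AUDIT_NOT_CONFIGURED (-2)

/* Three ways of writing the block after audit_open() (names are ours). */
enum variant { ORIGINAL, PATCHED, FIXED };

/* Would this variant call sudo_warn() after audit_open() failed with errno == err? */
bool would_warn(enum variant v, int err)
{
    switch (v) {
    case ORIGINAL:
    case FIXED:
        /* Warn only when errno is none of the three "kernel has no audit" values. */
        return err != EINVAL && err != EPROTONOSUPPORT && err != EAFNOSUPPORT;
    case PATCHED:
        /* The '||' form from the attached patch: no single errno can equal all
         * three constants, so at least two comparisons are true and the whole
         * expression is true for every errno value. */
        return err != EINVAL || err != EPROTONOSUPPORT || err != EAFNOSUPPORT;
    }
    return false;
}

/* The au_fd value each variant leaves behind when audit_open() returned fd
 * with errno == err. */
int resulting_fd(enum variant v, int fd, int err)
{
    int au_fd = fd;
    if (au_fd == -1) {
        switch (v) {
        case ORIGINAL:
        case PATCHED:
            /* Sentinel is assigned only inside the warning branch, so the
             * expected "no audit support" case leaves au_fd at -1. */
            if (would_warn(v, err))
                au_fd = AUDIT_NOT_CONFIGURED;
            break;
        case FIXED:
            /* Proposed structure (assumption): always mark audit unavailable on
             * failure; the warning decision is kept separate. */
            au_fd = AUDIT_NOT_CONFIGURED;
            break;
        }
    }
    return au_fd;
}

int main(void)
{
    const char *names[] = { "original", "patched", "fixed" };
    /* Constructed sample: the "kernel lacks audit" errno and an unexpected one. */
    int errs[] = { EPROTONOSUPPORT, EACCES };
    for (int v = ORIGINAL; v <= FIXED; v++) {
        for (size_t i = 0; i < sizeof errs / sizeof errs[0]; i++) {
            printf("%-8s errno=%-22s au_fd=%2d warn=%s\n", names[v],
                   strerror(errs[i]), resulting_fd(v, -1, errs[i]),
                   would_warn(v, errs[i]) ? "yes" : "no");
        }
    }
    return 0;
}
```

Running it, the "original" row for EPROTONOSUPPORT leaves au_fd at -1 without a warning, which is the silent failure the report describes; the "patched" rows warn on every failure, matching the "Protocol not supported" message after the patch; only the restructured variant returns the sentinel quietly for the expected errno values and warns for the unexpected one.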