Public bug reported:

After upgrading from 14.04 LTS to 16.04 LTS, we noticed that LDAP-based
sudo roles stopped working, meaning users who were able to use sudo in
the past are now rejected.

After investigation, it turned out to be a known upstream bug:

https://bugzilla.sudo.ws/show_bug.cgi?id=757

which was introduced somewhere between the 14.04 and 16.04 timelines.

To cut a long story short, the code is trying to match the FQDN host name
(e.g. "thehost.domain.com") against the host name pattern provided in LDAP
(e.g. "sudoHost: thehost") using strcmpi, which will - obviously - fail.

The fix is a single-line patch which found its way into sudo
version 1.8.18:

https://www.sudo.ws/repos/sudo/rev/605c03afc80f

Unfortunately both 16.04 and 16.10 seem to use only 1.8.16 (17.04 seems
to have jumped to 1.8.19), so they will need to carry the patch mentioned
above. I tested it locally and the re-built package with the patch added
works fine. My debian/patches/series looks like this now:

.../sudo-1.8.16$ cat debian/patches/series 
typo-in-classic-insults.diff
paths-in-samples.diff
keep_home_by_default.patch
also_check_sudo_group.diff
ldap-hostname.diff

.../sudo-1.8.16$ cat debian/patches/ldap-hostname.diff 
# HG changeset patch
# User Todd C. Miller <todd.mil...@courtesan.com>
# Date 1473459982 21600
# Node ID 605c03afc80f4c3f55bfae62fcf4974f18cd77e8
# Parent  017866310d2486566cbde9f93486e788d0c046a8
Fix typo that broke short host name matching when the fqdn
flag is enabled.  Bug #757

diff -r 017866310d24 -r 605c03afc80f plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c Thu Sep 08 16:38:08 2016 -0600
+++ b/plugins/sudoers/sudoers.c Fri Sep 09 16:26:22 2016 -0600
@@ -1069,7 +1069,7 @@
        /* Not remote, just use user_host. */
        if ((lhost = strdup(user_host)) != NULL) {
            if (user_shost != user_host)
-               shost = strdup(lhost);
+               shost = strdup(user_shost);
            else
                shost = lhost;
        }
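Review bot: the new `shost = strdup(user_shost);` has no NULL check in the visible lines, while the `strdup(user_host)` immediately above it is guarded by `!= NULL`; on allocation failure `shost` is left NULL and `lhost` is leaked unless the caller checks both. Suggest mirroring the guard, e.g. `if (shost == NULL) { free(lhost); lhost = NULL; }`, or whatever error path this function already uses for the `lhost` case. The one-word change itself is right: the old `strdup(lhost)` copied the long name into the short-name slot, so with the fqdn flag set a `sudoHost` value such as `thehost` could never match.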

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1665322

Title:
  LDAP-based sudo roles stopped working in 16.04

Status in sudo package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1665322/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
