[sudo-users] pam_ssh_agent_auth segfault
Mike Tancsa
mike at sentex.net
Wed Sep 21 10:36:56 EDT 2011
On 9/21/2011 10:12 AM, Todd C. Miller wrote:
> Well, that's both good and bad news. The change from RTLD_LOCAL
> to RTLD_GLOBAL was needed for pam modules that require symbols from
> libpam.
>
> In this case it looks like there is a namespace clash with the
> "verbose" symbol in the sudoers parser and a function called verbose
> in pam_ssh_agent_auth.so and ld.so chooses the wrong one. I had
> hoped that libtool's export file would prevent this kind of problem
> but apparently it doesn't (at least on FreeBSD). There will be a
> workaround in the next release candidate of sudo 1.8.3.
Ahhh, that seems to be the case indeed. In the plugin, I did the
following on FreeBSD
0|dsl-b8|# cd /usr/ports/security/pam_ssh_agent_auth/
0|dsl-b8|# make extract
===> Vulnerability check disabled, database not found
===> License check disabled, port has not defined LICENSE
===> Extracting for pam_ssh_agent_auth-0.9.3
=> SHA256 Checksum OK for pam_ssh_agent_auth-0.9.3.tar.bz2.
===> pam_ssh_agent_auth-0.9.3 depends on file: /usr/local/bin/perl5.12.4 - found
0|dsl-b8|# cd work/pam_ssh_agent_auth-0.9.3/
0|dsl-b8|# perl -p -i -e "s/verbose\(/pam_ssh_auth_verbose\(/g" *.c
0|dsl-b8|# perl -p -i -e "s/verbose\(/pam_ssh_auth_verbose\(/g" *.h
0|dsl-b8|# cd ../..
0|dsl-b8|# make install
0|dsl-b8|% sudo -D9 id
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=...
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/id
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
sudo: received signal 20
sudo: calling policy close with wait status
0|dsl-b8|%
and the logs show
Sep 21 10:34:02 dsl-b8 sudo[60843]: pam_ssh_agent_auth: matching key found: file /etc/sudokeys, line 2
and adding in debug still works as well
auth sufficient /usr/local/lib/pam_ssh_agent_auth.so file=/etc/sudokeys debug
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
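
Added example, not part of the original message and not code from sudo or pam_ssh_agent_auth: a check for the kind of clash described in this thread, listing dynamic symbols that two shared objects both define and flagging names that are a different kind of symbol on each side. The listings are constructed `nm -D` output; the addresses, every symbol name other than `verbose`, and the assumption that the sudoers `verbose` is a data object are illustrative.

```shell
#!/bin/sh
# symbol_clashes LISTING_A LISTING_B
# Each listing is saved `nm -D <object>` output. Prints every dynamic symbol
# that both objects define, with the nm type letter from each side.
symbol_clashes() {
    awk '
        # Defined symbols have 3 fields (address, type, name); undefined
        # ("U") entries have 2 and are skipped. Uppercase = global, V/W = weak.
        NF == 3 && $2 ~ /^[TDBRVW]$/ {
            if (FNR == NR) { first[$3] = $2; next }   # first listing: remember
            if ($3 in first) {                        # second listing: compare
                kind = (first[$3] == $2) ? "same-type" : "TYPE-MISMATCH"
                printf "%s %s %s %s\n", $3, first[$3], $2, kind
            }
        }' "$1" "$2" | sort
}

# Constructed sample listings (not real output from either project).
demo_clashes() {
    a=$(mktemp) && b=$(mktemp) || return 1
    # Assumed: the sudoers plugin exports "verbose" as a data object (B = bss).
    cat > "$a" <<'EOF'
0000000000011000 T yyparse
0000000000034560 B verbose
                 U pam_start
EOF
    # The PAM module exports a function (T = text) with the same name.
    cat > "$b" <<'EOF'
0000000000004a10 T pam_sm_authenticate
0000000000005b20 T verbose
0000000000005c30 T fatal
                 U pam_get_item
EOF
    symbol_clashes "$a" "$b"
    rm -f "$a" "$b"
}

demo_clashes   # prints: verbose B T TYPE-MISMATCH
```

A TYPE-MISMATCH line marks a name that resolves to data in one object and code in the other, which is the case where a module loaded with RTLD_GLOBAL can end up calling or reading the wrong symbol.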