[sudo-users] pam_ssh_agent_auth segfault

Mike Tancsa mike at sentex.net
Wed Sep 21 10:36:56 EDT 2011 

On 9/21/2011 10:12 AM, Todd C. Miller wrote:
> Well, that's both good and bad news.  The change from RTLD_LOCAL
> to RTLD_GLOBAL was needed for pam modules that require symbols from
> libpam.
> 
> In this case it looks like there is a namespace clash with the
> "verbose" symbol in the sudoers parser and a function called verbose
> in pam_ssh_agent_auth.so and ld.so chooses the wrong one.  I had
> hoped that libtool's export file would prevent this kind of problem
> but apparently it doesn't (at least on FreeBSD).  There will be a
> workaround in the next release candidate of sudo 1.8.3.

Ahhh, that seems to be the case indeed. In the plugin, I did the
following on FreeBSD


0|dsl-b8|# cd /usr/ports/security/pam_ssh_agent_auth/
0|dsl-b8|# make extract
===>  Vulnerability check disabled, database not found
===>  License check disabled, port has not defined LICENSE
===>  Extracting for pam_ssh_agent_auth-0.9.3
=> SHA256 Checksum OK for pam_ssh_agent_auth-0.9.3.tar.bz2.
===>   pam_ssh_agent_auth-0.9.3 depends on file:
/usr/local/bin/perl5.12.4 - found
0|dsl-b8|# cd work/pam_ssh_agent_auth-0.9.3/
0|dsl-b8|# perl -p -i -e "s/verbose\(/pam_ssh_auth_verbose\(/g" *.c
0|dsl-b8|# perl -p -i -e "s/verbose\(/pam_ssh_auth_verbose\(/g" *.h
0|dsl-b8|# cd ../..
0|dsl-b8|# make install

0|dsl-b8|% sudo -D9 id
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=...
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/id
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
sudo: received signal 20
sudo: calling policy close with wait status
0|dsl-b8|%

and the logs show

Sep 21 10:34:02 dsl-b8 sudo[60843]: pam_ssh_agent_auth: matching key
found: file /etc/sudokeys, line 2

and adding in debug still works as well

auth           sufficient      /usr/local/lib/pam_ssh_agent_auth.so
file=/etc/sudokeys debug

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the sudo-users mailing list