FreeBSD Sudo Upgrade Gone Wrong, Password No Longer Working with Sudo 1.7.2p2 / 1.7.2p3, Sudo Broken

Posted by Benjamin Close on April 14, 2010 under FreeBSD

Recently a portaudit security advisory was released that indicated a vulnerability in sudoedit in the security/sudo FreeBSD port. At the time I was running sudo 1.6.9 and, being a responsible system administrator, I decided to upgrade sudo to the latest revision of the port (1.7.2p2 at the time). The upgrade went very smoothly, with portupgrade doing its job quickly and reliably. It wasn't until I tried to use sudo for the first time after the upgrade that the problems started.

Initially I tried to get a root shell using:

sudo -s

Sadly, after repeated password prompts I had no luck. Initially I thought I was just getting my password wrong, something I occasionally do with the amount of passwords I have to remember. However, after repeated attempts I came to the conclusion that something else was wrong.

I looked at the logs to see if they would show anything useful:

Apr 14 11:49:28 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/3 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:51:09 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:03 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:16 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh

Once again nothing obvious showed up. At this point I started Googling to try and find the answer. There were a lot of articles about people trying the root password rather than the user password, but I wasn't doing that. There were articles about people stuffing up the syntax of the sudoers file (you should use visudo to edit this). However, nothing had changed but the version of sudo. Eventually I found a post that solved the issue.
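The log lines above are the only evidence sudo gives when the PAM stack itself is broken, so it is worth being able to triage them quickly. The following is an added example (not code from the original post): a small POSIX sh/awk script that summarises sudo's "incorrect password attempt" syslog lines per user and flags the pattern seen here (the same user, the same command, several sessions, never a success), which looks like a broken authentication stack rather than a typo or a guessing attack. The log lines in it are constructed for the example in the same format as the ones shown above; the field layout is the one sudo writes via syslog.

```shell
#!/bin/sh
# Added example, not part of the original post: triage sudo's
# "incorrect password attempt" syslog lines. SAMPLE_LOG is constructed
# for this example in the same format as the log lines shown above.

SAMPLE_LOG='Apr 14 11:49:28 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/3 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:51:09 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:03 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 11:58:16 leo sudo:   benjsc : 1 incorrect password attempt ; TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 12:03:40 leo sudo:   benjsc : TTY=pts/4 ; PWD=/owners/benjsc/home ; USER=root ; COMMAND=/bin/tcsh
Apr 14 12:10:02 leo sudo:   guest : 3 incorrect password attempts ; TTY=pts/5 ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh'

# sudo_auth_failures: read log lines on stdin and print one line per user:
#   <user> <failed attempts> <distinct COMMANDs> <distinct TTYs>
# Successful invocations (no "incorrect password" text) are ignored.
sudo_auth_failures() {
    awk '
        / sudo: / && / incorrect password attempt/ {
            line = $0
            sub(/^.* sudo: +/, "", line)        # drop the syslog prefix
            n = split(line, f, " ; ")           # f[1] = "user : N incorrect ..."
            split(f[1], head, " : ")            # head[1] = user, head[2] = message
            user = head[1]
            split(head[2], msg, " ")
            fails[user] += msg[1]               # sudo logs "N incorrect password attempt(s)"
            for (i = 2; i <= n; i++) {
                if (index(f[i], "COMMAND=") == 1 && !((user SUBSEP f[i]) in seen)) {
                    seen[user SUBSEP f[i]] = 1; cmds[user]++
                }
                if (index(f[i], "TTY=") == 1 && !((user SUBSEP f[i]) in seen)) {
                    seen[user SUBSEP f[i]] = 1; ttys[user]++
                }
            }
        }
        END { for (u in fails) print u, fails[u], cmds[u], ttys[u] }
    ' | sort
}

# suspect_broken_auth MIN: read log lines on stdin and list users with at
# least MIN failures, all against a single COMMAND, from two or more TTYs.
# A normally working account that keeps failing on its usual command from
# several sessions is the signature of a broken auth stack (as in the
# upgrade above); a burst from one TTY is more likely a typo or guessing.
suspect_broken_auth() {
    min=${1:-3}
    sudo_auth_failures | awk -v min="$min" '$2 >= min && $3 == 1 && $4 >= 2 { print $1 }'
}

# Run against the constructed log (or: cat /var/log/auth.log | suspect_broken_auth 3)
printf '%s\n' "$SAMPLE_LOG" | sudo_auth_failures
printf '%s\n' "$SAMPLE_LOG" | suspect_broken_auth 3
```

Against the sample, benjsc shows four failures on one command across two TTYs and is flagged; guest has three failures but from a single TTY and is not. On a real system feed it /var/log/auth.log (or wherever syslog sends sudo's authpriv messages) and compare the first failure time with the time of the port upgrade.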

It turns out that the latest versions of sudo break PAM authentication on FreeBSD. Whilst the article I found refers to OPIE (One-time Passwords In Everything), I've since confirmed that this issue affects machines without OPIE set up. So if you upgrade sudo to a later version and find that your password is no longer accepted, with the password prompt just reappearing, you'll need to patch sudo to get it working.

To do so, copy and paste the following on the console. Note that this patches only the extracted work tree, so the next portupgrade will rebuild from a clean extract and the patch will need to be reapplied (or dropped into the port's files/ directory as a patch-* file, which the ports framework applies automatically at make patch):

cd /usr/ports/security/sudo
make extract            # fetch and unpack the sudo sources into work/
cd work/sudo*
patch << 'END'          # quoted delimiter: the shell must not expand the patch text
--- auth/pam.c.orig     2010-02-04 10:43:28.635212518 -0600
+++ auth/pam.c  2010-02-04 10:43:34.194558424 -0600
@@ -107,13 +107,6 @@
     }

     /*
-     * Set PAM_RUSER to the invoking user (the "from" user).
-     * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
-     */
-    (void) pam_set_item(pamh, PAM_RUSER, user_name);
-    (void) pam_set_item(pamh, PAM_RHOST, user_host);
-
-    /*
      * Some versions of pam_lastlog have a bug that
      * will cause a crash if PAM_TTY is not set so if
      * there is no tty, set PAM_TTY to the empty string.

END
cd ../..                # back to /usr/ports/security/sudo
make build              # build the patched sources
make deinstall          # remove the broken sudo
make install            # install the patched build
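Review bot: the hunk removes both pam_set_item() calls, but the deleted comment ties only PAM_RHOST to the Solaris 7 workaround; PAM_RUSER tells the PAM stack which user invoked sudo and modules may rely on it. Suggest dropping only `(void) pam_set_item(pamh, PAM_RHOST, user_host);` (or guarding it with a platform #ifdef) and keeping `(void) pam_set_item(pamh, PAM_RUSER, user_name);`, and replacing the comment with one that says why PAM_RHOST is no longer set rather than deleting it outright.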

