Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
fa.freebsd.security
Message from discussion pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

View parsed - Show only message text

Received: by 10.68.62.35 with SMTP id v3mr3019897pbr.32.1316546110825;
        Tue, 20 Sep 2011 12:15:10 -0700 (PDT)
Path: lh7ni1300pbb.0!nntp.google.com!news1.google.com!volia.net!news2.volia.net!feed-A.news.volia.net!goblin1!goblin.stu.neva.ru!uio.no!nntp.uio.no!.POSTED!not-for-mail
From: Mike Tancsa <m...@sentex.net>
Newsgroups: fa.freebsd.security
Subject: pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)
Date: Tue, 20 Sep 2011 19:15:09 UTC
Organization: Sentex Communications
Lines: 108
Sender: owner-freebsd-secur...@freebsd.org
Message-ID: <fa.evvhKieAS6Nxv8PZng8/3EN1bHA@ifi.uio.no>
References: <fa.CLKAq9aXOBqOhKZloVqA555PMjQ@ifi.uio.no> <fa.coVWpZS7mds/aoGzuYgjBMhkFwU@ifi.uio.no>
NNTP-Posting-Host: mail-jess.uio.no
Mime-Version: 1.0
X-Trace: readme.uio.no 1316546109 5805 129.240.7.9 (20 Sep 2011 19:15:09 GMT)
X-Complaints-To: abuse@uio.no
NNTP-Posting-Date: Tue, 20 Sep 2011 19:15:09 +0000 (UTC)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US;
	rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
Cc: freebsd-secur...@freebsd.org
To: Corey Smith <corsm...@gmail.com>
Delivered-To: freebsd-secur...@freebsd.org
In-Reply-To: <4E778357.1030206@sentex.net>
X-Enigmail-Version: 1.1.1
X-Scanned-By: MIMEDefang 2.71 on IPv6:2607:f3e0:0:1::12
X-BeenThere: freebsd-secur...@freebsd.org
X-Mailman-Version: 2.1.5
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-requ...@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-secur...@freebsd.org>
List-Help: <mailto:freebsd-security-requ...@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-requ...@freebsd.org?subject=subscribe>
Original-Date: Tue, 20 Sep 2011 15:13:32 -0400
Original-Message-Id: <4E78E5DC.6050600@sentex.net>
Original-References: <CAHQQXOObKpCU9syvv0tYfets9+sMKjYU0ONeQ23KGkOOnxJ...@mail.gmail.com>
	<4E778357.1030...@sentex.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> On 9/16/2011 3:10 PM, Corey Smith wrote:
>> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>>>  My question is: which ones?
>>
>> security/pam_ssh_agent_auth
>>
>> It is BSD licensed and handy for sudo.
> 
> 
> Neato, I didnt know of this module for sudo!  However, with the default
> install on AMD64, I am getting coredump.

Actually, I tried the same setup on i386 and it seems to work just fine.
 However, on an AMD64 machine, sudo just coredumps.  Anyone running this
setup on amd64 ?

Running with -D9, normally it looks something like

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/su
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default

where as on amd64,

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
Segmentation fault

It seems to die in the call to

static int
policy_check(struct plugin_container *plugin, int argc, char * const argv[],
    char *env_add[], char **command_info[], char **argv_out[],
    char **user_env_out[])
{
    return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
        argv_out, user_env_out);
}


I cant get it to coredump since its setuid.  Before I start adding more
debug printfs, does anyone have any suggestions as to what it might be ?


	---Mike


> 
> I added
> 
> 
>  # auth
>  auth           include         system
> -
> +auth           sufficient      /usr/local/lib/pam_ssh_agent_auth.so
> file=/etc/sudokeys debug
>  # account
>  account                include         system
> 
> to /usr/local/etc/pam.d/sudo
> 
> and added
> 
> --- sudoers.sample      2011-09-19 13:24:56.000000000 -0400
> +++ sudoers     2011-09-19 13:29:17.000000000 -0400
> @@ -62,6 +62,10 @@
>  ## Uncomment to enable special input methods.  Care should be taken as
>  ## this may allow users to subvert the command being run via sudo.
>  # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
> QT_IM_SWITCHER"
> +
> +Defaults env_keep += SSH_AUTH_SOCK
> +
> +
> 
> 
> I must be missing something obvious?
> 
> 	---Mike
> 
> 


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
_______________________________________________
freebsd-secur...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"

Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google