
Bug#1003969: sudo: 1.9.8p2-1 audit plugin breaks if hostname doesn't resolve


Sven Mueller
Jan 18, 2022, 1:00:06 PM
Package: sudo
Version: 1.9.8p2-1
Severity: important

This is a regression compared to 1.9.5. Reproduction:
As root, run:

sudo -u nobody bash

Expect:

# sudo -u nobody
nobody@foobarxyz:/root$


Does:

# sudo -u nobody bash
sudo: unable to resolve host foobarxyz: Name or service not known
sudo: error initializing audit plugin sudoers_audit

This is with /etc/sudoers containing

root  ALL=(ALL) ALL

So no lookups should be required.

Note: "host non-resolving-hostname" must actually not return a result. If the hostname is not resolvable locally but resolvable via DNS, this issue does not occur.

Same setup with sudo 1.9.5p2-3 leads to:

root@larsa:~# sudo -u nobody bash
sudo: unable to resolve host foobarxyz: Name or service not known
nobody@foobarxyz:/root$

I tried figuring out which change exactly caused this, but I'm actually lost in the source code.

But from a search on bugzilla.sudo.ws, this seems to essentially be https://bugzilla.sudo.ws/show_bug.cgi?id=1016#c3

However:
root@larsa:~# hostname foobarxyz
root@larsa:~# sudo -u nobody bash
sudo: unable to resolve host foobarxyz: Name or service not known
sudo: error initializing audit plugin sudoers_audit
root@larsa:~# grep fqdn /etc/sudoers
Defaults !fqdn
root@larsa:~#
root@larsa:~# hostname larsa
root@larsa:~# sudo -u nobody bash
nobody@larsa:/root$
exit

So like Himanshu on that bug, it seems I'm unable to disable the fqdn option, or it doesn't have the influence Todd C. Miller thinks it has. I suspect that the default change via sudoers is only read after the audit.

And indeed, compiling 1.9.8p2-1 without --with-fqdn option would fix the regression, but I think the real fix is somewhere in the code. It is _wrong_ for the audit plugin to run into this error.


Sven Mueller
Jan 19, 2022, 7:40:03 AM
Tags 1003969 + fixed-upstream patch confirmed
Thanks

Sven Mueller
Jan 19, 2022, 11:00:05 AM
I can confirm that the linked upstream patch fixes the issue (sudo
works with non-resolvable hostname).

With the patch and `Defaults !fqdn`, no error or warning is shown/logged.

With the patch and `Defaults fqdn` (or without a Defaults line
referring to fqdn, i.e. with a default sudoers file), a warning is
shown when sudo is used, but it remains usable.

Cheers,
Sven


On Wed, Jan 19, 2022 at 13:29, Sven Mueller
<sven.mu...@gmail.com> wrote:

Marc Haber
Jan 22, 2022, 10:20:04 AM
tags 1003969 confirmed pending - patch
thanks

On Wed, Jan 19, 2022 at 01:29:19PM +0100, Sven Mueller wrote:
> Tags 1003969 + fixed-upstream patch confirmed

Only the package maintainer should set the "confirmed" tag. Please
refrain from doing this in the future. See
https://www.debian.org/Bugs/Developer
Thanks for spotting this. I have written an autopkgtest that fails
without this patch and succeeds with this patch, and have pushed both
the test and the fix. Will be in the next package.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
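The reproduction steps from the first message (set a hostname that does not resolve, run sudo, check whether the audit plugin fails) and the three outcomes Sven describes for the patched package (no output with `Defaults !fqdn`, a warning but a usable sudo with `Defaults fqdn`, the fatal audit-plugin error on the unpatched 1.9.8p2-1) can be turned into a small regression check of the kind Marc mentions. The script below is an added example; it is not the Debian package's autopkgtest and not code from anyone in this thread. It assumes it is run as root on a host with sudo installed and a `nobody` user, and the hostname `unresolvable-example.invalid` is a placeholder chosen because the `.invalid` TLD never resolves.

```shell
#!/bin/sh
# Added example, not code from this bug report or from the Debian sudo package.
# Assumptions: run as root, sudo installed, "nobody" user exists, and the
# placeholder hostname below really does not resolve on this machine.

# Precondition stated in the report: the hostname must not resolve at all,
# neither via /etc/hosts nor via DNS. Returns 0 when NAME is unresolvable.
hostname_unresolvable() {
    ! getent hosts "$1" >/dev/null 2>&1
}

# Reads sudo's stderr on stdin and prints one word:
#   fatal   - the audit plugin refused to initialize (the 1.9.8p2-1 regression)
#   warning - only the "unable to resolve host" line appeared (1.9.5 behaviour,
#             and patched sudo with Defaults fqdn): sudo stays usable
#   clean   - nothing reported (patched sudo with Defaults !fqdn)
classify_sudo_stderr() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'error initializing audit plugin'; then
        echo fatal
    elif printf '%s\n' "$out" | grep -q 'unable to resolve host'; then
        echo warning
    else
        echo clean
    fi
}

# Temporarily sets an unresolvable hostname, runs a harmless sudo command as
# "nobody", restores the hostname and classifies what sudo reported. The exit
# status is sudo's own, so the regression shows as "fatal" plus non-zero status.
reproduce_sudo_hostname_bug() {
    name=${1:-unresolvable-example.invalid}   # placeholder; .invalid never resolves
    if ! hostname_unresolvable "$name"; then
        echo "precondition failed: $name resolves" >&2
        return 2
    fi
    orig=$(hostname)
    hostname "$name" || return 2
    err=$(sudo -u nobody true 2>&1 >/dev/null)   # keep stderr, drop stdout
    status=$?
    hostname "$orig"
    printf '%s\n' "$err" | classify_sudo_stderr
    return "$status"
}

# Run the reproduction only when asked for explicitly and when running as root:
#   sh ./sudo-hostname-check.sh run
if [ "${1-}" = run ] && [ "$(id -u)" = 0 ]; then
    reproduce_sudo_hostname_bug "$2"
fi
```

Run with `run` as the first argument to exercise a real sudo; the classifier alone can be fed saved stderr from any sudo version (for example the two lines quoted in the first message) to check which of the three behaviours a given package shows.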

Sven Mueller
Jan 31, 2022, 1:10:08 PM
Hi Marc.

Any chance of an upload of a new sudo package any time soon, so that
the fix to this bug is available?

I would love to upgrade from 1.9.5 to >=1.9.8 because of some of the
fixes, but currently can't due to the issue in this bug.
I saw that you updated the repo on alioth to 1.9.9, which means the
patch I mentioned before has been integrated.

Cheers,
Sven

On Sat, Jan 22, 2022 at 16:13, Marc Haber
<mh+debian...@zugschlus.de> wrote: