Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

pam_ssh_agent_auth coredump on AMD64 (was Re: PAM modules)

2 views
Skip to first unread message

Mike Tancsa

unread,
Sep 20, 2011, 3:13:32 PM9/20/11
to
On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> On 9/16/2011 3:10 PM, Corey Smith wrote:
>> On 09/16/2011 11:05 AM, Dag-Erling Smørgrav wrote:
>>> My question is: which ones?
>>
>> security/pam_ssh_agent_auth
>>
>> It is BSD licensed and handy for sudo.
>
>
> Neato, I didnt know of this module for sudo! However, with the default
> install on AMD64, I am getting coredump.

Actually, I tried the same setup on i386 and it seems to work just fine.
However, on an AMD64 machine, sudo just coredumps. Anyone running this
setup on amd64 ?

Running with -D9, normally it looks something like

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/su
sudo: command info: runas_uid=0
sudo: command info: runas_gid=0
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=default

where as on amd64,

% sudo -D9 su
sudo: settings: debug_level=9
sudo: settings: progname=sudo
sudo: settings: network_addrs=....
sudo: sudo_mode 1
Segmentation fault

It seems to die in the call to

static int
policy_check(struct plugin_container *plugin, int argc, char * const argv[],
char *env_add[], char **command_info[], char **argv_out[],
char **user_env_out[])
{
return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
argv_out, user_env_out);
}


I cant get it to coredump since its setuid. Before I start adding more
debug printfs, does anyone have any suggestions as to what it might be ?


---Mike


>
> I added
>
>
> # auth
> auth include system
> -
> +auth sufficient /usr/local/lib/pam_ssh_agent_auth.so
> file=/etc/sudokeys debug
> # account
> account include system
>
> to /usr/local/etc/pam.d/sudo
>
> and added
>
> --- sudoers.sample 2011-09-19 13:24:56.000000000 -0400
> +++ sudoers 2011-09-19 13:29:17.000000000 -0400
> @@ -62,6 +62,10 @@
> ## Uncomment to enable special input methods. Care should be taken as
> ## this may allow users to subvert the command being run via sudo.
> # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE
> QT_IM_SWITCHER"
> +
> +Defaults env_keep += SSH_AUTH_SOCK
> +
> +
>
>
> I must be missing something obvious?
>
> ---Mike
>
>


--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"

Gary Palmer

unread,
Sep 20, 2011, 3:21:00 PM9/20/11
to
On Tue, Sep 20, 2011 at 03:13:32PM -0400, Mike Tancsa wrote:
> On 9/19/2011 2:00 PM, Mike Tancsa wrote:
> > On 9/16/2011 3:10 PM, Corey Smith wrote:
If you do

sysctl kern.sugid_coredump=1

can you get a coredump?

Gary

Mike Tancsa

unread,
Sep 20, 2011, 4:08:17 PM9/20/11
to
On 9/20/2011 3:21 PM, Gary Palmer wrote:
>
> If you do
>
> sysctl kern.sugid_coredump=1
>
> can you get a coredump?


Tried that too.

% sysctl -a | grep core
kern.corefile: %N.core
kern.nodump_coredump: 0
kern.coredump: 1
kern.sugid_coredump: 1
debug.elf64_legacy_coredump: 1
debug.elf32_legacy_coredump: 1

Actually, my mistake on i386. It seems the plugin works with

sudo-1.8.1_5

but not 1.8.2

Seems to die in the function policy_check in sudo.c


return plugin->u.policy->check_policy(argc, argv, env_add, command_info,
argv_out, user_env_out);
}




---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

Corey Smith

unread,
Sep 20, 2011, 5:39:56 PM9/20/11
to
On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa <mi...@sentex.net> wrote:
> Seems to die in the function policy_check in sudo.c

I am able to reproduce it as well on 8.2-RELEASE amd64,
pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.

I wonder if this change from dragonfly would work in FreeBSD:

http://gitweb.dragonflybsd.org/dragonfly.git/commitdiff/5c627295bf5ad6364bd3914b62c1075f370443d6

-Corey Smith

Mike Tancsa

unread,
Sep 21, 2011, 9:16:02 AM9/21/11
to
On 9/20/2011 5:39 PM, Corey Smith wrote:
> On Tue, Sep 20, 2011 at 4:08 PM, Mike Tancsa <mi...@sentex.net> wrote:
>> Seems to die in the function policy_check in sudo.c
>
> I am able to reproduce it as well on 8.2-RELEASE amd64,
> pam_ssh_agent_auth-0.9.3 and sudo-1.8.2.
>

I posted the question on the sudo list and there seems to be a work
around posted there!

http://www.sudo.ws/pipermail/sudo-users/2011-September/004831.html

---Mike


--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mi...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
0 new messages