Debian Bug report logs - #330868
sudo: doesn't drop privs on reboot


Package: sudo; Maintainer for sudo is Bdale Garbee <bdale@gag.com>; Source for sudo is src:sudo.

Reported by: Martin Pitt <mpitt@debian.org>

Date: Fri, 30 Sep 2005 08:03:06 UTC

Severity: important

Tags: security

Found in versions sudo/1.6.8p9-2, sudo/1.6.8p12-1, sudo/1.6.8p12-4

Fixed in version sudo/1.6.9p15-1

Done: Bdale Garbee <bdale@gag.com>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#330868; Package sudo.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>: New Bug report received and forwarded. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #5 received at submit@bugs.debian.org:

From: Martin Pitt <mpitt@debian.org>
To: Debian BTS Submit <submit@bugs.debian.org>
Subject: sudo: init script changes time of directories, not stamp files
Date: Fri, 30 Sep 2005 10:00:17 +0200
Package: sudo
Version: 1.6.8p9-2
Tags: patch

Hi Bdale!

The init script currently touches /var/run/sudo/*, but this does not
touch the user's stamp files, only the per-user directories. I made
this a bit more robust:

  http://patches.ubuntu.com/patches/sudo.fixtimestampclean.diff

it uses find -type f now.

It is no big deal since normally bootclean.sh purges /var/run anyway,
so it only matters under very exceptional conditions. But still it
should either do the right thing or just remove /var/run/sudo
completely.

Thanks!

Martin
-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Information forwarded to debian-bugs-dist@lists.debian.org: Bug#330868; Package sudo.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>: Extra info received and forwarded to list.


Message #10 received at 330868@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 330868@bugs.debian.org, Martin Pitt <mpitt@debian.org>
Cc: control@bugs.debian.org
Subject: Re: Bug#330868: sudo: init script changes time of directories, not stamp files
Date: Fri, 30 Sep 2005 07:57:16 -0600
tags 330868 +pending
thanks

On Fri, 2005-09-30 at 10:00 +0200, Martin Pitt wrote:
> I made this a bit more robust...

Yep.  Thanks!

Bdale




Tags added: pending. Request was from Bdale Garbee <bdale@gag.com> to control@bugs.debian.org.


Reply sent to Bdale Garbee <bdale@gag.com>: You have taken responsibility.

Notification sent to Martin Pitt <mpitt@debian.org>: Bug acknowledged by developer.


Message #17 received at 330868-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 330868-close@bugs.debian.org
Subject: Bug#330868: fixed in sudo 1.6.8p9-4
Date: Sat, 10 Dec 2005 08:02:17 -0800
Source: sudo
Source-Version: 1.6.8p9-4

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo_1.6.8p9-4.diff.gz
  to pool/main/s/sudo/sudo_1.6.8p9-4.diff.gz
sudo_1.6.8p9-4.dsc
  to pool/main/s/sudo/sudo_1.6.8p9-4.dsc
sudo_1.6.8p9-4_i386.deb
  to pool/main/s/sudo/sudo_1.6.8p9-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 330868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 10 Dec 2005 07:47:07 -0800
Source: sudo
Binary: sudo
Architecture: source i386
Version: 1.6.8p9-4
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
Closes: 283231 330868 332849
Changes: 
 sudo (1.6.8p9-4) unstable; urgency=low
 .
   * enable ldap support, deliver README.LDAP and sudoers2ldif, closes: #283231
   * merge patch from Martin Pitt / Ubuntu to be more robust about resetting
     timestamps in the init.d script, closes: #330868
   * add dependency header to init.d script, closes: #332849
Files: 
 d346c599b91df540922dbc125bba412c 577 admin optional sudo_1.6.8p9-4.dsc
 05e476fd2af62eb17b060b6d072f6efc 27829 admin optional sudo_1.6.8p9-4.diff.gz
 bd1144074b727ab56940e095c7bf95ef 171694 admin optional sudo_1.6.8p9-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDmvk+ZKfAp/LPAagRAiceAJ4qpatPtzi7SLcr+hBI8STegUGP1gCfetHU
kKpQWViiJrfWRjetW7fe3qI=
=SX4A
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#330868; Package sudo.

Acknowledgement sent to Jö Fahlke <jorrit@jorrit.de>: Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #22 received at 330868@bugs.debian.org:

From: Jö Fahlke <jorrit@jorrit.de>
To: Debian Bug Tracking System <330868@bugs.debian.org>
Subject: sudo: Sudo now fails to reset the timestamps on boot
Date: Tue, 14 Feb 2006 01:33:56 +0100
Package: sudo
Version: 1.6.8p12-1
Followup-For: Bug #330868

Hi!

Since my recent upgrade to etch sudo fails to reset timestamps on
boot.  strace shows that sudo actually stat's /var/run/sudo/<USER>,
which is a directory, but the initscript now only resets the
timestamps of plain files.  Here is the excerpt from strace for user
"joe":

======================================================================
setreuid32(-1, 0)                       = 0
setuid32(0)                             = 0
open("/etc/group", O_RDONLY)            = 4
fcntl64(4, F_GETFD)                     = 0
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
_llseek(4, 0, [0], SEEK_CUR)            = 0
fstat64(4, {st_mode=S_IFREG|0644, st_size=1194, ...}) = 0
mmap2(NULL, 1194, PROT_READ, MAP_SHARED, 4, 0) = 0xb7f78000
_llseek(4, 1194, [1194], SEEK_SET)      = 0
munmap(0xb7f78000, 1194)                = 0
close(4)                                = 0
lstat64("/var/run/sudo", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
lstat64("/var/run/sudo/joe", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
time(NULL)                              = 1139875642
utimes("/var/run/sudo/joe", NULL)       = 0
time([1139875642])                      = 1139875642
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
stat64("/etc/localtime", {st_mode=S_IFREG|0644, st_size=837, ...}) = 0
socket(PF_FILE, SOCK_DGRAM, 0)          = 4
fcntl64(4, F_SETFD, FD_CLOEXEC)         = 0
connect(4, {sa_family=AF_FILE, path="/dev/log"}, 16) = 0
send(4, "<85>Feb 14 01:07:22 sudo:      j"..., 94, MSG_NOSIGNAL) = 94
close(4)                                = 0
======================================================================

Thanks for your good work,
Jö.

-- System Information:
Debian Release: testing/unstable
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'testing'), (500, 'stable'), (1, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-486
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)

Versions of packages sudo depends on:
ii  libc6                         2.3.5-13   GNU C Library: Shared libraries an
ii  libpam-modules                0.79-3     Pluggable Authentication Modules f
ii  libpam0g                      0.79-3     Pluggable Authentication Modules l

sudo recommends no packages.

-- no debconf information

-- 
<Ku]aku> seen _Armus_
-:- SignOff Ku]aku: #macht (changing servers)
<Volk> I don't know who _Armus_ is.

Information forwarded to debian-bugs-dist@lists.debian.org, Bdale Garbee <bdale@gag.com>: Bug#330868; Package sudo.

Acknowledgement sent to David Härdeman <david@hardeman.nu>: Extra info received and forwarded to list. Copy sent to Bdale Garbee <bdale@gag.com>.


Message #27 received at 330868@bugs.debian.org:

From: David Härdeman <david@hardeman.nu>
To: 330868@bugs.debian.org
Cc: jorrit@jorrit.de, mpitt@debian.org
Subject: sudo: Sudo now fails to reset the timestamps on boot
Date: Wed, 11 Apr 2007 00:11:09 +0200
I see the same problem (on Etch). Basically, /var/run/sudo seems to 
contain nothing else but directories, which are skipped by the "-type f" 
argument to find.

The easiest way to fix it seemed to be to remove "-type f" so that the 
timestamp of everything under /var/run/sudo is changed.

Note that this means that sudo in Etch currently does not drop sudo 
privileges on reboot...perhaps something which should be fixed in 
proposed-updates since it poses a mild security issue?

-- 
David Härdeman




Information forwarded to debian-bugs-dist@lists.debian.org: Bug#330868; Package sudo.

Acknowledgement sent to Bdale Garbee <bdale@gag.com>: Extra info received and forwarded to list.


Message #32 received at 330868@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: David Härdeman <david@hardeman.nu>, 330868@bugs.debian.org
Subject: Re: Bug#330868: sudo: Sudo now fails to reset the timestamps on boot
Date: Fri, 13 Apr 2007 09:01:04 -0600
On Wed, 2007-04-11 at 00:11 +0200, David Härdeman wrote:

> The easiest way to fix it seemed to be to remove "-type f" so that the 
> timestamp of everything under /var/run/sudo is changed.

Yep, I think so too.  I don't recall why I thought the -f made sense at
the time I accepted the patch from Martin Pitt.  Fixed in my CVS for the
next upload.

> Note that this means that sudo in Etch currently does not drop sudo 
> privileges on reboot...perhaps something which should be fixed in 
> proposed-updates since it poses a mild security issue?

Possibly.

Bdale
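The two messages above describe the whole problem: Martin's patch (message #5) made the init script reset only plain files with `find -type f`, but, as Jö's strace and David's message show, sudo 1.6.x on Etch keeps the stamp as the mtime of the per-user directory `/var/run/sudo/<user>` (with `tty_tickets` on it is instead a file `/var/run/sudo/<user>/<tty>`), so a directory stamp survived the reboot. The script below is an added example, not the Debian sudo init.d script, and it runs only against a throwaway directory built here as constructed test data; the 1985 backdate and the 2000-01-01 "freshness" reference are assumptions chosen for illustration. It shows the `-type f` variant leaving the directory stamps fresh and the corrected variant backdating everything:

```shell
#!/bin/sh
# Added example for bug #330868; this is NOT Debian's sudo init.d script.
# Layout modelled after the strace in this report for sudo 1.6.x:
#   /var/run/sudo/<user>        directory whose mtime is the stamp (tty_tickets off)
#   /var/run/sudo/<user>/<tty>  plain file per tty (tty_tickets on)
# Only a temporary tree is touched, never the real /var/run/sudo.

STALE_TS=198501010000   # assumed backdate, touch -t format CCYYMMDDhhmm

# Constructed test data: alice has a stamp directory, bob a per-tty stamp file.
make_fake_tree() {
    mkdir -p "$1/alice" "$1/bob"
    : > "$1/bob/tty1"
    touch "$1/alice" "$1/bob" "$1/bob/tty1"   # all three stamps are fresh (now)
}

# Variant as shipped in sudo 1.6.8p9-4: "-type f" skips the per-user
# directories, so alice's stamp is still valid after the reset.
reset_files_only() {
    find "$1" -type f -exec touch -t "$STALE_TS" '{}' +
}

# Corrected variant from the thread: without "-type f" the directory
# stamps are backdated as well.
reset_everything() {
    find "$1" -exec touch -t "$STALE_TS" '{}' +
}

# Count entries below $1 whose mtime is newer than 2000-01-01, i.e. stamps
# sudo would still honour. The reference file is created outside the tree
# so that creating it does not bump any directory mtime inside it.
count_fresh() {
    ref=$(mktemp)
    touch -t 200001010000 "$ref"
    find "$1"/* -newer "$ref" | wc -l | tr -d ' '
    rm -f "$ref"
}

# Stand-alone demonstration against a temporary tree.
demo() {
    tmp=$(mktemp -d)
    make_fake_tree "$tmp/sudo"
    echo "fresh before reset:        $(count_fresh "$tmp/sudo")"   # 3
    reset_files_only "$tmp/sudo"
    echo "fresh after -type f reset: $(count_fresh "$tmp/sudo")"   # 2 (alice, bob)
    reset_everything "$tmp/sudo"
    echo "fresh after full reset:    $(count_fresh "$tmp/sudo")"   # 0
    rm -rf "$tmp"
}
demo
```

The count after the `-type f` pass is the bug in one number: both directory stamps are still newer than the reference, so a user whose last `sudo` was within `timestamp_timeout` before the reboot would not be re-prompted. Dropping `-type f` (or removing `/var/run/sudo` outright, as Martin suggested) gets the count to zero.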




Tags added: security. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:06:05 GMT)

Changed Bug title to "sudo: doesn't drop privs on reboot" from "sudo: init script changes time of directories, not stamp files". Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:06:06 GMT)

Bug reopened, originator not changed. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:06:06 GMT)

Bug marked as found in version 1.6.8p12-4. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:06:07 GMT)

Tags removed: patch. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:15:13 GMT)

Severity set to `important' from `normal'. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Sat, 14 Apr 2007 00:18:02 GMT)


Reply sent to bdale@gag.com (Bdale Garbee): You have taken responsibility.

Notification sent to Martin Pitt <mpitt@debian.org>: Bug acknowledged by developer.


Message #49 received at 330868-done@bugs.debian.org:

From: bdale@gag.com (Bdale Garbee)
To: 330868-done@bugs.debian.org
Subject: no longer relevant
Date: Fri, 22 Feb 2008 10:17:02 -0800 (PST)
With the resolution to bug #397090, there is no longer an init.d provided with
the sudo package since /var/run is now aggressively cleaned by the initscripts
package.  Thus, this bug should no longer exist.  Closing with no further
action taken.

Bdale




Bug reopened, originator not changed. Request was from Justin Pryzby <justinpryzby@users.sourceforge.net> to control@bugs.debian.org. (Fri, 22 Feb 2008 22:12:07 GMT)


Reply sent to Bdale Garbee <bdale@gag.com>: You have taken responsibility.

Notification sent to Martin Pitt <mpitt@debian.org>: Bug acknowledged by developer.


Message #56 received at 330868-close@bugs.debian.org:

From: Bdale Garbee <bdale@gag.com>
To: 330868-close@bugs.debian.org
Subject: Bug#330868: fixed in sudo 1.6.9p15-1
Date: Thu, 03 Apr 2008 21:17:53 +0000
Source: sudo
Source-Version: 1.6.9p15-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.6.9p15-1_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.6.9p15-1_i386.deb
sudo_1.6.9p15-1.diff.gz
  to pool/main/s/sudo/sudo_1.6.9p15-1.diff.gz
sudo_1.6.9p15-1.dsc
  to pool/main/s/sudo/sudo_1.6.9p15-1.dsc
sudo_1.6.9p15-1_i386.deb
  to pool/main/s/sudo/sudo_1.6.9p15-1_i386.deb
sudo_1.6.9p15.orig.tar.gz
  to pool/main/s/sudo/sudo_1.6.9p15.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 330868@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 03 Apr 2008 14:25:56 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.6.9p15-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 330868 467126 473337
Changes: 
 sudo (1.6.9p15-1) unstable; urgency=low
 .
   * new upstream version, closes: #467126, #473337
   * remove pointless postrm scripts, leaving debhelper do its thing if needed,
     thanks to Justin Pryzby for pointing this out
   * reinstate the init.d, since bootclean doesn't quite do what we want.  This
     also means we don't need the preinst scripts any more.  Update the lintian
     overrides since postinst is a Perl script lintian apparently isn't parsing
     well.  closes: #330868
Files: 
 b7b4d7e28219123fb2e7a22d7e8d5d91 617 admin optional sudo_1.6.9p15-1.dsc
 06cfeed4ececfce6c82e03974c588066 593065 admin optional sudo_1.6.9p15.orig.tar.gz
 874e3a99ab6ea38c3d7ce24a80f3d62a 21643 admin optional sudo_1.6.9p15-1.diff.gz
 5a9da1b357488616b60801a4e285fc20 174684 admin optional sudo_1.6.9p15-1_i386.deb
 0e9b885219c7ede6d133bc38fb9eee1a 183666 admin optional sudo-ldap_1.6.9p15-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH9UNPZKfAp/LPAagRAnASAJ9C8Gra9fA8w63FH1vvXKBZZUrz7wCdF3OC
S5d1iixhUQQtExNWyKgr5OU=
=Ig9c
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 08 Jul 2008 07:35:55 GMT)

Bug unarchived. Request was from Stefano Zacchiroli <zack@debian.org> to control@bugs.debian.org. (Sun, 10 Apr 2011 08:47:20 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 09 May 2011 07:46:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 11 12:05:35 2017; Machine Name: buxtehude
