[Bug 1565567] Re: segv in sudo_getgrgid
Rafael David Tinoco
rafael.tinoco at canonical.com
Wed May 4 04:14:17 UTC 2016
(2)
Going back to backtrace we have:
mode_run -> policy_check -> sudoers_policy_main -> create_admin_success_flag -> user_in_group (global sudo_user)
    /* Check whether the user is in the admin group. */
    if (!user_in_group(sudo_user.pw, "admin") &&
        !user_in_group(sudo_user.pw, "sudo"))
        debug_return_int(true);
and then user_in_group calls:
if ((grlist = sudo_get_grlist(pw)) != NULL) {
if "admin" == pw->pw_gid: matched = 1, goto done.
(gdb) print sudo_user->pw->pw_gid
$5 = 7241
Not the case.
    /*
     * Next check the supplementary group vector.
     * It usually includes the password db group too.
     */
    for (i = 0; i < grlist->ngroups; i++) {
        if (strcasecmp(group, grlist->groups[i]) == 0) {
            matched = true;
            goto done;
        }
    }
(gdb) frame 1
#1 0x00007fa01c0a7ab1 in user_in_group (pw=0x56174c050ca8, group=group@entry=0x7fa01c0b14c4 "admin")
at /build/sudo-g3ghsu/sudo-1.8.16/plugins/sudoers/pwutil.c:842
842 if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
(gdb) print grlist->ngroups
$6 = 1
(gdb) print grlist->groups[0]
$7 = 0x56174c050d7f "sudo"
This should have gone to "done" because it is "sudo".
But we are checking for "admin":
(gdb) print group
$12 = 0x7fa01c0b14c4 "admin"
In both cases it should have finished and not continued. If it
continued, it would go to "PROBLEM" (comment #6).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1565567
Title:
segv in sudo_getgrgid
Status in sudo package in Ubuntu:
Confirmed
Bug description:
If the user is in a group with no name (because libnss-db got removed
and the group was defined there, for example...) then:
the call to sudo_debug_printf in sudo_getgrgid
(plugins/sudoers/pwutil.c, line 462) causes a SEGV when trying to get
item->d.gr->gr_name (since item->d.gr is NULL).