Following execution path I get: ====
(1) mode_run -> policy_check -> sudoers_policy_main -> sudoers_policy_init: - init_vars (fills global variable sudo_user) - sudo_user->pwd (from global struct passwd) will be used in "user_in_group" as "struct passwd" of executing user - it will check whether the executing user is in a certain group (pre-reqs for sudo execution) /* * Get a local copy of the user's struct passwd if we don't already * have one. */ if (sudo_user.pw == NULL) { if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) { /* * It is not unusual for users to place "sudo -k" in a .logout * file which can cause sudo to be run during reboot after the * YP/NIS/NIS+/LDAP/etc daemon has died. */ if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) { sudo_warnx(U_("unknown uid: %u"), (unsigned int) user_uid); debug_return_bool(false); } /* Need to make a fake struct passwd for the call to log_warningx(). */ sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL); unknown_user = true; } } so sudo_user->pwd comes from sudo_mkpwent(user_name). At this time, impossible that sudo_mkpwent has cached values so we have: ... item = sudo_make_pwitem((uid_t)-1, name); if (item == NULL) { const size_t len = strlen(name) + 1; if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) { sudo_warnx(U_("unable to cache user %s, out of memory"), name); debug_return_ptr(NULL); } item->refcnt = 1; item->k.name = (char *) item + sizeof(*item); memcpy(item->k.name, name, len); /* item->d.pw = NULL; */ } strlcpy(item->registry, key.registry, sizeof(item->registry)); switch (rbinsert(pwcache_byname, item, NULL)) { ... Since sudo_make_pwitem relies on local authentication, and user is coming from ldap... item = NULL. With item being NULL, cache item item->d (union) will be filled of zeroes. With that, item->d>pw will be a NULL pointer. PROBLEM: In the future, when this cache item is recovered from redblack tree, any reference to item->d>pw will fail. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1565567 Title: segv in sudo_getgrgid Status in sudo package in Ubuntu: Confirmed Bug description: If the user is in a group with no name (because libnss-db got removed and the group was defined there, for example...) then: the call to sudo_debug_printf in sudo_getgrgid (plugins/sudoers/pwutil.c, line 462) causes a SEGV when trying to get item->d.gr->gr_name (since item->d.gr is NULL). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1565567/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp