NetBSD-Users archive


Re: recent strange sudo behavior, probably due to /dev/pts



Greg Troxel <gdt%lexort.com@localhost> writes:

> After a lot of investigating including writing a quick read/printf
> program to examine the sudo timestamp files, the problem appears to be
> that the timestamp records are "TS_PPID" rather than "TS_TTY".  The
> parent is something deep in make, and thus different every time.  So
> this is not really a pkgsrc issue.

Followup for the archives.

There are two problems that combine for hard-to-debug bad behavior.

1) devname(3)

devname(3) converts a device major/minor to a pathname.  sudo uses this.
However, it uses /var/run/dev.cdb, which is created by dev_mkdb(8) which
runs at boot.

So if you boot your system with /dev/ttyp*, mount ptyfs, rm /dev/ttyp*,
and log out and back in, you will still get e.g. /dev/ttyp5 from
devname.  (I saw this in the sudo logs.)


2) sudo bugs

sudo's default is 'tty'.  It gets the major/minor.  But it doesn't just
store that in the timestamp file.  It calls devname, and if it can't
stat the result, *silently*, even with respect to debugging statements,
switches to ppid mode.  If it can stat, it stores the dev_t in the file.

See plugins/sudoers/timestamp.c, line 415, where it checks that stat
succeeds on the path.

The bad bug is that failure to stat a path that should be valid should
be fatal, not a silent flip to ppid.  The lesser bug is that if the
thing that matters is the dev_t, it should just use that.



Once realizing, re-running dev_mkdb caused devname to return /dev/pts/5
instead, and things work as I would expect.
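
The stat check described in the message, as an added example that is not from the original post or from sudo's source: `check_dev_name` is a hypothetical helper that reports a stale devname(3) answer loudly instead of falling back silently. On systems other than NetBSD, `ttyname(3)` stands in for `devname(3)` as an assumption so the program still builds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

enum name_status { NAME_OK, NAME_MISSING, NAME_NOT_CHR, NAME_MISMATCH };

/* Hypothetical helper: does `path` still name the character device `want`? */
enum name_status
check_dev_name(const char *path, dev_t want)
{
	struct stat sb;

	if (path == NULL || stat(path, &sb) == -1)
		return NAME_MISSING;	/* e.g. /dev/ttyp5 removed after ptyfs mount */
	if (!S_ISCHR(sb.st_mode))
		return NAME_NOT_CHR;
	if (sb.st_rdev != want)
		return NAME_MISMATCH;	/* path exists but is another device */
	return NAME_OK;
}

int
main(void)
{
	static const char *const why[] = {
		"matches the dev_t of stdin", "cannot be stat'ed",
		"is not a character device", "names a different device"
	};
	struct stat sb;
	const char *name;
	enum name_status st;

	if (fstat(STDIN_FILENO, &sb) == -1 || !S_ISCHR(sb.st_mode)) {
		fprintf(stderr, "stdin is not a character device\n");
		return 2;
	}
#if defined(__NetBSD__)
	name = devname(sb.st_rdev, S_IFCHR);	/* looked up in /var/run/dev.cdb */
#else
	name = ttyname(STDIN_FILENO);		/* assumption: stand-in lookup */
#endif
	st = check_dev_name(name, sb.st_rdev);
	printf("%s %s\n", name ? name : "(no name)", why[st]);
	if (st != NAME_OK)
		fprintf(stderr, "name lookup is stale; on NetBSD re-run dev_mkdb(8)\n");
	return st == NAME_OK ? 0 : 1;
}
```

Run from the terminal whose sudo timestamps misbehave; a non-zero exit means the name lookup and the actual device node disagree.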



