'sudo' w/PAM option sometimes fails on i386 netbsd-9, -current

["John D. Baker" <jdbaker%consolidated.net@localhost>]

I wrote about this some time ago and the situation has only improved in the
sense that it seems not to happen as frequently as it used to, but the
problem remains.

I build "security/sudo" with the "pam" option and set the
"timestamp_timeout" in "/usr/pkg/etc/sudoers" fairly high so when running
'pkg_rolling-replace' to update packages, the real install phase only
needs authentication for packages that had a sufficiently long build
time.

Every once in a while, the "automatic" authentication during the
"timestamp_timeout" period fails with:

[...]
=> Becoming ``root'' to make su-replace (sudo)
sudo: unable to initialize PAM: Operation not permitted
*** Error code 1

Stop.
[...]

When I change to the package whose installation was interrupted and
manually run 'make replace', if the "timestamp_timeout" has not yet
lapsed, the replace will proceed.  Otherwise, I authenticate and the
replace proceeds.

I've only encountered this on i386 lately.  At some time in the past,
I saw it on sparc, but I don't update packages on sparc as often, and
I don't recall seeing it the last time I did.

I seem to recall encountering this problem when running something
directly at the command line:

  $ sudo foo_cmd -foo_opts... foo_args...

but that was a long time ago...

-- 
|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645