Subject: Re: pkgsrc/security/sudo and Linux issues
To: Jeremy C. Reed <reed@reedmedia.net>
From: Kimmo Suominen <kim@tac.nyc.ny.us>
List: tech-pkg
Date: 02/02/2005 21:33:37

Hi Jeremy!

Please use send-pr(8) to report problems.  I won't be able to track
problem reports through my email inbox only, sorry.  (That's not to
say that problems shouldn't be discussed on tech-pkg.)

When it comes to other operating systems than NetBSD, I'll have to rely
on users like you to provide support.  All my systems run NetBSD.  (I
tried Interix once, but it didn't seem worth the trouble.)

Off the top of my head, I don't know how a good default PAM config
could be provided by the package.  Maybe a MESSAGE.PAM is needed to
alert the administrator to the issue?

If you want to commit the changes for issues 3 and 4, please go ahead.
Otherwise, I'd appreciate filing a PR as a reminder, and I'll take care
of it this weekend.

Regards,
+ Kim
-- 
Kimmo Suominen


On Wed, Feb 02, 2005 at 03:16:42PM -0800, Jeremy C. Reed wrote:
> I upgraded sudo on two of my Linux boxes (because audit-packages told
> me!).
> 
> I have a few issues with the package:
> 
> 1) sudo didn't work due to:
> 
> reed@puget:~$ sudo ls
> Sorry, try again.
> Sorry, try again.
> Sorry, try again.
> sudo: 3 incorrect password attempts
> 
> I had no chance to type in my password.
> 
> My auth.log has:
> 
> Feb  2 15:06:05 puget PAM-warn[1152]: function=[pam_sm_authenticate]
> service=[sudo] terminal=[ttyp0] user=[reed] ruser=[<unknown>]
> rhost=[<unknown>]
> Feb  2 15:06:05 puget last message repeated 2 times
> 
> 
> So I see I need a sudo rule for PAM.
> 
> My mk.conf has:
> USE_PAM=        YES
> PKG_DEFAULT_OPTIONS+=   PAM libcrack
> 
> So I added a /etc/pam.d/sudo and now sudo prompted me, but failed:
> 
> 
> reed@puget:~$ sudo ls
> Password:
> sudo: contact your system administrator, ÄÇEüAccount or password is expired
> Sorry, try again.
> Password:
> 
> 
> 2) Notice the strange character codes above.
> 
> And auth.log has:
> 
> Feb  2 15:12:12 puget sudo(pam_unix)[1173]: authentication failure;
> logname= uid=0 euid=0 tty=ttyp0 ruser= rhost=  user=reed
> 
> My previously working sudo was not linked with libpam. The new one is.
> 
> Any ideas on that?
> 
> I guess I should consult the sudo mailing list.
> 
> 3) The DESCR should probably not mention the mailing list paragraph. The
> share/doc/sudo/README can have that info.
> 
> 4) I noticed the man pages were missing. It is now using PLIST.${OPSYS}
> and no PLIST.Linux for listing the man-pages. (This problem existed with
> my old sudo-1.6.7.5 package also.)
> 
> Maybe instead of using PLIST.${OPSYS} (because we need to add all the
> PLIST.OPSYS we support) it could use some PLIST_SUBST as needed.
> 
> 
> This is sudo-1.6.8pl5nb1 and PAM-0.77nb4.
> 
>  Jeremy C. Reed
> 
>  	  	 	 BSD News, BSD tutorials, BSD links
> 	  	 	 http://www.bsdnewsletter.com/
>
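
Added example, not part of the original messages or of pkgsrc: a shell check that reads PAM-warn entries like the one in the first auth.log excerpt and lists the services that have no file of their own in the PAM configuration directory, which is the condition issue 1 describes for sudo. The function names and the sample log (constructed, with one entry adapted from the excerpt above) are assumptions, as is the premise that the system's fallback PAM policy logs through pam_warn.

```shell
#!/bin/sh
# pam_unconfigured_services LOGFILE PAMDIR
# Print each service named in a PAM-warn log entry that has no
# per-service file in PAMDIR, one name per line.
pam_unconfigured_services() {
    log=$1
    pamdir=$2
    # Entry format: "PAM-warn[pid]: function=[...] service=[name] ..."
    sed -n 's/.*PAM-warn\[[0-9]*]: .*service=\[\([^]]*\)].*/\1/p' "$log" |
        sort -u |
        while IFS= read -r svc; do
            # Skip empty names and names that would leave PAMDIR.
            case $svc in
                ''|*/*|.*) continue ;;
            esac
            [ -f "$pamdir/$svc" ] || printf '%s\n' "$svc"
        done
}

# Demo on constructed data: a PAM directory holding only "other" and
# "login", and a log in which both sudo and login triggered pam_warn.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/pam.d"
    : > "$tmp/pam.d/other"
    : > "$tmp/pam.d/login"
    cat > "$tmp/auth.log" <<'EOF'
Feb  2 15:06:05 puget PAM-warn[1152]: function=[pam_sm_authenticate] service=[sudo] terminal=[ttyp0] user=[reed] ruser=[<unknown>] rhost=[<unknown>]
Feb  2 15:06:05 puget last message repeated 2 times
Feb  2 15:07:10 puget PAM-warn[1160]: function=[pam_sm_authenticate] service=[login] terminal=[ttyp1] user=[reed] ruser=[<unknown>] rhost=[<unknown>]
Feb  2 15:12:12 puget sudo(pam_unix)[1173]: authentication failure; logname= uid=0 euid=0 tty=ttyp0 ruser= rhost=  user=reed
EOF
    pam_unconfigured_services "$tmp/auth.log" "$tmp/pam.d"
    rm -rf "$tmp"
}

# On a real system: pam_unconfigured_services /var/log/auth.log /etc/pam.d
demo
```

The demo prints only sudo: login also appears in a PAM-warn entry, but it has its own file in the constructed directory.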