sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Incorrect sudo -V output #386

Closed blemouzy closed 1 day ago

blemouzy commented 1 week ago

Hello,

I am working on an ARM-based embedded system with Yocto.

I noticed a strange sudo -V output (floating values are not correctly displayed) since the sudo update from 1.9.13p3 to 1.9.15p2.

```bash
# sudo -V | grep timeout
Authentication timestamp timeout: f minutes
Password prompt timeout: f minutes
```

I also tried the 1.9.15p5 version with same result.

millert commented 3 days ago

This happens when using sudo's snprintf() replacement since it does not support floating point. That should only be necessary on older systems without a C99-compatible snprintf() (or systems without asprintf()).

In your case, this is probably because sudo was built with a cross-compiler and that configure test was unable to run. These days, it is probably safe to assume that snprintf() is C99-compliant when cross-compiling. If you are building your own sudo, you can set ac_cv_have_working_snprintf=yes in the environment to avoid the issue.

blemouzy commented 2 days ago

> This happens when using sudo's snprintf() replacement since it does not support floating point. That should only be necessary on older systems without a C99-compatible snprintf() (or systems without asprintf()).

What explains the regression between 1.9.13p3 and 1.9.15p2?

> In your case, this is probably because sudo was built with a cross-compiler and that configure test was unable to run. These days, it is probably safe to assume that snprintf() is C99-compliant when cross-compiling. If you are building your own sudo, you can set ac_cv_have_working_snprintf=yes in the environment to avoid the issue.

I made the test:

After

12157:ac_cv_have_working_snprintf=yes

* check `sudo -V` output:
```bash
Authentication timestamp timeout: f minutes
Password prompt timeout: f minutes
```

⮕ same result

millert commented 2 days ago

Sorry, you also need to set ac_cv_have_working_vsnprintf=yes.

In sudo 1.9.13 vfprintf() was used to display those strings so the problem did not occur. The switch to using vsnprintf() in 1.9.14 is what triggered the issue. Sudo 1.9.16 will avoid the problem by treating ac_cv_have_working_snprintf=cross and ac_cv_have_working_vsnprintf=cross the same as "yes".

blemouzy commented 1 day ago

> Sorry, you also need to set ac_cv_have_working_vsnprintf=yes.

That effectively works now!

> In sudo 1.9.13 vfprintf() was used to display those strings so the problem did not occur. The switch to using vsnprintf() in 1.9.14 is what triggered the issue.

Thanks for the explanation and thanks for the support.

> Sudo 1.9.16 will avoid the problem by treating ac_cv_have_working_snprintf=cross and ac_cv_have_working_vsnprintf=cross the same as "yes".

Nice! Link to the associated commit: 920710b186ad11205b7f4969178555cd5fe23e20
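
An added example, not part of the thread and not sudo's own configure test: a small C probe for the two properties the replies discuss, C99 return-value behaviour and floating-point support in snprintf() and vsnprintf(). The function names, the `%.1f minutes` format and the value 5.0 are constructed for illustration; built for and run on the target, it performs the kind of check a cross-compiling configure cannot execute.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Forward variadic arguments to vsnprintf() so it can be probed directly. */
static int via_vsnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Returns 1 if snprintf() behaves as C99 requires, 0 otherwise. */
int snprintf_is_c99(void)
{
    char small[4], out[32];
    /* Return value is the untruncated length; output stays NUL-terminated. */
    if (snprintf(small, sizeof(small), "%s", "12345") != 5 || strcmp(small, "123") != 0)
        return 0;
    /* Size 0 with a NULL buffer only reports the length needed. */
    if (snprintf(NULL, 0, "%s", "12345") != 5)
        return 0;
    /* Floating point: the issue's symptom is a literal "f" in place of the number. */
    if (snprintf(out, sizeof(out), "%.1f minutes", 5.0) != 11)
        return 0;
    return strcmp(out, "5.0 minutes") == 0;
}

/* Same checks for vsnprintf(), which has its own configure cache variable. */
int vsnprintf_is_c99(void)
{
    char small[4], out[32];
    if (via_vsnprintf(small, sizeof(small), "%s", "12345") != 5 || strcmp(small, "123") != 0)
        return 0;
    if (via_vsnprintf(NULL, 0, "%s", "12345") != 5)
        return 0;
    if (via_vsnprintf(out, sizeof(out), "%.1f minutes", 5.0) != 11)
        return 0;
    return strcmp(out, "5.0 minutes") == 0;
}

int main(void)
{
    printf("snprintf:  %s\n", snprintf_is_c99() ? "C99" : "not C99");
    printf("vsnprintf: %s\n", vsnprintf_is_c99() ? "C99" : "not C99");
    return !(snprintf_is_c99() && vsnprintf_is_c99());
}
```

If both lines report C99 on the target, setting the two ac_cv_have_working_* variables to yes for the cross build matches what the target libc actually provides.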