Potential steps to reproduce:
1. PAM is configured to unconditionally allow the user to authenticate as itself, even when the program that runs PAM does not have its euid set to 0.
2. The user runs su $(whoami) when not root.
3. su considers the user authenticated, attempts to setuid, and fails.
On Linux, PAM will ask the user to authenticate even when the user wants to run su to become itself. On FreeBSD, PAM will allow su to be used without authentication when the target is the same as the calling user. I'm not sure how to configure Linux PAM to get the FreeBSD behaviour in a test.
The problem is that this behaviour causes sudo to return after having forked: the forked child falls back into the parent-side code path, closing file descriptors that have already been closed, etc. See the linked PR.
Any error between close_the_universe and exec would have this problem. The exact repro I mentioned is just one of the ways this can theoretically happen.
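The failure mode above, as an added example in C (this is not code from the original report, nor the project's own exec code). A simulated sudo process forks a child, closes every file descriptor except a report pipe and an exec error pipe (a stand-in close_the_universe; the real function's policy is assumed to differ), and tries to exec a path that is constructed not to exist. With exit_on_failure == 0 the child falls through into the parent's code path, exactly as described; with exit_on_failure != 0 it _exit()s. The parent path is instrumented so the observer can count how many processes ran it and how many of them found their descriptors already closed. The whole thing is wrapped in an extra fork so the buggy fall-through cannot escape into the caller.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for sudo's close-everything step: close every fd >= 3 except the
 * ones listed in keep[]. Assumption: the real function keeps a different set. */
static void close_the_universe(const int *keep, size_t nkeep) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536) maxfd = 65536; /* bound the loop for the demo */
    for (long fd = 3; fd < maxfd; fd++) {
        int kept = 0;
        for (size_t i = 0; i < nkeep; i++)
            if (keep[i] == fd) kept = 1;
        if (!kept) close((int)fd);
    }
}

static void report(int fd, char tag) { ssize_t n = write(fd, &tag, 1); (void)n; }

struct demo_result {
    int parent_path_runs; /* processes that executed the post-fork parent code */
    int ebadf_reads;      /* of those, how many found their fds already closed */
    int sudo_status;      /* exit status of the simulated sudo process */
};

/* exit_on_failure == 0 reproduces the bug; != 0 applies the fix (_exit). */
static struct demo_result spawn_and_wait(int exit_on_failure) {
    struct demo_result r = { 0, 0, -1 };
    int rep[2], errpipe[2];
    if (pipe(rep) < 0 || pipe(errpipe) < 0) return r;
    fcntl(errpipe[1], F_SETFD, FD_CLOEXEC); /* closed by a successful exec */

    pid_t sudo_pid = fork();               /* sandbox: the simulated sudo */
    if (sudo_pid < 0) return r;
    if (sudo_pid == 0) {
        close(rep[0]);
        pid_t child = fork();
        if (child == 0) {
            const int keep[] = { rep[1], errpipe[1] };
            close_the_universe(keep, 2);
            char *const argv[] = { "does-not-exist", NULL };
            execv("/nonexistent/does-not-exist", argv); /* constructed: always fails */
            int err = errno;
            ssize_t w = write(errpipe[1], &err, sizeof err); (void)w;
            if (exit_on_failure)
                _exit(127);
            /* BUG: no _exit() here, so the child continues below as if it were
             * the parent. Any error between close_the_universe and exec that
             * returns instead of exiting has the same effect. */
        }
        /* Parent-side code path. */
        close(errpipe[1]);
        int child_errno = 0;
        ssize_t n = read(errpipe[0], &child_errno, sizeof child_errno);
        if (n < 0 && errno == EBADF)
            report(rep[1], 'E'); /* our fds are already closed: we are the child */
        report(rep[1], 'P');
        if (child > 0)
            waitpid(child, NULL, 0);
        _exit(n == (ssize_t)sizeof child_errno ? 127 : 0);
    }

    /* Observer: count who ran the parent path, then collect the sandbox. */
    close(rep[1]); close(errpipe[0]); close(errpipe[1]);
    char buf[16];
    ssize_t n;
    while ((n = read(rep[0], buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) {
            if (buf[i] == 'P') r.parent_path_runs++;
            if (buf[i] == 'E') r.ebadf_reads++;
        }
    close(rep[0]);
    int st;
    if (waitpid(sudo_pid, &st, 0) == sudo_pid && WIFEXITED(st))
        r.sudo_status = WEXITSTATUS(st);
    return r;
}

int main(void) {
    struct demo_result bug = spawn_and_wait(0), fix = spawn_and_wait(1);
    printf("bug: parent path ran %d times, %d with closed fds, sudo exit %d\n",
           bug.parent_path_runs, bug.ebadf_reads, bug.sudo_status);
    printf("fix: parent path ran %d times, %d with closed fds, sudo exit %d\n",
           fix.parent_path_runs, fix.ebadf_reads, fix.sudo_status);
    return 0;
}
```

In the buggy run the parent path executes twice, and the second execution (in the child) sees EBADF on descriptors it already closed; in the fixed run it executes once. The structural fix is the one the child branch shows: every error path after fork() must end in _exit(), never in a return that the parent-side code can observe.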