| arraybolt3 | Eickmeyer: So, is it a matter of fixing sudo itself, or does kdesu pass flags to sudo that are messing it up? | 02:31 |
|---|---|---|
| arraybolt3 | Eickmeyer: In Lubuntu (which I believe uses lxqt-sudo?), it works (if I'm remembering correctly, I tested it just last night). | 02:32 |
| Eickmeyer | It's a matter of fixing sudo itself. A certain upload broke it, so there might need to be a bisect, but neither him nor I have had a chance to do it. | 02:32 |
| arraybolt3 | Eickmeyer: Bisect. OK. I've looked a bit a git, so I might be able to learn that, and I just got unmetered Internet hooked up today, so there's no more bandwitch issues. | 02:33 |
| Eickmeyer | If we can identify which commit broke it, we can file an upstream bug report and get some attention on it. | 02:33 |
| arraybolt3 | s/bandwitch/bandwidth | 02:33 |
| Eickmeyer | Oh, sweet! That's more than I have! | 02:33 |
| arraybolt3 | Eickmeyer: Sounds good. What repo should I be digging through? Is there a git link? | 02:33 |
| Eickmeyer | I'm limited to 1.2TB/month #BlameComcast | 02:33 |
| arraybolt3 | Eickmeyer: Look into Calyx Institute. If you're in a T-Mobile cell tower area, they give you unlimited data (people have hit 1.3 TB and were still going strong) for $50 per month, payed three months at a time (or you get two months free if you buy a year at once) | 02:34 |
| Eickmeyer | I honestly don't know where Debian gets its sudo, I haven't had time to investigate. Getting ready for a major launch (I am on the Kubuntu Focus team, https://kfocus.org if your're interested). | 02:34 |
| arraybolt3 | Eickmeyer: Though they are cellular, so it probably won't be as fast as what you're using now. | 02:35 |
| arraybolt3 | Eickmeyer: I guess if it's in debian, I just have to find the Debian source code (which shouldn't be too much of a problem thanks to GPL) | 02:35 |
| Eickmeyer | Yeah, I live in the next town over from T-Mobile's HQ, but had a bad experience with the network. | 02:35 |
| Eickmeyer | Yeah, that shouldn't be hard to find. | 02:35 |
| arraybolt3 | Eickmeyer: <Sigh.> Oh well. It might work as a backup for when you hit your 1.2 TB? | 02:36 |
| arraybolt3 | Eickmeyer: I've only had them for a day so far, but I'm hammering the data hard so that I can make sure it works as advertised. | 02:36 |
| Eickmeyer | Maybe, but man, a carrier pigeon was faster. | 02:36 |
| Eickmeyer | I also am surrounded by power lines and proximity to two regional substations. | 02:37 |
| arraybolt3 | EIckmeyer: Whoa, Kubuntu Focus looks SO COOL. | 02:37 |
| Eickmeyer | I have the first generation of that machine, and for a 9th gen i7, it screams. | 02:38 |
| arraybolt3 | Eickmeyer: I live out in the middle of nowhere where the only options I have are cellular, dialup, and satellite. I'm not paying for satellexpensive, I'm not using dial-stall, and so cellular is what I've got. I'm used to kinda slow. | 02:39 |
| Eickmeyer | Yeah, I hear ya. Your best bet is cellular. In my area, cellular is crowded. | 02:39 |
| arraybolt3 | Eickmeyer: Good grief, those Kubuntu Focus things are expensive. | 02:41 |
| arraybolt3 | Eickmeyer: OK, so, bisect sudo. Sounds like a pretty good project! | 02:41 |
| Eickmeyer | Yeah, but worth it, especially if you're a data scientist. | 02:41 |
| Eickmeyer | arraybolt3: Awesome, would love to see where you get with it. | 02:41 |
| arraybolt3 | Eickmeyer: Yeah, sounds like. I toyed with the idea of a KDE Slimbook III not too long ago, but they're just too pricey. I'm perfectly fine with my HP Z220 SFF Workstation and Elitebook over here. Old, yeah, but they work for what I need. (But should I need jaw-dropping amounts of power, I think I know where I'm getting it now.) | 02:42 |
| Eickmeyer | arraybolt3: Well worth it, I had one before I joined the team. | 02:43 |
| Eickmeyer | arraybolt3: BTW, I have a HP Z220 CMT that I use as a server. | 02:46 |
| arraybolt3 | Eickmeyer: Oh nice! I've just about maxed out my SFF (got a GTX 1050 TI and a second 16 GB of RAM on the way ATM) so that Ubuntu Studio will work for what I'm doing. (Yes, I'm using Ubuntu Studio as my daily driver, thank you so much!) | 02:47 |
| Eickmeyer | arraybolt3: My pleasure, nice to see it out in the wild! | 02:47 |
| arraybolt3 | Eickmeyer: Ubuntu Studio is my go-to for powerful systems, and Lubuntu for the lower-end ones and for VMs. | 02:47 |
| arraybolt3 | I'm actually on Ubuntu Studio 21.10 (though I'm gonna upgrade to 22.04 once the new hardware gets here) | 02:47 |
| arraybolt3 | And I just finished installing 22.04 on an HP Pavilion dv7-3000. | 02:48 |
| arraybolt3 | My first experience with Linux was KXStudio 14.04, and man, I was hooked. I was somewhat sad that KXStudio didn't provide ISOs anymore... and then I found this. Wow, it's awesome. | 02:48 |
| Eickmeyer | And, it's Ubuntu through-and-through. | 02:49 |
| arraybolt3 | Kudos for sticking LMMS in this new release - I was sad when 21.10 didn't have it and I had to go grab an appimage. I see the new one's got it \o/ | 02:49 |
| Eickmeyer | We were able to up our ISO image size with this because I got the release team to start using ISO level 3 on all images, which will actually future-proof all of Ubuntu for probably several decades. | 02:51 |
| arraybolt3 | Eickmeyer: Nice. Hey, do you know off the top of your head if the KDE version of Debian Bullseye live has software-properties-qt in it or not? | 02:52 |
| Eickmeyer | That's how LMMS came back. | 02:52 |
| arraybolt3 | (If there even is a KDE version... probably should find out first) | 02:52 |
| Eickmeyer | I don't know. | 02:52 |
| Eickmeyer | I don't think there is, I think all of their live images use GNOME, but I could be wrong. | 02:52 |
| arraybolt3 | Nope, I used an LXDE image just the other day. Got it on my external HDD right now. | 02:52 |
| Eickmeyer | Interesting. I guess the only way to know is to download and find out! ¯\_(ツ)_/¯ | 02:53 |
| arraybolt3 | Yep, they've got a KDE image. I'm almost done pulling Xubuntu Kinetic, so I'll be able to pull Debian KDE live next. | 02:54 |
| arraybolt3 | Here's where I found it if you're interested: https://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/ | 02:54 |
| Eickmeyer | That reminds me, I need to start zsyncing Kinetic. | 02:55 |
| arraybolt3 | Eickmeyer: I'm noticing that, for some reason, the nVidia proprietary drivers for the GeForce 230m aren't in the Ubuntu repositories anymore - I'm going to have to get them from the Graphics Drivers PPA. This affected Lubuntu and Ubuntu Studio so far. Any clue as to why? | 02:57 |
| arraybolt3 | And also, is the PPA more recommended, or should I use the download from nVidia's site? | 02:57 |
| Eickmeyer | Hmmmm... my experience is with the 1000 series and above, so I'm not so certain. If there's a PPA, go for it, you might find the installation experience easier. Nvidia's site tends to be convoluted sometiems. | 02:59 |
| Eickmeyer | PPAs are easier because you get the keys and repo all in one command. | 02:59 |
| arraybolt3 | Eickmeyer: That's what I figured. Installing pretty much anything on Linux without a package manager is a good way to go boom if you're not careful. | 03:00 |
| Eickmeyer | Indeed. | 03:01 |
| arraybolt3 | At least I don't have to fight with Secure Boot since I'm on a BIOS system :-S | 03:02 |
| arraybolt3 | Ah, great, they're not on 22.04 yet... OK, I'm getting off topic, sorry. | 03:03 |
| Eickmeyer | It's all good. I need to get going anyhow. | 03:03 |
| arraybolt3 | Eickmeyer: For if you're interested in finding the Debian source code in the future, looks like it's at salsa.debian.org. Appears to be a GitLab instance. | 03:31 |
| arraybolt3 | Eickmeyer: Maybe I'm doing this wrong, but I installed Ubuntu Studio 22.04 in a VM, updated it, then cloned the sudo repo from Debian, downloaded the dependencies, and build and installed sudo from source. The newly compiled version wasn't taking, so I deleted /usr/bin/sudo and then symbolic linked /usr/local/bin/sudo to /usr/bin/sudo. | 06:03 |
| arraybolt3 | Eickmeyer: So here's the problematic part. In Ubuntu Studio 21.10, everything works, and it uses sudo 1.9.5p2. So I build sudo 1.9.5p2 in 22.04, and installed it... and the bug is still there. | 06:04 |
| arraybolt3 | Eickmeyer: My bad, I thought it worked in 21.10, I was wrong. Ignore me - I was getting into this screen some other way and must've forgot. | 06:04 |
| RikMills | arraybolt3: it was one of the changes in this revision that seems to have triggered the issue | 06:29 |
| RikMills | https://github.com/PackageKit/PackageKit/issues/450 | 06:29 |
| ubottu | Issue 450 in PackageKit/PackageKit "Kernel updates marked manual" [Closed] | 06:29 |
| RikMills | umm. not that. bad copy/paste | 06:29 |
| RikMills | this: https://tracker.debian.org/news/1237774/accepted-sudo-196-1exp2-source-into-experimental/ | 06:30 |
| arraybolt3 | RikMills: Well, here's the thing - I compiled almost the same version of sudo that was in Focal, and installed it from source into Jammy... and the bug is still there. | 06:31 |
| arraybolt3 | RikMills: And I made very sure that the version of sudo that was running was the one I had just compiled. | 06:31 |
| RikMills | arraybolt3: https://people.ubuntu.com/~rikmills/sudo/ | 06:32 |
| RikMills | sudo_1.9.6-1~exp1_amd64.deb is fine | 06:33 |
| RikMills | sudo_1.9.6-1~exp2_amd64.deb is broken with kdesu | 06:33 |
| arraybolt3 | RikMills: So this leads me to believe maybe sudo's interacting with something weird? I've also discovered that my Ubuntu Studio 21.10 box is exhibiting the same symptoms, even though it isn't supposed to have the problem. | 06:33 |
| arraybolt3 | RikMills: I'll try your package. | 06:33 |
| RikMills | this is for 22.04 | 06:33 |
| arraybolt3 | Agh, and right now is when I wish I had made a VM snapshot before butchering my package manager with make install... | 06:34 |
| RikMills | this is why I made debs :P | 06:34 |
| RikMills | at least for this part | 06:34 |
| arraybolt3 | RikMills: While you're right here, I installed the "bad" version of Sudo into Debian 11 Bullseye with KDE, and installed muon, and did the software sources thing, and it worked just fine. | 06:34 |
| RikMills | arraybolt3: but did you change the extra config files that debian adds in it's packaging, on top of the plain sudo from source? | 06:35 |
| RikMills | just compiling the sudo src would not do that | 06:36 |
| arraybolt3 | RikMills: No, didn't know that was a thing! I just cloned the repo, installed the dependencies, then ./configure, make, and make install. | 06:36 |
| RikMills | the change I think broke things is in the extra configs debian ship on top | 06:37 |
| arraybolt3 | RikMills: Can you give me a general idea of how to do that? Is it just, "copy this list of files before make", or what? | 06:37 |
| arraybolt3 | I could look this stuff up, but you already know and you're right here :-p | 06:37 |
| RikMills | not right now. perhaps later today, as I have to start my day very soon | 06:38 |
| arraybolt3 | RikMills: That's fine. I'll figure it out. | 06:38 |
| RikMills | ok, as it would take a while to do | 06:39 |
| arraybolt3 | RikMills: I just installed the "~exp1" package and the bug is still there. | 06:40 |
| arraybolt3 | In Ubuntu Studio 22.04 | 06:40 |
| arraybolt3 | Maybe it's just the package manager fighting with my messed-up system. I'll do further testing to see what's happening. Hopefully, if I can just get "this works, this doesn't", I can git bisect and be done. | 06:42 |
| RikMills | I will have to look later. I could quite easily toggle the breakage on and off with those packages the other day | 06:51 |
| RikMills | at least on Kubuntu 22.04 for me upgrading from the ~exp1 -> ~exp2 DOES cause the breakage. just confirmed on my 22.04 | 07:04 |
| RikMills | downgrading to the exp1 makes it work again | 07:05 |
| RikMills | right, have to run! | 07:06 |
| arraybolt3 | RikMills: OK. I'm over here fighting with Debian 11 (maybe not such a good idea), and can't even install ~exp1, so... But, I'm figuring it out! | 07:06 |
| RikMills | https://i.imgur.com/4UtxIEH.png | 07:07 |
| RikMills | exp1 on my people.ubuntu.com was compiled against Ubuntu repos, so may not be compatible with debian | 07:08 |
| arraybolt3 | RikMills: Yeah, figured as much. I'm getting ready to spin up Kubuntu 22.04 now, so I can do the testing in the right environment. | 07:09 |
| arraybolt3 | RikMills: Hey, in the sudo source from Debian's website, there's both "upstream" and "debian" branches. Will compiling a "debian" branch give me the extra config files you're talking about? 'Cause I've ben using the "upstream" ones. | 07:29 |
| RikMills | Eickmeyer: I **think** it is this commit: https://salsa.debian.org/sudo-team/sudo/-/commit/59db341d46aa4c26b54c1270e69f2562e7f3d751 | 08:21 |
| ubottu | Commit 59db341 in sudo-team/sudo "add use_pty to default configuration, fixing CVE-2005-4890" | 08:21 |
| arraybolt3 | I think I'm on the verge of finally doing the git bisect, in which case we'll hopefully find out for sure. | 08:23 |
| RikMills | simply commenting out 'Defaultsuse_pty' in /etc/sudoers makes the bug go away, even in the latest sudo in jammy | 08:25 |
| RikMills | now as adding that was a fix for a CVE, we have a problem | 08:25 |
| arraybolt3 | How are you installing your ~exp1 package? I just did it on Kubuntu 22.04, fully updated, and no dice. | 08:25 |
| RikMills | see my screenshot from a while back | 08:26 |
| RikMills | sudo apt install | 08:26 |
| arraybolt3 | Not working for me, I'll have a screenshot in a bit... | 08:28 |
| arraybolt3 | https://imgur.com/a/2dqJ6mp | 08:30 |
| arraybolt3 | This is on a fresh install + full updates and all of the development packages for building sudo (though I didn't actually build or install sudo at this point). | 08:31 |
| arraybolt3 | Running in virt-manager (QEMU/KVM). | 08:32 |
| RikMills | https://i.imgur.com/neO9Yy2.png | 08:34 |
| RikMills | clean VM ^ | 08:35 |
| RikMills | nothing changed apart from that line in sudoers | 08:35 |
| RikMills | ok, now we know what change broke things, need to find away to fix it. hopefully not requiring reverting that CVE change | 08:36 |
| arraybolt3 | So I guess it must have been those development packages. But **this** time, I made a snapshot in time! | 08:36 |
| * RikMills shrugs | 08:37 | |
| RikMills | it is consistent in my VM, that is all I can say | 08:37 |
| * arraybolt3 grumbles at still-disobedient VM | 08:38 | |
| arraybolt3 | Still isn't doing it for me. | 08:38 |
| arraybolt3 | What hypervisor are you using? | 08:39 |
| RikMills | I'll try on a real machine | 08:39 |
| arraybolt3 | FINALLY! Using the ~exp2 package and commenting out that line did it. But the ~exp1 never did work. | 08:40 |
| RikMills | maybe your sudoers config file was not getting updated for some reason | 08:41 |
| RikMills | confirmed on laptop as well | 08:41 |
| arraybolt3 | And now the ~exp1 works after all that. | 08:42 |
| arraybolt3 | What's odd was, I could see the sudoers file change after each installation. But for some reason, I had to install ~exp2, comment the line, install ~exp1, tell it to use the package maintainer's sudoers file, and then ~exp1 worked. | 08:43 |
| arraybolt3 | Whatever. It's definitely that line. | 08:43 |
| arraybolt3 | Nice going finding it! | 08:43 |
| RikMills | just a process of elimination. and I noticed most of the changes in the debian version where it broke were config file changes, which made it easier to test reversions | 08:46 |
| RikMills | and a hunch which to test 1st ;) | 08:47 |
| arraybolt3 | So now the question is why that option is causing problems. | 08:48 |
| RikMills | and what has to change to fix it. sudo or kdesu. hmmmmm.............. | 08:52 |
| arraybolt3 | Well, by manually doing kdesu from a terminal with use_pty enabled, I got this interesting error in the terminal: | 08:53 |
| arraybolt3 | https://pastebin.com/fqzuBu2h | 08:53 |
| arraybolt3 | (It's short, I was going to paste it right into IRC, but Konversation gave me a scary warning when I went to do that...) | 08:54 |
| IrcsomeBot | <RikMills> that warning has been there for many years, even when things worked | 08:56 |
| arraybolt3 | No, the bit about "unknown request: stop". | 08:56 |
| arraybolt3 | That part doesn't appear when I comment out use_pty. | 08:57 |
| arraybolt3 | (I did paste a bit too much, but I wanted to err on the side of too much data rather than not enough.) | 08:57 |
| RikMills | ah | 08:57 |
| arraybolt3 | I *think* I found the code in kdesu that's gone glitchy. I don't know C++, but I know C#, and I can kinda get the gist of what I'm looking at. | 09:03 |
| arraybolt3 | I added an annotation in the code as a comment near the end: https://pastebin.com/rRU8vd7s | 09:05 |
| arraybolt3 | I horked that out of stubprocess.cpp in kdesu from version 5.24.0 on GitHub. | 09:06 |
| arraybolt3 | (That's the version that seemed closest to the version present in Kubuntu 22.04.) | 09:06 |
| arraybolt3 | Oddly, looking at the code, it doesn't appear that kdesu_stub is ever supposed to tell kdesu "stop", even in the latest master branch. I wonder if that's something that sudo is outputting that's somehow getting kicked through kdesu_stub and into kdesu? | 09:13 |
| arraybolt3 | Well, I can't figure it out. I wish I could capture the communication between kdesu and kdesu_stub. It looks like kdesu launches kdesu_stub using sudo, and then gives it data about what to launch. I'm wondering if that's where things are breaking, since the new sudo messes with terminal stuff with use_pty. | 09:42 |
| arraybolt3 | RikMills: Do you know how to capture the stdio communication between two programs? I tried using a Bash script, a couple of fifos, and a log file, but I couldn't figure out how to intercept the communication both ways, allow the data through both ways, and capture it all. I just make kdesu freeze up trying to do this... | 09:44 |
| RikMills | not without some reading | 09:44 |
| arraybolt3 | Like, there's something I need to read, or there's a read command that needs to be used? (I tried using "read" to get the output from kdesu to feed it into kdesu_stub.) | 09:47 |
| RikMills | means I would not know where to start without my own research, so I can't offer any more insight than you can gain by doing the same | 09:48 |
| arraybolt3 | oh ok | 09:48 |
| RikMills | on this anyway | 09:48 |
| arraybolt3 | I can probably do it with C# and Mono, but my brain is way too fried to do that at this point, so I think I'll have to pick up tomorrow. Thank you for bringing me into this! This was really fun! | 09:49 |
| arraybolt3 | I should say, I was able to get software-properties-kde to launch by doing "sudo kdesu_stub" while in the directory with kdesu, and then manually typing various parameters. I just gave "no" or a blank value for anything I didn't understand, and it worked. | 09:50 |
| arraybolt3 | And this was with use_pty enabled, I believe. | 09:50 |
| BluesKaj | Hi all | 11:28 |
| Eickmeyer | RikMills, arraybolt3: I feel like since there was a CVE involved, we might think about getting the security team involved to evaluate what needs to be done. Either something needs to be fixed in kdesu to work around the CVE fix or something needs to be done more correctly in sudo. | 15:39 |
| RikMills | Eickmeyer: well, I think I might be able to fix for driver-manager. Muon/discover, maybe not | 15:40 |
| RikMills | i.e. get pkexec working for driver-manager | 15:43 |
| Eickmeyer | RikMills: Yeah, that doesn't quite fix the fundamental problem though. | 15:52 |
| RikMills | I know | 15:54 |
| Eickmeyer | RikMills: We could, in theory, surgically remove that line in our respective postinst lines using sed, but that gets sketchy at best and I hate doing that. | 15:59 |
| Eickmeyer | And I'd hate to do it without the security team's blessing. | 15:59 |
| RikMills | yes, already mentally went through that idea | 16:00 |
| Eickmeyer | Hours ahead of me as usual. Time zones don't just apply to where the sun is. :) | 16:00 |
| Eickmeyer | I posted in #ubuntu-security | 16:01 |
| === tuxifreund_ is now known as tuxifreund | ||
| arraybolt3 | Eickmeyer: That makes sense. If I'm understanding correctly, though, kdesu is doing the very thing that could exploit the CVE, so I think kdesu needs to change. (I could be wrong, but that's what it looks like to me so far. Maybe I just don't understand PTYs.) | 21:34 |
| Eickmeyer | arraybolt3: I personally don't quite understand it, but if it is exploiting the CVE (and has for decades), then it's definitely in the wrong and this needs to be brought-up in the upstream bug report that RikMills and I have been commenting on. | 21:35 |
| arraybolt3 | Eickmeyer: I currently don't have time to do it, but you might try inserting a custom executable in between kdesu and kdesu_stub and capture the communication between the two. Something is telling kdesu "stop", a command it doesn't understand during its conversation with kdesu_stub. The paste here is the error I get on the console running "./kdesu software-properties-kde" in the correct directory: https://pastebin.com/rRU8vd7s | 21:36 |
| arraybolt3 | And kdesu_stub doesn't appear to be designed to ever say "stop" in the code (though maybe I'm not understanding the code, since I don't know C++). | 21:37 |
| arraybolt3 | These are the files I was looking at: https://github.com/KDE/kdesu/blob/master/src/stubprocess.cpp https://github.com/KDE/kdesu/blob/master/src/kdesu_stub.c | 21:38 |
| Eickmeyer | I don't know C++ myself. I'm decent at bash, can stumble my way through javascript, and trip through python, but C(++) is beyond me. | 21:38 |
| valorie | this conversation should perhaps take place in #kde-devel ? | 21:39 |
| valorie | or at least on the list until you are told to move it to the security ML | 21:39 |
| Eickmeyer | valorie: We're trying to solve a kubuntu and ubuntu studio specific issue. | 21:39 |
| valorie | ah, OK | 21:39 |
| Eickmeyer | We have involved security only to get their perspective. | 21:40 |
| arraybolt3 | I should see if I can install the latest sudo into Debian 11 and then put use_pty in the sudoers file to see if it is specific to these distros or not. | 21:40 |
| Eickmeyer | And because sudo is involved. | 21:40 |
| Eickmeyer | arraybolt3: Worth a shot. | 21:40 |
| arraybolt3 | Hey, I still have my Debian 11 VM from last night! Sweet, this should be an easy test. | 21:41 |
| arraybolt3 | Alright, everyone, the bug is **not (K)Ubuntu(Studio) specific.** I just reproduced it in the latest Debian by installing sudo from source and adding the use_pty line into /etc/sudoers. | 21:54 |
| arraybolt3 | Eickmeyer: I guess that means it is a KDE issue after all? | 21:55 |
| arraybolt3 | I'll see if it's Debian-derivative-specific at all by try Fedora next. | 21:57 |
| valorie | @ahoneybun could test on whatever he's got available.... | 21:59 |
| arraybolt3 | My internet is not exactly the fastest on the planet, so the download might take a bit, but I'm pulling Fedora now. | 21:59 |
| Eickmeyer | We at least know it's Debian-specific. | 22:01 |
| Eickmeyer | Gotta go get my son from school now. | 22:01 |
| arraybolt3 | Even if this is Debian-specific, if kdesu really is accidentally using a CVE to function, it should be changed, even if the problem doesn't affect other distros. Eventually they will (or at least ought to) patch the vulnerability, and then things will break there, too. | 22:07 |
| valorie | that was sort of my point re: bringing in the KDE devels | 23:40 |
| valorie | gotta be fixed upstream one way or the other | 23:40 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!
