FS#47052 - [pam] [sudo] policy plugin failed session initialization

Attached to Project: Arch Linux
Opened by Justin Dray (justin8) - Thursday, 12 November 2015, 21:14 GMT
Last edited by Evangelos Foutras (foutrelis) - Monday, 16 November 2015, 22:43 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Tobias Powalowski (tpowa)
Evangelos Foutras (foutrelis)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
The sudo package inside of docker containers has the below error when using 1.8.15:
sudo: policy plugin failed session initialization

Downgrading to 1.8.14 makes it work as before.

Additional info:
* package version(s) 1.8.15
* config and/or log files etc.


Steps to reproduce:
docker run --rm --entrypoint=/bin/bash justin8/makepkg
> su build-user -
> sudo -Ps
sudo: policy plugin failed session initialization

I am using 1.8.15 on my laptop and it is not causing issues there. The sudoers file contains the following 2 lines:
root ALL=(ALL) ALL
build-user ALL=(ALL) NOPASSWD: ALL

and the user was created with the below:
useradd -d /build build-user

Closed by Evangelos Foutras (foutrelis)
Monday, 16 November 2015, 22:43 GMT
Reason for closing: Fixed
Additional comments about closing: pam 1.2.1-3
Comment by Justin Dray (justin8) - Thursday, 12 November 2015, 21:28 GMT
I updated my image to use the old sudo; but running `pacman -Sy sudo` will cause the breakage to return.
Comment by Doug Newgard (Scimmia) - Friday, 13 November 2015, 03:26 GMT
The fact that you'd even think to run pacman -Sy sudo tells me that this is almost certainly a partial update problem.
Comment by Justin Dray (justin8) - Friday, 13 November 2015, 05:00 GMT
Please read the rest of the bug. pacman -Syu was run maybe... 3 hours ago, and then pacman -U sudo-1.8.14* right after to fix the issue. Feel free to replace pacman -Sy sudo with pacman -Syu and see the same bug.
Comment by n0rad (n0rad) - Friday, 13 November 2015, 12:13 GMT
Same here
Comment by binhex (binhex) - Friday, 13 November 2015, 13:00 GMT
Add me to the list of people with this issue, output from docker build shown here (line 567 is the critical error):-

http://pastebin.com/fXG9aeN9

Link to issue posted on arch forum here:-

https://bbs.archlinux.org/viewtopic.php?id=204993

Rolling back to sudo-1.8.14.p3-2 fixes the issue.
Comment by Evangelos Foutras (foutrelis) - Friday, 13 November 2015, 13:12 GMT
The relevant change in sudo 1.8.15 is: "Sudo now refuses to run a command if the PAM session module returns an error."

The issue is that pam_limits.so fails to apply the rules found in /etc/security/limits.conf due to insufficient privileges (the "* - nice 0" line in particular).

@tpowa: I'd be very much in favor of dropping all the additions we make to limits.conf; if you think that's too much, we should at least drop the rules that apply to all users (and only keep the @audio ones).
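
An added diagnostic for the failure described in the comment above (not part of the original report, and not sudo or pam code): it flags limits.conf rules that ask for a hard rlimit above the process's current one when CAP_SYS_RESOURCE is missing, which is how this example assumes the "insufficient privileges" error arises. Apart from "* - nice 0", the sample rules and limits are constructed, and which users a rule matches is not modelled.

```python
import resource

CAP_SYS_RESOURCE = 24  # bit index in the CapEff mask (linux/capability.h)
# limits.conf items this example models, mapped to their rlimit names
ITEMS = {"nice": "RLIMIT_NICE", "rtprio": "RLIMIT_RTPRIO", "nofile": "RLIMIT_NOFILE"}

def has_cap_sys_resource(status_text):
    """Check the CapEff line of /proc/self/status for CAP_SYS_RESOURCE."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_SYS_RESOURCE) & 1)
    return False

def wanted_hard(item, value):
    """Hard rlimit a rule asks for; pam_limits maps nice N to rlimit 20 - N."""
    if item != "nice" and value in ("unlimited", "infinity"):
        return float("inf")
    n = int(value)
    return 20 - max(-20, min(19, n)) if item == "nice" else n

def failing_rules(conf_text, hard_limits, privileged):
    """Return (domain, item, value) for rules that raise a hard limit above
    the current one, which setrlimit() refuses without CAP_SYS_RESOURCE."""
    bad = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if privileged or len(fields) != 4 or fields[2] not in ITEMS:
            continue
        domain, kind, item, value = fields
        current = hard_limits[item]
        if kind in ("-", "hard") and current != resource.RLIM_INFINITY \
                and wanted_hard(item, value) > current:
            bad.append((domain, item, value))
    return bad

# Constructed sample: the first rule is the one quoted in the comment above,
# the @audio rule and the hard limits are made up for illustration.
SAMPLE_CONF = "* - nice 0\n@audio - rtprio 65\n* soft nofile 1024  # soft only\n"
SAMPLE_LIMITS = {"nice": 0, "rtprio": 0, "nofile": 4096}

if __name__ == "__main__":
    # Run inside the container: compare the real limits.conf with live limits.
    limits = {k: resource.getrlimit(getattr(resource, v))[1] for k, v in ITEMS.items()}
    with open("/proc/self/status") as f:
        priv = has_cap_sys_resource(f.read())
    with open("/etc/security/limits.conf") as f:
        for rule in failing_rules(f.read(), limits, priv):
            print("pam_limits would fail on:", *rule)
```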
Comment by Evangelos Foutras (foutrelis) - Saturday, 14 November 2015, 14:25 GMT
I noticed that the JACK packages include the required pam_limits.so configuration themselves, so I've pushed pam 1.2.1-3 to [testing] with an unmodified limits.conf. [1]

sudo 1.8.15 should once again work in Docker containers. (pam 1.2.1-3 will stay in [testing] for a few days till it gets the required signoffs.)

[1] https://lists.archlinux.org/pipermail/arch-commits/2015-November/299983.html
