Don't pass an invalid session or process group ID to the plugin.

Fixes a regression in 1.8.28 when there is no terminal session leader.

NEWS

@@ -21,6 +21,10 @@ What's new in Sudo 1.8.29
    problems caused by insufficient resources, such as an inability to
    allocate memory or open files and pipes.
 
+ * Fixed a regression introduced in sudo 1.8.28 where sudo would refuse
+   to run if the parent process was not associated with a session.
+   This was due to sudo passing a session ID of -1 to the plugin.
+
 What's new in Sudo 1.8.28p1
 
  * The fix for Bug #869 caused "sudo -v" to prompt for a password

plugins/sudoers/policy.c

@@ -104,7 +104,6 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
     char * const *cur;
     const char *p, *errstr, *groups = NULL;
     const char *remhost = NULL;
-    bool uid_set = false, gid_set = false;
     int flags = 0;
     debug_decl(sudoers_policy_deserialize_info, SUDOERS_DEBUG_PLUGIN)
 
@@ -333,6 +332,9 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 #endif
     }
 
+    user_gid = (gid_t)-1;
+    user_sid = (pid_t)-1;
+    user_uid = (gid_t)-1;
     user_umask = (mode_t)-1;
     for (cur = info->user_info; *cur != NULL; cur++) {
 	if (MATCHES(*cur, "user=")) {
@@ -348,7 +350,6 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
 	    }
-	    uid_set = true;
 	    continue;
 	}
 	if (MATCHES(*cur, "gid=")) {
@@ -358,7 +359,6 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
 	    }
-	    gid_set = true;
 	    continue;
 	}
 	if (MATCHES(*cur, "groups=")) {
@@ -439,11 +439,11 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 	sudo_warnx(U_("user name not set by sudo front-end"));
 	goto bad;
     }
-    if (!uid_set) {
+    if (user_uid == (uid_t)-1) {
 	sudo_warnx(U_("user-ID not set by sudo front-end"));
 	goto bad;
     }
-    if (!gid_set) {
+    if (user_gid == (gid_t)-1) {
 	sudo_warnx(U_("group-ID not set by sudo front-end"));
 	goto bad;
     }

src/sudo.c

@@ -553,12 +553,18 @@ get_user_info(struct user_details *ud)
 	goto oom;
     if (asprintf(&user_info[++i], "ppid=%d", (int)ud->ppid) == -1)
 	goto oom;
-    if (asprintf(&user_info[++i], "pgid=%d", (int)ud->pgid) == -1)
+    if (ud->pgid != -1) {
-	goto oom;
+	if (asprintf(&user_info[++i], "pgid=%d", (int)ud->pgid) == -1)
-    if (asprintf(&user_info[++i], "tcpgid=%d", (int)ud->tcpgid) == -1)
+	    goto oom;
-	goto oom;
+    }
-    if (asprintf(&user_info[++i], "sid=%d", (int)ud->sid) == -1)
+    if (ud->tcpgid != -1) {
-	goto oom;
+	if (asprintf(&user_info[++i], "tcpgid=%d", (int)ud->tcpgid) == -1)
+	    goto oom;
+    }
+    if (ud->sid != -1) {
+	if (asprintf(&user_info[++i], "sid=%d", (int)ud->sid) == -1)
+	    goto oom;
+    }
     if (asprintf(&user_info[++i], "uid=%u", (unsigned int)ud->uid) == -1)
 	goto oom;
     if (asprintf(&user_info[++i], "euid=%u", (unsigned int)ud->euid) == -1)