sudo and links

Todd C. Miller Todd.Miller at
Tue Sep 19 23:46:38 EDT 2000

In message <Pine.SGI.4.21.0009191753230.35367-100000 at>
	so spake Steve Freed (sfreed):

> I'm trying to figure out how sudo handles links.
> Example:
>  % ls -log /usr/bin/chown
>    lrwxr-xr-x    1      16 Dec 23  1999 /usr/bin/chown -> /sbin/chown
>  % ls -log /sbin/chown
>    -rwxr-xr-x    1   14104 Oct  1  1999 /sbin/chown*
> If a user has permission to execute /usr/bin/chown as root in sudo, will
> it work? Even if they don't have permission for /sbin/chown?
> If they have permission for /sbin/chown but not /usr/bin/chown what
> then? Does it follow the link and let them?
> I can see arguements for having it both ways. Which way does it really
> work?

It follows the link.  Sudo stats the file in question and compares
it to commands listed in sudoers with the same basename.  To see
if the files are the same it stats the two files and compares the
device and inode numbers.

 - todd

More information about the sudo-users mailing list