NFS home dirs and sudo

Rudert, Thomas Thomas.Rudert at drkw.com
Tue Jul 30 06:20:33 EDT 2002


Howard,

Sorry for my late reply and many thanks for your effort.

The script works with commands like "more" and "find", but does not come
back with anything if you want to use "vi", "visudo" or "format", so I have
to interrupt the command.
In the case when I tried visudo, I got the following error message back:

/usr/local/sbin/visudo: Editor (/usr/bin/vi) failed, /etc/sudoers unchanged.

It sounds like an environment problem, but at the moment I am a bit lost
as to what it could be.

Any more ideas?

Thanks again,

Thomas 

> -----Original Message-----
> From:	Howard Owen [SMTP:hbo at egbok.com]
> Sent:	Sunday, July 28, 2002 02:55
> To:	Rudert, Thomas
> Cc:	'sudo-users at sudo.ws'
> Subject:	Re: NFS home dirs and sudo 
> 
> Hmm. This acts like the attempt to read the cwd is always done by
> root regardless. Perhaps he does have an older version...
> 
> Thomas, it sounds like the root (heh) cause of your problem is that your
> NFS mounted home has root mapped to nobody. This means that accesses
> to your home by root are mapped to a user with no privs at all. This
> is a common way to increase the security of NFS servers. If root could
> write to the directories these servers export, then root on a client
> could do bad things to the shares.
> 
> Todd says more recent versions of sudo may prevent you from seeing the
> error, because these versions try to read the CWD as the user, before
> trying as root. He also adds the caveat that programs you run with sudo,
> and therefore as root, may get cranky if they can't read the CWD. A
> workaround could be something like the following Perl script:
> 
> #!/usr/bin/perl
> chomp($pwd=`/bin/pwd`); # works on Linux, BSD and Solaris; strip the trailing newline
> if ($pwd=~/^\Q$ENV{HOME}\E(\/|$)/) { # is the current dir under my home?
>   chdir "/tmp"; # go somewhere root can read
>   $chdired=1; # and flag that we did so
> }
> $cmd=join " ", @ARGV; # all the arguments. (perl doesn't put prog name in $ARGV[0])
> print `sudo $cmd`; # execute the command with sudo
> chdir $pwd if ($chdired); # cd back if we cd'd in the first place.
> 
> 
> --On Friday, July 26, 2002 04:46:40 PM -0600 "Todd C. Miller" 
> <Todd.Miller at courtesan.com> wrote:
> 
> > That shouldn't be a fatal error--at least not in recent versions
> > of sudo.  Sudo will try to get the current working directory first
> > as the calling user, and, if that fails, as root.  If that didn't
> > work it will print "sudo: Can't get working directory!" and continue.
> > Note, however, that not all commands are happy about not being able
> > to read the current working directory.
> >
> >  - todd
> 
> 
> 
> Howard Owen                    "Even if you are on the right
> EGBOK Consultants               track, you'll get run over if you
> hbo at egbok.com  +1-650-339-5733  just sit there." - Will Rogers
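
An added example, not code from this thread or from the sudo project: a POSIX sh form of the wrapper idea quoted above that uses `exec` instead of backticks, so sudo inherits the caller's terminal (backticks capture stdout into a pipe, which leaves a full-screen program such as vi nothing to draw on) and the arguments reach sudo without being re-parsed by a shell. `SUDO_BIN` and `SAFE_DIR` are hypothetical names introduced here; `/tmp` as the root-readable directory follows the quoted script.

```shell
#!/bin/sh
# Added example. SUDO_BIN and SAFE_DIR are hypothetical knobs introduced
# here so the wrapper can be exercised without a real sudo.

# under_home DIR HOME: true if DIR is HOME itself or below it.
# Comparing with a trailing "/" keeps /home/tommy from matching
# HOME=/home/tom; an empty HOME never matches.
under_home() {
    [ -n "$2" ] || return 1
    case "$1/" in
        "${2%/}"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_cwd DIR HOME: print the directory the command should start in.
# Under a root-squashed NFS home, root cannot read DIR, so fall back
# to a local directory that root can read.
pick_cwd() {
    if under_home "$1" "$2"; then
        printf '%s\n' "${SAFE_DIR:-/tmp}"
    else
        printf '%s\n' "$1"
    fi
}

# sudo_safe_cwd CMD [ARG...]: run CMD through sudo from a safe cwd.
# The body is a subshell, so the caller's own working directory is
# untouched. exec hands stdin/stdout/stderr to sudo unchanged, and
# "$@" keeps each argument intact (no join, no second shell parse).
sudo_safe_cwd() (
    dir=$(pick_cwd "$(pwd -P)" "$HOME") || exit 1
    cd "$dir" || exit 1
    exec "${SUDO_BIN:-sudo}" "$@"
)
```

Source the file and call, for example, `sudo_safe_cwd visudo`. Relative file names on the command line are resolved from the fallback directory, not from the directory the caller was in.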

