[sudo-users] Strange behavior when execute bit is missing

Josef Wolf jw at raven.inka.de
Mon Apr 24 16:10:10 EDT 2006

Thanks for your answer, Bob!

On Sun, Apr 23, 2006 at 09:50:24AM -0600, Bob Proulx wrote:
> > I have the following line in /etc/sudoers:
> >   naclt ALL = NOPASSWD: /usr/local/bin/naclient
> Seems reasonable to me.
> > This (perl) script is meant to be executed from a different host's crontab
> > via
> > 
> >   ssh -i foobar naclt at host.do.main sudo /usr/local/bin/naclient parameters
> Okay.
> What is the #! line in your script?

  #! /usr/bin/perl -wT

I don't think it is a problem with the shebang, since it works as expected
when mode is correctly set to 700.

> > By accident, I have installed /usr/local/bin/naclient with mode 600 instead
> > of mode 700.  With this, sudo hangs waiting for the password, effectively
> > ignoring my NOPASSWD: setting.  Since this was executed from cron, I had
> > lots of hanging processes.
> I am curious what command is logged to /var/log/auth.log, if any
> messages are logged there.

   sudo:   naclt : TTY=unknown ; PWD=/home/naclt ; USER=root ; COMMAND=/usr/local/bin/naclient

> Mode 0600 is only readable by the user of the file.  Is the user of
> the file 'naclt'?  Because otherwise it would be unreadable.

   -rw-------  1 root  naclt 8779 Apr 20 23:19 naclient

I don't understand why this should make any difference.  It works as
expected with mode 700 (since target user root can execute).  But it
asks for a password with mode 600 (since target user root can read, but
can't execute).  Sudo should not ask for a password (since there's nobody
who could supply a password from the crontab).  Instead, it should error
out with "permission denied" or something like that.

I don't understand why naclt should be able to read/execute the file
when it is meant to be run as root.  I don't want the file to be
readable/executable by non-root (call me paranoid ;-)

> > I would have expected something like "No permission" error if the target
> > user (root in this case) don't have sufficient permissions to execute the
> > program.
> > 
> > BTW: this is sudo-1.6.8p7 on debian sarge.
> I tried your example on my system and I could not recreate the exact
> problem that you reported.
>   ls -ldog /usr/local/bin/naclient
>   -rw-r--r--  1 51 2006-04-23 09:44 /usr/local/bin/naclient
>   cat /usr/local/bin/naclient
>   #!/usr/bin/perl
>   print "Hello from perl script\n";
>   sudo /usr/local/bin/naclient
>   sudo: /usr/local/bin/naclient: command not
                                               ^^^^^ ??
Is this "command not found"?  I don't understand this, too.  The command
is in place.  But it can't be executed since the executable bit is missing.

I just tried with mode 644, and it asks for password again.

> This makes me believe there is
> something interesting about your #! line which is pertinent in this
> case.  Can you check it?  I think somehow sudo is being invoked on a
> different command.

I checked, and it looks OK to me.  And it works as expected with mode 700.

PS: As a workaround, it would be sufficient if the password prompt would
time out (thus avoiding endless hang).  Is there a way to specify a timeout
for the password prompt?

More information about the sudo-users mailing list