[sudo-users] Strange behavior when execute bit is missing
jw at raven.inka.de
Mon Apr 24 16:10:10 EDT 2006
Thanks for your answer, Bob!
On Sun, Apr 23, 2006 at 09:50:24AM -0600, Bob Proulx wrote:
> > I have the following line in /etc/sudoers:
> > naclt ALL = NOPASSWD: /usr/local/bin/naclient
> Seems reasonable to me.
> > This (perl) script is meant to be executed from a different host's crontab
> > via
> > ssh -i foobar naclt at host.do.main sudo /usr/local/bin/naclient parameters
> What is the #! line in your script?
#! /usr/bin/perl -wT
I don't think it is a problem with the shebang, since it works as expected
when mode is correctly set to 700.
> > By accident, I have installed /usr/local/bin/naclient with mode 600 instead
> > of mode 700. With this, sudo hangs waiting for the password, effectively
> > ignoring my NOPASSWD: setting. Since this was executed from cron, I had
> > lots of hanging processes.
> I am curious what command is logged to /var/log/auth.log, if any
> messages are logged there.
sudo: naclt : TTY=unknown ; PWD=/home/naclt ; USER=root ; COMMAND=/usr/local/bin/naclient
> Mode 0600 is only readable by the user of the file. Is the user of
> the file 'naclt'? Because otherwise it would be unreadable.
-rw------- 1 root naclt 8779 Apr 20 23:19 naclient
I don't understand why this should make any difference. It works as
expected with mode 700 (since target user root can execute). But it
asks for a password with mode 600 (since target user root can read, but
can't execute). Sudo should not ask for a password (since there's nobody
who could supply a password from the crontab). Instead, it should error
out with "permission denied" or something like that.
I don't understand why naclt should be able to read/execute the file
when it is meant to be run as root. I don't want the file to be
readable/executable by non-root (call me paranoid ;-)
> > I would have expected something like "No permission" error if the target
> > user (root in this case) doesn't have sufficient permissions to execute the
> > program.
> > BTW: this is sudo-1.6.8p7 on debian sarge.
> I tried your example on my system and I could not recreate the exact
> problem that you reported.
> ls -ldog /usr/local/bin/naclient
> -rw-r--r-- 1 51 2006-04-23 09:44 /usr/local/bin/naclient
> cat /usr/local/bin/naclient
> print "Hello from perl script\n";
> sudo /usr/local/bin/naclient
> sudo: /usr/local/bin/naclient: command not
Is this "command not found"? I don't understand this either. The command
is in place. But it can't be executed since the executable bit is missing.
I just tried with mode 644, and it asks for a password again.
> This makes me believe there is
> something interesting about your #! line which is pertinent in this
> case. Can you check it? I think somehow sudo is being invoked on a
> different command.
I checked, and it looks OK to me. And it works as expected with mode 700.
PS: As a workaround, it would be sufficient if the password prompt timed
out (thus avoiding the endless hang). Is there a way to specify a timeout
for the password prompt?
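The trap in this thread is that sudo only treats a path as a matching sudoers command when it is a regular file with at least one execute bit set, so a mode 0600 script never matches its NOPASSWD rule and sudo falls back to prompting. The audit script below is an added example (not from the original thread or from the sudo project) that walks the NOPASSWD entries of a sudoers-style file and reports commands that would fail that check; file names and the sample sudoers layout are constructed.

```shell
#!/bin/sh
# Audit NOPASSWD: entries for commands sudo could not match: sudo requires a
# regular file with some execute bit set before a sudoers command matches.

# Return 0 if $1 is a regular file with any execute bit set, else 1.
sudoers_cmd_ok() {
    [ -f "$1" ] || return 1
    # permission string without the leading file-type character, e.g. rwx------
    perms=$(ls -ld "$1" | cut -c2-10)
    case $perms in
        *[xst]*) return 0 ;;   # x, or s/t which imply execute
        *) return 1 ;;
    esac
}

# Print every absolute command path named in a NOPASSWD: entry of file $1
# that fails sudoers_cmd_ok, one per line. Comment lines are ignored and
# arguments after the command (e.g. "parameters") are dropped.
audit_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" | grep 'NOPASSWD:' \
      | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' \
      | while read -r cmd rest; do
            case $cmd in
                /*) sudoers_cmd_ok "$cmd" || printf '%s\n' "$cmd" ;;
            esac
        done
}

# Self-contained demo on a constructed layout (not the poster's real files):
# one 0700 script, one 0600 script and one missing path.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'echo ok\n' > "$tmp/naclient_good"; chmod 700 "$tmp/naclient_good"
    printf 'echo ok\n' > "$tmp/naclient_bad";  chmod 600 "$tmp/naclient_bad"
    cat > "$tmp/sudoers" <<EOF
# constructed sample sudoers
naclt ALL = NOPASSWD: $tmp/naclient_good parameters
naclt ALL = NOPASSWD: $tmp/naclient_bad, $tmp/missing
EOF
    audit_nopasswd "$tmp/sudoers"
    rm -rf "$tmp"
}

demo
```

Running the script lists only the 0600 script and the missing path; the 0700 script passes, matching the behaviour reported above.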