[sudo-users] Strange behavior when execute bit is missing

Bob Proulx bob at proulx.com
Mon Apr 24 17:46:31 EDT 2006


Josef Wolf wrote:
> > >   naclt ALL = NOPASSWD: /usr/local/bin/naclient
> > >   ssh -i foobar naclt at host.do.main sudo /usr/local/bin/naclient parameters
> > Mode 0600 is only readable by the user of the file.  Is the user of
> > the file 'naclt'?  Because otherwise it would be unreadable.
> 
>    -rw-------  1 root  naclt 8779 Apr 20 23:19 naclient
> 
> I don't understand why this should make any difference.

I was incorrectly thinking that the sudo was to a non-root user and
expecting the file not to be readable.  But you are right, the root
user can read it here regardless.

> It works as expected with mode 700 (since target user root can
> execute).  But it asks for a password with mode 600 (since target
> user root can read, but can't execute).  Sudo should not ask for a
> password (since there's nobody who could supply a password from the
> crontab).  Instead, it should error out with "permission denied" or
> something like that.

> > > BTW: this is sudo-1.6.8p7 on debian sarge.

I don't see that with my installation of Debian Sarge stable. (shrug)
Unless someone else has ideas I think you will need to dig into it
deeper to figure out more.  But I get "command not found" when I try
it.  I find it very strange that your system and mine are producing
different results.  I think they should behave the same.

Try using strace.

  sudo strace -o /root/sudo.trace.out sudo /usr/local/bin/naclient parameters

There may be something useful in the system trace.  Don't know.  You
will need to sudo the strace because the strace of the sudo will not
have the suid bit anymore.

> >   sudo /usr/local/bin/naclient
> >   sudo: /usr/local/bin/naclient: command not
>                                                ^^^^^ ??
> Is this "command not found"?  I don't understand this either.  The command
> is in place.  But it can't be executed since the executable bit is missing.

Sorry, I must have had a cut and paste error and did not notice.  Yes, it
is "command not found".

> PS: As a workaround, it would be sufficient if the password prompt would
> time out (thus avoiding endless hang).  Is there a way to specify a timeout
> for the password prompt?

Don't know.

Bob
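An added example (not from this thread) that models the check behind Bob's "command not found": sudo resolves an absolute command path to a regular file that has at least one execute bit, and a root-owned mode 0600 file fails that test before any password or NOPASSWD decision is reached. The function name and messages are mine, and the regular-file-plus-execute-bit rule is my reading of sudo's command lookup, not a quote of its source; it can be dropped into a cron wrapper so a job refuses to call sudo at all when the target would not run.

```shell
# check_sudo_cmd PATH
# Returns 0 when sudo would find the command (regular file, some execute
# bit set) and go on to evaluate the sudoers rule, 1 when sudo would print
# "command not found".  Works for the mode 0600 vs 0700 case from the thread.
check_sudo_cmd() {
    cmd=$1
    # No regular file behind the path (missing, directory, broken link).
    if [ ! -f "$cmd" ]; then
        echo "$cmd: not a regular file -> sudo reports: command not found"
        return 1
    fi
    # Read the symbolic mode (follow symlinks) rather than using test -x:
    # as root, -x is true for any file, which hides exactly the 0600 case.
    perms=$(ls -ldL "$cmd" | cut -c1-10)
    case $perms in
        *[xst]*)
            # Lowercase x/s/t means an execute bit is set for some class.
            echo "$cmd ($perms): executable -> sudo continues to the sudoers check"
            return 0 ;;
        *)
            # Readable by root is not enough; e.g. -rw------- gives this.
            echo "$cmd ($perms): no execute bit -> sudo reports: command not found"
            return 1 ;;
    esac
}

# Cron-safe wrapper (hypothetical): only invoke sudo when the command
# would actually be found, so a job never sits on a password prompt.
run_via_sudo() {
    check_sudo_cmd "$1" >/dev/null || return 1
    sudo "$@"
}
```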