[sudo-users] One logic, two results

Vladimir A. Pavlov pv4 at bk.ru
Sat Jul 1 12:42:37 EDT 2006

Hi, all!

I am trying to create a secure Linux system and sudo is supposed to help me in 
doing so.

But when running/configuring sudo I have a problem with certain 
folder/file permissions.

I have the following hierarchy which seems to be secure enough for the 
purposes it would be used for
rwxr-xr-x		root:root		/
rwx--x--x		root:root		/folder1/
rwx--x---		root:group		/folder1/folder2/
rwx--x---		root:group		/folder1/folder2/prog

Then I'd like to execute the prog upon system start as follows
sudo -u user /folder1/folder2/prog

To accomplish this I
1. added user "user" to group "group"
2. created the following /etc/sudoers (note, it contains _only_ this 

root	localhost = (user) /folder1/folder2/prog

And... when running the command mentioned above I got "Sorry, user root 
is not allowed to execute '/folder1/folder2/prog' as user on 

Note please that both "root" and "user" can execute the command simply 
from the bash prompt because 
a) it's executable by "root" and belongs to it
b) it's executable by "user"'s group (which is "group")
c) I checked this :)

Then I found two different ways to solve the problem (you can use 
_either_ the first or the second one):
1. add "root" to group "group"
2. replace the shown record in /etc/sudoers with this one

root	localhost = (user) ALL

The latter way is rather stupid because in this case "root" can run any 
command as "user" whereas in the case of the original /etc/sudoers it could 
run only the command that was really needed.

Logically both /etc/sudoers files are _similar_ while the results they 
give are quite opposite.

1. Is it a sudo bug or do I misunderstand something?
2. If it's my fault, can you please recommend a way to solve the 
problem (for example, please tell me which of the found ways is the 
"standard" one).

btw, I use sudo-1.6.8p12.

Nothing but perfection
