[sudo-users] possible sudo bug?

Wing Ho Tang Wingho.Tang at coles.com.au
Tue Nov 20 02:12:08 EST 2007


We've recently upgraded from sudo 1.5.6p4 to sudo 1.6.9p12 and have experienced some odd behaviour.. 

Previously we weren't getting errors, but now when we execute the same code we get the following:
sudo: /opt/bin/test.ksh: command not found

Setup can be illustrated as follows:

bob, who is unprivileged.. has sudo access to run anything as tony (i.e., in sudoers "bob   host=(tony) NOPASSWD: ALL")
tony, who is privileged by being in group bin.. can execute /opt/bin/test.ksh

/opt/bin directory permissions and ownership.. 
drwxrwxr--   2 bin      bin             256 Nov 20 13:50 bin  

/opt/bin/test.ksh permissions and ownership
-rwxr-x---   1 bin      bin              30 Nov 20 13:50 test.ksh

As bob, when we do the following, we get the error:
/usr/contrib/bin/sudo -H -u tony /opt/bin/test.ksh
sudo: /opt/bin/test.ksh: command not found

But.. if we do the following we can list the file as bob:
/usr/contrib/bin/sudo -H -u tony ls -al  /opt/bin/test.ksh
-rwxr-x---   1 bin      bin              30 Nov 20 13:50 test.ksh

To "fix" this, we have had to add execute permissions to the /opt/bin directory
i.e., we have had to change this:
drwxrwxr--   2 bin      bin             256 Nov 20 13:50 bin  
to this:
drwxrwxr-x   2 bin      bin             256 Nov 20 13:50 bin  


Previously, in version 1.5.6, the execute permission on the directory did not have to be set and it was working happily. 

Could this be related to change item "603 - When searching for the command, sudo now uses the effective gid of the runas user."?
I'm suspecting it is using the real gid (instead of effective gid as stated) to look at the directory the command is in and therefore failing. 


TIA!

Wing
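
Added example (not part of the original post and not sudo's code): a small model of the POSIX owner/group/other check for the execute/search bit, applied to the modes in the listings above, comparing credentials that carry group bin with credentials that do not. The numeric uid/gid values and the root:root 0755 mode on /opt are assumptions made for illustration.

```python
from dataclasses import dataclass

SEARCH = 0o1  # execute bit: "search" on a directory, "execute" on a file

@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int                         # effective gid
    groups: frozenset = frozenset()  # supplementary group vector

@dataclass(frozen=True)
class Node:
    path: str
    mode: int
    uid: int
    gid: int

def has_x(node, creds):
    """Pick exactly one permission class (owner, else group, else other).
    The uid 0 override is not modelled."""
    if creds.uid == node.uid:
        bits = node.mode >> 6
    elif node.gid == creds.gid or node.gid in creds.groups:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return bool(bits & SEARCH)

def first_unsearchable(dirs, creds):
    """Return the first directory the credentials cannot traverse, else None."""
    return next((d.path for d in dirs if not has_x(d, creds)), None)

# Constructed ids; /opt as root:root 0755 is an assumption (not shown in the post).
ROOT, BIN, USERS = 0, 2, 100
OPT = Node("/opt", 0o755, ROOT, ROOT)
OPT_BIN_BEFORE = Node("/opt/bin", 0o774, BIN, BIN)   # drwxrwxr--
OPT_BIN_AFTER = Node("/opt/bin", 0o775, BIN, BIN)    # drwxrwxr-x
SCRIPT = Node("/opt/bin/test.ksh", 0o750, BIN, BIN)  # -rwxr-x---

tony_full = Creds(1001, USERS, frozenset({BIN}))  # uid/gid plus group bin
tony_no_groups = Creds(1001, USERS)               # same uid/gid, group bin absent

if __name__ == "__main__":
    for label, creds in (("with group bin", tony_full), ("without group bin", tony_no_groups)):
        for d in (OPT_BIN_BEFORE, OPT_BIN_AFTER):
            print(label, oct(d.mode), first_unsearchable([OPT, d], creds), has_x(SCRIPT, creds))
```

With mode 0774 on /opt/bin, only credentials that include group bin can resolve names inside the directory; with 0775 any credentials can resolve the path, while execute permission on test.ksh itself still requires group bin.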


