[sudo-users] possible sudo bug?

Russell Van Tassell russell+sudo-users at loosenut.com
Tue Nov 20 04:33:57 EST 2007


On Tue, Nov 20, 2007 at 06:12:08PM +1100, Wing Ho Tang wrote:
> 
> We've recently upgraded from sudo 1.5.6p4 to sudo 1.6.9p12 and have experienced some odd behaviour.. 
> 
> Previously we weren't getting errors, but now when we execute the same code we get the following:
> sudo: /opt/bin/test.ksh: command not found
> 
>   [...]
> 
> To "fix" this, we have had to add execute permissions to the /opt/bin directory
> ie., we have had to change this:
> drwxrwxr--   2 bin      bin             256 Nov 20 13:50 bin  
> to this:
> drwxrwxr-x   2 bin      bin             256 Nov 20 13:50 bin  
> 
> 
> Previously, in version 1.5.6, the execute permission on the directory did not have to be set and it was working happily. 
> 
> Could this be related to change item "603 - When searching for the command, sudo now uses the effective gid of the runas user."?
> I'm suspecting it is using the real gid (instead of effective gid as stated) to look at the directory the command is in and therefore failing. 

Sounds not so much like a bug, but a feature... otherwise there's a
conceivable dictionary attack against a directory, I'd figure (not to
mention other things I'm sure folks might think up, were it not 4:30am
here... *laugh*)

Oh, and as per your example, looks like you added both read and execute
perms rather than simply execute -- the latter should be sufficient, I'd
think.  You might also get some utils (such as sendmail) complaining
about the unsafe group perms there, depending.

Interesting "catch" though...


-- 
Russell M. Van Tassell
russell at loosenut.com

"Some are born to move the world To live their fantasies, But most of us
 just dream about The things we'd like to be. Sadder still to watch it
 die Than never to have known it For you, the blind who once could see,
 The bell tolls for thee..."                                  - N. Peart
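The thread turns on two things: which permission class (owner, group, other) the runas user lands in for the directory, and the fact that a directory needs the execute (search) bit, not the read bit, before anything inside it can be looked up. The example below is added here and is not code from the thread or from sudo; it models the per-class check the kernel applies along a path and runs it over the two listings quoted above. The uid/gid numbers, the modes of /opt and test.ksh, and the runas user's group set are constructed assumptions.

```python
import os

# Constructed sample identities (assumptions, not taken from the thread).
UID_BIN, GID_BIN = 2, 2          # owner of /opt/bin in the quoted listing
UID_APP, GID_APP = 1001, 1001    # the runas user sudo switches to


def parse_ls_mode(ls_mode):
    """Turn an `ls -l` mode string such as 'drwxrwxr--' into the 9 permission bits.
    's'/'t' count as execute set, 'S'/'T' as execute clear (setuid/sticky ignored here)."""
    bits = 0
    for ch in ls_mode[1:10]:
        bits = (bits << 1) | (1 if ch in "rwxst" else 0)
    return bits


def subject_class(owner_uid, owner_gid, uid, gids):
    """Classic Unix class selection: owner, else group, else other.
    `gids` is the set of group ids the subject carries (effective gid
    plus supplementary groups); which gid is in that set is exactly the
    point the original question raises."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in gids:
        return "group"
    return "other"


def allowed(mode_bits, owner_uid, owner_gid, uid, gids, want):
    """Check one of 'r', 'w', 'x' for the class the subject falls into.
    uid 0 is not special-cased; the kernel grants root search permission regardless."""
    shift = {"owner": 6, "group": 3, "other": 0}[subject_class(owner_uid, owner_gid, uid, gids)]
    bit = {"r": 4, "w": 2, "x": 1}[want]
    return bool((mode_bits >> shift) & bit)


def can_reach_command(entries, uid, gids):
    """entries: list of (path, ls_mode, owner_uid, owner_gid) from the top
    directory down to the command file. Every directory must grant search ('x'),
    and the command itself must be executable. Returns (ok, first_failing_path)."""
    for path, ls_mode, owner_uid, owner_gid in entries:
        if not allowed(parse_ls_mode(ls_mode), owner_uid, owner_gid, uid, gids, "x"):
            return False, path
    return True, None


# Constructed from the listing quoted in the thread; /opt and test.ksh modes are assumed.
BEFORE = [
    ("/opt",              "drwxr-xr-x", 0,       0),
    ("/opt/bin",          "drwxrwxr--", UID_BIN, GID_BIN),
    ("/opt/bin/test.ksh", "-rwxr-xr-x", UID_BIN, GID_BIN),
]
AFTER = [
    ("/opt",              "drwxr-xr-x", 0,       0),
    ("/opt/bin",          "drwxrwxr-x", UID_BIN, GID_BIN),
    ("/opt/bin/test.ksh", "-rwxr-xr-x", UID_BIN, GID_BIN),
]


if __name__ == "__main__":
    # Runas user outside group bin falls into "other": r-- on /opt/bin blocks the lookup.
    print("before, gid set {1001}:", can_reach_command(BEFORE, UID_APP, {GID_APP}))
    # Adding only the execute bit for "other" is enough; no read bit is needed.
    print("after,  gid set {1001}:", can_reach_command(AFTER, UID_APP, {GID_APP}))
    # If the gid used for the check were bin, the group class (rwx) would already pass.
    print("before, gid set {2}:   ", can_reach_command(BEFORE, UID_APP, {GID_BIN}))
    print("current process gids:", sorted(os.getgroups()))
```

The third call is the one to look at for the original question: with the same directory modes, the outcome flips depending solely on whether the gid set used for the lookup contains the directory's group, so comparing the runas user's effective gid against the directory owner's group tells you which class sudo's lookup is actually being evaluated in.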
