[sudo-users] possible sudo bug?

Wing Ho Tang Wingho.Tang at coles.com.au
Tue Nov 20 20:11:31 EST 2007


I totally agree that execute permissions alone is adequate.. but this is how the guys who look after the app have set up their permissions... 
it's only failed on this PROD system cos on every other system they have execute set for other!
For some reason they wanted more security on PROD, hence the execute bit for other was not set and sudo was happy.. but it ain't happy no more.. :(  
ah well.. I told them they'll just have to live with the execute bit on other.. 
My concern is that other stuff configured in a similar way may break without us knowing...grrr...

cheers,
wing

-----Original Message-----
From: Russell Van Tassell [mailto:russell+sudo-users at loosenut.com]
Sent: Tuesday, 20 November 2007 8:34 PM
To: Wing Ho Tang
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] possible sudo bug?


On Tue, Nov 20, 2007 at 06:12:08PM +1100, Wing Ho Tang wrote:
> 
> We've recently upgraded from sudo 1.5.6p4 to sudo 1.6.9p12 and have experienced some odd behaviour.. 
> 
> Previously we weren't getting errors, but now when we execute the same code we get the following:
> sudo: /opt/bin/test.ksh: command not found
> 
>   [...]
> 
> To "fix" this, we have had to add execute permissions to the /opt/bin directory
> ie., we have had to change this:
> drwxrwxr--   2 bin      bin             256 Nov 20 13:50 bin  
> to this:
> drwxrwxr-x   2 bin      bin             256 Nov 20 13:50 bin  
> 
> 
> Previously, in version 1.5.6, the execute permission on the directory did not have to be set and it was working happily. 
> 
> Could this be related to change item "603 - When searching for the command, sudo now uses the effective gid of the runas user."?
> I'm suspecting it is using the real gid (instead of effective gid as stated) to look at the directory the command is in and therefore failing. 

Sounds not so much like a bug, but a feature... otherwise there's a
conceivable dictionary attack against a directory, I'd figure (not to
mention other things I'm sure folks might think up, were it not 4:30am
here... *laugh*)

Oh, and as per your example, looks like you added both read and execute
perms rather than simply execute -- the latter should be sufficient, I'd
think.  You might also get some utils (such as sendmail) complaining
about the unsafe group perms there, depending.

Interesting "catch" though...


-- 
Russell M. Van Tassell
russell at loosenut.com

"Some are born to move the world To live their fantasies, But most of us
 just dream about The things we'd like to be. Sadder still to watch it
 die Than never to have known it For you, the blind who once could see,
 The bell tolls for thee..."                                  - N. Peart
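As an added illustration (not code from this thread or from sudo itself), a small Python model of the directory-search check behind the "command not found" above: it takes ls-style mode strings like those in the quoted listing plus constructed identities (uid 2/gid 2 for bin, uid 1000 for an ordinary user) and reports whether a PATH lookup running under that identity may even reach a file inside /opt/bin. It models only the directory permission step, not the file lookup itself.

```python
import stat

# Constructed for this example: /opt/bin is owned by bin:bin (uid 2, gid 2),
# with the PROD mode from the thread and the mode it was changed to.
PROD_PATH = [("/opt/bin", "drwxrwxr--", 2, 2)]
FIXED_PATH = [("/opt/bin", "drwxrwxr-x", 2, 2)]
EXEC_ONLY_PATH = [("/opt/bin", "drwxrwx--x", 2, 2)]  # the "just execute" variant

PERM_FLAGS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
              stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
              stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

def parse_ls_mode(s):
    """Turn an ls(1) mode string such as 'drwxrwxr--' into permission bits."""
    if len(s) != 10:
        raise ValueError("expected a 10-character ls mode string")
    bits = 0
    for ch, flag in zip(s[1:], PERM_FLAGS):
        if ch != "-":          # 'x', 's' and 't' all imply the execute bit here
            bits |= flag
    return bits

def can_search(mode, dir_uid, dir_gid, uid, gids):
    """Classic Unix rule: may identity (uid, gids) traverse this directory?
    Root bypasses the check; otherwise exactly one class (owner, group,
    other) is consulted, so a group member never falls through to 'other'."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IXUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def find_command(name, path_dirs, uid, gids):
    """Walk PATH-like (dir, ls_mode, dir_uid, dir_gid) entries as a PATH
    search would under the given identity. Returns the first candidate path
    whose directory admits the caller, or None: a directory that cannot be
    searched hides its contents even when the file itself is executable."""
    for d, ls_mode, d_uid, d_gid in path_dirs:
        if can_search(parse_ls_mode(ls_mode), d_uid, d_gid, uid, gids):
            return f"{d}/{name}"
    return None
```

With PROD_PATH, a user outside group bin gets None (the symptom in the thread), while the same user in group bin, or with only the execute bit added for other, finds /opt/bin/test.ksh.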



