[sudo-users] possible sudo bug?

Wing Ho Tang Wingho.Tang at coles.com.au
Tue Nov 20 20:27:27 EST 2007


I also suspected the same in that the user tony didn't have his primary group set to bin. 
Just tested this again.. and we still get the command not found error. 
I'm suspecting that even though the effective gid should be used for the search path, it's only being used against the final command itself and the real gid is being used for the path checking.

I've done a bit more testing to show that the real GID is used when checking the path of the script.. I changed the group of the directory to dba, and put dba as a secondary group for bob and tony. This means that bob has access to the directory but not the script. 

The setup was as follows:
bob, who is unprivileged.. has sudo access to run anything as tony (i.e., in sudoers "bob   host=(tony) NOPASSWD: ALL") and is part of group dba
tony, who is privileged by being in group bin.. can execute /opt/bin/test.ksh, and is also part of group dba

/opt/bin directory permissions and ownership.. 
drwxrwxr--   2 bin      dba             256 Nov 20 13:50 bin  

/opt/bin/test.ksh permissions and ownership
-rwxr-x---   1 bin      bin              30 Nov 20 13:50 test.ksh

In this instance the sudo command worked.. I guess this is similar to giving bob execute access to the bin directory via setting execute bit for other on the directory. 


-----Original Message-----
From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
Sent: Wednesday, 21 November 2007 7:32 AM
To: Wing Ho Tang
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] possible sudo bug? 

In the past, sudo searched the path for the command as root.
Currently, this is done as the user the command is being run as.

My guess is that the problem arises from the fact that while user
tony may be in group bin, bin is not his primary group (as listed
in the passwd database).  It is the primary group that is set to
be the effective gid for the path search.

It should be possible for sudo to use the auxiliary groups during
the path search.  This would require stashing the existing group
vector, calling initgroups() and then restoring the old group vector.

 - todd

