[sudo-users] possible sudo bug?

Russell Van Tassell russell+sudo-users at loosenut.com
Wed Nov 21 23:11:34 EST 2007


Just a quick point-of-order, here... your world directory perms say
read, not execute (search); so shouldn't be part of the equation, in
theory?

On Wed, Nov 21, 2007 at 12:27:27PM +1100, Wing Ho Tang wrote:
> 
> howdy,
> 
> I also suspected the same in that the user tony didn't have his primary group set to bin. 
> Just tested this again.. and we still get the command not found error. 
> I'm suspecting that even though the effective gid should be used for the search path, it's only being used against the final command itself and the real gid is being used for the path checking
> 
> I've done a bit more testing to show that the real GID is used when checking the path of the script.. I changed the group of the directory to dba, and put dba as secondary groups for bob and tony. This means that bob has access to the directory but not the script. 
> 
> The setup was as follows:
> bob, who is unprivileged.. has sudo access to run anything as tony (i.e., in sudoers "bob   host=(tony) NOPASSWD: ALL") and part of group dba
> tony, who is privileged by being in group bin.. can execute /opt/bin/test.ksh, also part of group dba
> 
> 
> /opt/bin directory permissions and ownership.. 
> drwxrwxr--   2 bin      dba             256 Nov 20 13:50 bin  
> 
> /opt/bin/test.ksh permissions and ownership
> -rwxr-x---   1 bin      bin              30 Nov 20 13:50 test.ksh
> 
> In this instance the sudo command worked.. I guess this is similar to giving bob execute access to the bin directory via setting execute bit for other on the directory. 
> 
> cheers,
> wing

-- 
Russell M. Van Tassell
russell at loosenut.com

"When you go fishing with a driftnet, sometimes you catch a dolphin."
 - An RIAA spokesperson,  when asked about the spectacle of file-sharing
   lawsuits against innocent grandparents.
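Added illustration, not code from the thread or from sudo: a small Python model of the classic Unix permission classes applied to the setup Wing lists above. It assumes tony holds bin and dba as supplementary groups, adds a constructed user alice with no shared group, and ignores root's bypass and ACLs.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits; on a directory X means "search"

@dataclass(frozen=True)
class Inode:
    name: str
    mode: int      # permission bits only, e.g. 0o774
    owner: str
    group: str
    is_dir: bool

@dataclass(frozen=True)
class Cred:
    user: str
    primary_group: str
    supplementary: frozenset = frozenset()

    def groups(self):
        return {self.primary_group} | self.supplementary

def permitted(inode, cred, bit):
    """Classic Unix check: exactly one class applies (owner, else group,
    else other). World r-- on a directory never substitutes for x."""
    if cred.user == inode.owner:
        shift = 6
    elif inode.group in cred.groups():
        shift = 3
    else:
        shift = 0
    return bool(inode.mode & (bit << shift))

def can_run(path, cred):
    """path = [dir, ..., file]: every directory needs search (x) and the
    final component needs x; fails closed on any missing permission."""
    *dirs, target = path
    return (all(d.is_dir and permitted(d, cred, X) for d in dirs)
            and not target.is_dir and permitted(target, cred, X))

# Constructed from the thread's listing: bin:dba drwxrwxr-- and bin:bin -rwxr-x---
OPT_BIN = Inode("bin", 0o774, "bin", "dba", True)
TEST_KSH = Inode("test.ksh", 0o750, "bin", "bin", False)
SCRIPT_PATH = [OPT_BIN, TEST_KSH]
bob = Cred("bob", "bob", frozenset({"dba"}))              # dba only
tony = Cred("tony", "tony", frozenset({"bin", "dba"}))    # assumed supplementary groups
alice = Cred("alice", "alice")                            # constructed: no shared group
if __name__ == "__main__":
    for who in (bob, tony, alice):
        print(who.user, "search /opt/bin:", permitted(OPT_BIN, who, X),
              "run test.ksh:", can_run(SCRIPT_PATH, who))
```

Evaluating the same path under bob's and tony's credentials is exactly where the thread's observation differs, so the model makes it easy to see which group set a given lookup must have used.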

