[sudo-users] Filename globbing in /etc/sudoers causes very slow sudo command execution.

Robin Holt holt at sgi.com
Mon Feb 9 12:48:15 EST 2009


We recently upgraded a system which had a vendor provided sudo 1.6.8p12.
Their upgraded install has sudo 1.6.9p17.  Following the upgrade we
found that the time to do 'date; sudo date; date' would give us many
minutes between the first and second date output lines.  We narrowed it
down to /etc/sudoers lines that contain '*' in them.

These lines allow users to set up a build environment.  We realize they
are not entirely safe, but they are adequate to prevent people from
making mistakes that could wipe out a system.  Unfortunately, the users
do need root to do the setups.

According to the sudoers man page, filename matching is supposed to be
done with fnmatch.  If I write a simple program that uses fnmatch(),
that does resolve true/false very quickly.  Likewise, if I recompile the
1.6.8p12 version for the newly installed OS, the problem is resolved.

The glob lines expand directories that may be autofs mounted nfs mounts
from other hosts.  The group of build servers has a collective storage
size on the order of 30TB.

If I strace the sudo command, I do see it opening each file, stat'ing
it, closing it, etc.  With the old command, it runs too quickly for me
to find its pid and attach.

Thanks,
Robin Holt
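The two behaviours described above, side by side, as an added example that is not part of the post or of sudo's own code: match_lexical() does what the sudoers man page describes (fnmatch(3), no filesystem access), while match_by_expansion() does what the strace output suggests, expanding the pattern with glob(3) and touching every entry it reaches before any comparison. The FNM_PATHNAME flag and the scratch-directory fixture under /tmp are assumptions of the example, not facts from the post.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <fnmatch.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Lexical match: only two strings are compared, the filesystem is never touched.
 * FNM_PATHNAME (an assumption, not from the post) keeps '*' from crossing '/'. */
int match_lexical(const char *pattern, const char *cmd)
{
    return fnmatch(pattern, cmd, FNM_PATHNAME) == 0;
}

/* Expansion match: glob() walks every directory the pattern reaches, with a
 * readdir/stat per entry, before anything is compared; cost scales with the tree. */
int match_by_expansion(const char *pattern, const char *cmd, size_t *n_hits)
{
    glob_t g; int found = 0;
    *n_hits = 0;
    if (glob(pattern, 0, NULL, &g) != 0) return 0;      /* nothing on disk matched */
    *n_hits = g.gl_pathc;
    for (size_t i = 0; i < g.gl_pathc && !found; i++)
        found = strcmp(g.gl_pathv[i], cmd) == 0;
    globfree(&g);
    return found;
}

/* Constructed fixture: a scratch dir holding "gcc" and "make". Five checks are
 * packed into a bitmask (all true -> 31); -1 if the dir cannot be created. */
int demo_results(void)
{
    char dir[] = "/tmp/sudoglob.XXXXXX", pat[64], cmd[64];
    size_t n; int bits = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(cmd, sizeof cmd, "%s/gcc", dir);  close(open(cmd, O_CREAT | O_WRONLY, 0755));
    snprintf(cmd, sizeof cmd, "%s/make", dir); close(open(cmd, O_CREAT | O_WRONLY, 0755));
    snprintf(pat, sizeof pat, "%s/*", dir);
    snprintf(cmd, sizeof cmd, "%s/gcc", dir);           /* exists on disk */
    bits |= match_lexical(pat, cmd) << 0;
    bits |= match_by_expansion(pat, cmd, &n) << 1;
    bits |= (n == 2) << 2;                              /* both files were enumerated */
    snprintf(cmd, sizeof cmd, "%s/ld", dir);            /* not on disk */
    bits |= match_lexical(pat, cmd) << 3;               /* lexical: still a match */
    bits |= !match_by_expansion(pat, cmd, &n) << 4;     /* expansion: cannot match */
    snprintf(cmd, sizeof cmd, "%s/gcc", dir);  unlink(cmd);
    snprintf(cmd, sizeof cmd, "%s/make", dir); unlink(cmd);
    rmdir(dir);
    return bits;
}
```

Run the expansion matcher with a pattern rooted in a large NFS or autofs tree and the wall-clock time tracks the number of entries glob() has to stat, which is the slowdown the post reports; the lexical matcher's cost does not change.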
