[sudo-users] Owner sudo process

Rémi CELLIER cellier at gmail.com
Tue Sep 3 03:28:27 MDT 2013


Hello,

  We are currently conducting an upgrade of one of our business tools. The
old version uses Linux Red Hat ES 4.9 with sudo 1.6.7p5. The new version uses
Linux Red Hat ES 6.4 with sudo 1.8.6p3.

On the old version, if you do a "ps", the sudo process belongs to the target
user:
[user@oldserv ~]$ sudo -u usertest sqlplus /

[root@oldserv ~]# ps -ef | grep sqlplus
usertest 30871 30811 0 10:47 pts/4 0:00:00 sesh /u01/app/oracle/product/10.1.0/Db_1/bin/sqlplus /
usertest 30873 30871 0 10:47 pts/4 0:00:00 /u01/app/oracle/product/10.1.0/Db_1/bin/sqlplus

On the new version, there is a sudo process that belongs to root.
[root@newserv ~]# ps -ef | grep sqlplus
root 46560 46421 0 10:45 pts/0 0:00:00 sudo -u usertest sqlplus /
usertest 46562 46560 0 10:45 pts/0 0:00:00 sqlplus

Is it possible to continue to have the behavior of the old version? We have
many impacts of this change.

I tried different solutions, like toggling '-P' on the sudo command and
"stay_setuid" in /etc/sudo.conf. Do you have any clue to solve my problem?

You can find the sudo configuration below:
[root@newserv ~]# sudo -V
Sudo version 1.8.6p3
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p3
--with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login
--with-editor=/bin/vi --with-env-editor --with-ignore-dot
--with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
--with-selinux --with-passprompt=[sudo] password for %p:
--with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        PATH
        ORACLE_SID
        ORACLE_BASE
        ORACLE_HOME
        XAUTHORITY
        _XKB_CHARSET
        LINGUAS
        LANGUAGE
        LC_ALL
        LC_TIME
        LC_TELEPHONE
        LC_PAPER
        LC_NUMERIC
        LC_NAME
        LC_MONETARY
        LC_MESSAGES
        LC_MEASUREMENT
        LC_IDENTIFICATION
        LC_COLLATE
        LC_CTYPE
        LC_ADDRESS
        LANG
        USERNAME
        QTDIR
        PS2
        PS1
        MAIL
        LS_COLORS
        KDEDIR
        INPUTRC
        HISTSIZE
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty

Local IP address and netmask pairs:
        x.x.x.x/255.255.255.0
        xxxx/ffff:ffff:ffff:ffff::

Sudoers I/O plugin version 1.8.6p3

Best Regards

