[sudo-users] Sudo/systemd behavior change

Joe DiTommasso joe at ditommasso.com
Tue Feb 5 16:46:31 MST 2019


Hi, I've just run into a behavior change with sudo and systemd after
upgrading from CentOS 7.5 to 7.6. Sudo version change was from
1.8.19p2-14.el7_5 to 1.8.23-3.el7. Here's my minimal reproduction:

[root at host ~]# cat /usr/lib/systemd/system/sudo-test.service
[Unit]
Description=Sudo test

[Service]
WorkingDirectory=/tmp
ExecStart=/tmp/sudo-test.sh
TimeoutStopSec=10
User=joe

[root at host ~]# cat /tmp/sudo-test.sh
#!/bin/env bash
sudo sleep 300

Old version:
[root at nitrogen ~]# rpm -qa | grep sudo
sudo-1.8.19p2-14.el7_5.x86_64
[root at host ~]# systemctl status sudo-test
● sudo-test.service - Sudo test
   Loaded: loaded (/usr/lib/systemd/system/sudo-test.service; static;
vendor preset: disabled)
   Active: active (running) since Tue 2019-02-05 23:23:04 UTC; 4s ago
 Main PID: 29877 (bash)
   CGroup: /system.slice/sudo-test.service
           ├─29877 bash /tmp/sudo-test.sh
           ├─29878 sudo sleep 300
           └─29885 sleep 300

All child processes show up in the same cgroup.

New version:
[root at nitrogen ~]# rpm -qa | grep sudo
sudo-1.8.23-3.el7.x86_64
[root at host ~]# systemctl start sudo-test
[root at host ~]# systemctl status sudo-test
● sudo-test.service - Sudo test
   Loaded: loaded (/usr/lib/systemd/system/sudo-test.service; static;
vendor preset: disabled)
   Active: active (running) since Tue 2019-02-05 23:27:41 UTC; 3s ago
 Main PID: 30091 (bash)
   CGroup: /system.slice/sudo-test.service
           └─30091 bash /tmp/sudo-test.sh

Feb 05 23:27:41 host systemd[1]: Started Sudo test.
Feb 05 23:27:41 host sudo[30092]:      joe : TTY=unknown ; PWD=/tmp ;
USER=root ; COMMAND=/bin/sleep 300
[root at host ~]# pgrep -alf sleep
30092 sudo sleep 300
30101 sleep 300
[root at host ~]# systemctl status 30092
● session-c1.scope - Session c1 of user root
   Loaded: loaded (/run/systemd/system/session-c1.scope; static; vendor
preset: disabled)
  Drop-In: /run/systemd/system/session-c1.scope.d
           └─50-After-systemd-logind\x2eservice.conf,
50-After-systemd-user-sessions\x2eservice.conf, 50-Description.conf,
50-SendSIGHUP.conf, 50-Slice.conf, 50-TasksMax.conf
   Active: active (running) since Tue 2019-02-05 23:27:41 UTC; 17s ago
   CGroup: /user.slice/user-0.slice/session-c1.scope
           ├─30092 sudo sleep 300
           └─30101 sleep 300

Only the initial bash script is in the systemd-managed cgroup, meaning
'systemctl stop sudo-test' leaves the children in an unmanaged state. The
other child processes are in a new root user slice. I'm aware that what
we're doing with a non-root service calling sudo is probably an
antipattern, but we're in the process of moving away from sudo and weren't
expecting this change in behavior. Is this an expected change? Let me know
if there's any other information you need.

Joe
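A check for the condition described above, added here as an example (it is not from the original post or from the sudo or systemd projects): it walks the descendants of a service's main PID and reports any whose systemd cgroup differs from the service's own, which is exactly what leaves them out of reach of 'systemctl stop'. The proc-tree root is a parameter so the constructed fixture (PIDs and cgroup paths taken from the post's "new version" output) can be checked offline; on a live CentOS 7 box, `find_stray_children /proc "$(systemctl show -p MainPID sudo-test | cut -d= -f2)"` runs the same check.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Given a proc tree root and a
# service's main PID, list descendants whose systemd cgroup differs from the
# main PID's, i.e. processes that 'systemctl stop' would not reach.
# cgroup_of PROC_ROOT PID: systemd hierarchy path from /proc/PID/cgroup,
# handling both cgroup v1 ("1:name=systemd:/...") and v2 ("0::/...").
cgroup_of() {
  awk -F: '$2 == "name=systemd" || $1 == "0" { print $3; exit }' "$1/$2/cgroup"
}
# ppid_of PROC_ROOT PID: PPID from /proc/PID/stat; cut through the closing
# ')' of comm first, since comm may itself contain spaces.
ppid_of() {
  sed 's/^.*) //' "$1/$2/stat" | awk '{ print $2 }'
}
# find_stray_children PROC_ROOT MAIN_PID: print "PID CGROUP" for each
# descendant outside the main PID's cgroup; return 1 if any were found.
find_stray_children() {
  proc=$1; main_cg=$(cgroup_of "$1" "$2"); queue=$2; rc=0
  while [ -n "$queue" ]; do                    # breadth-first walk
    parent=${queue%% *}; queue=${queue#"$parent"}; queue=${queue# }
    for statf in "$proc"/[0-9]*/stat; do
      [ -f "$statf" ] || continue
      pid=${statf#"$proc"/}; pid=${pid%/stat}
      [ "$(ppid_of "$proc" "$pid")" = "$parent" ] || continue
      queue=${queue:+$queue }$pid
      cg=$(cgroup_of "$proc" "$pid")
      if [ "$cg" != "$main_cg" ]; then printf '%s %s\n' "$pid" "$cg"; rc=1; fi
    done
  done
  return $rc
}
# add_proc ROOT PID COMM PPID CGROUP: write a minimal fake /proc/PID entry
# (constructed fixture data, cgroup v1 layout as on CentOS 7).
add_proc() {
  mkdir -p "$1/$2"
  printf '%s (%s) S %s 1 1 0\n' "$2" "$3" "$4" > "$1/$2/stat"
  printf '1:name=systemd:%s\n' "$5" > "$1/$2/cgroup"
}
# make_fixture: constructed tree reproducing the post's "new version" output.
make_fixture() {
  root=$(mktemp -d)
  add_proc "$root" 30091 bash  1     /system.slice/sudo-test.service
  add_proc "$root" 30092 sudo  30091 /user.slice/user-0.slice/session-c1.scope
  add_proc "$root" 30101 sleep 30092 /user.slice/user-0.slice/session-c1.scope
  printf '%s\n' "$root"
}
root=$(make_fixture)
find_stray_children "$root" 30091 || echo "children escaped sudo-test.service"
rm -rf "$root"
```

On the fixture this prints both the sudo and sleep PIDs with the session-c1.scope path, matching what the post's 'systemctl status 30092' showed.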

