On 10/7/2010 9:25 PM, Tom H wrote:
On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith dgoldsmith@sans.org wrote:
Two servers, each have normal user umask values of 0077 and root umask values on 0022.
On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from base), here are the results of touching a file as a user, as root and as a user sudoing to root:
user: touch file - result is 600 root: touch file - result is 644 user: sudo touch file - result is 644
On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from updates), here are the results of the same actions:
user: touch file - result is 600 root: touch file - result is 644 user: sudo touch file - result is 600 ** this differs **
On the second system, if I downgrade sudo to the base version, it behaves the same as on the first server, so this appears to be sudo version specific rather than an i386 vs x86-64 difference.
Looking at the changelogs at the package home site, I don't see anything obvious that covers this change:
http://www.courtesan.com/sudo/stable.html#1.7.0 http://www.courtesan.com/sudo/stable.html#1.7.1 http://www.courtesan.com/sudo/stable.html#1.7.2
Does anyone know how to change the behavior with the umask values when using the newer version of sudo?
This is causing us some issues when sudoing to update an SVN working directory used by our Puppet server.
Check for a "umask" variable/line in the two installs' /etc/sudoers file.
"grep -i mask /etc/sudoers" on both servers gets no hits.
David Goldsmith