Two servers, each with a normal-user umask of 0077 and a root umask of 0022.
On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from base), here are the results of touching a file as a user, as root and as a user sudoing to root:
user: touch file - result is 600
root: touch file - result is 644
user: sudo touch file - result is 644
On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from updates), here are the results of the same actions:
user: touch file - result is 600
root: touch file - result is 644
user: sudo touch file - result is 600 ** this differs **
On the second system, if I downgrade sudo to the base version, it behaves the same as on the first server, so this appears to be sudo version specific rather than an i386 vs x86-64 difference.
Looking at the changelogs at the package home site, I don't see anything obvious that covers this change:
http://www.courtesan.com/sudo/stable.html#1.7.0
http://www.courtesan.com/sudo/stable.html#1.7.1
http://www.courtesan.com/sudo/stable.html#1.7.2
Does anyone know how to change the behavior with the umask values when using the newer version of sudo?
This is causing us some issues when sudoing to update an SVN working directory used by our Puppet server.
Thanks, David Goldsmith
On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith dgoldsmith@sans.org wrote:
Check for a "umask" variable/line in the two installs' /etc/sudoers file.
On 10/7/2010 9:25 PM, Tom H wrote:
"grep -i mask /etc/sudoers" on both servers gets no hits.
David Goldsmith
On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith dgoldsmith@sans.org wrote:
Any differences in the env_keep, env_delete, env_check settings (if they are used) in sudoers?
On 10/7/2010 9:59 PM, Tom H wrote:
Both servers have the same defaults settings:
# Defaults specification
Defaults log_year, logfile=/var/log/sudo.log
Defaults loglinelen=0
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
    _XKB_CHARSET XAUTHORITY"
David Goldsmith
On Thu, Oct 7, 2010 at 11:35 PM, David Goldsmith dgoldsmith@sans.org wrote:
Sorry. The "Defaults" suggestion was silly given that there was no umask setting.
I've looked through the man pages of 1.6.x and 1.7.x and the umask description is different:
For 1.6.x, the default is 0022.
For 1.7.x, the default is 0022 but "The actual umask that is used will be the union of the user's umask and 0022. This guarantees that sudo never lowers the umask when running a command."
From: David Goldsmith dgoldsmith@sans.org
On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from base), here are the results of touching a file as a user, as root and as a user sudoing to root:
On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from updates), here are the results of the same actions:
Maybe check the release notes... http://www.sudo.ws/sudo/stable.html A quick look got: "A new Defaults option "umask_override" will cause sudo to set the umask specified in sudoers even if it is more permissive than the invoking user's umask. "
JD
On 10/8/2010 4:42 AM, John Doe wrote:
Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1. However, on both servers, there is no umask_override line in the /etc/sudoers file and if I run "sudo -V" as root and grep for umask, I get the same output on both versions:
# sudo -V | grep -i umask
Umask to use or 0777 to use user's: 022
So it would seem to me that it ought to have been using a umask of 022, resulting in test files with 644 permissions.
These sections from the sudoers man page on each version seem to explain the difference:
1.6.9 man page:
umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The default is 0022.
1.7.2 man page:
umask_override If set, sudo will set the umask as specified by sudoers without modification. This makes it possible to specify a more permissive umask in sudoers than the user's own umask and matches historical behavior. If umask_override is not set, sudo will set the umask to be the union of the user's umask and what is specified in sudoers. This flag is off by default.
umask Umask to use when running the command. Negate this option or set it to 0777 to preserve the user's umask. The actual umask that is used will be the union of the user's umask and 0022. This guarantees that sudo never lowers the umask when running a command. Note on systems that use PAM, the default PAM configuration may specify its own umask which will override the value set in sudoers.
If I add "Defaults umask_override" in /etc/sudoers on the system with sudo 1.7.2, then the umask behavior I was expecting occurs -- "sudo touch file" results in a file with 644 perms (based on root's umask).
Since the sudo 1.6.9 systems don't like seeing that line in their config file, I either need to get all the systems upgraded to 1.7.2 or modify Puppet to push different versions of the /etc/sudoers depending on what version of sudo is installed.
Thanks for the responses.
David Goldsmith
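The three behaviours David's message describes (sudo 1.6.x applying the sudoers umask as-is, sudo 1.7.x OR-ing it with the invoking user's umask, and umask_override restoring the old behaviour) can be modelled in a few lines of shell. This is an added example, not code from the thread or from the sudo project; the sudoers umask of 0022 and the user umask of 0077 are the thread's values, while the 0027 and 0002 rows are constructed extra cases to show that the union only ever removes permission bits:

```shell
#!/bin/sh
# Added example: model how sudo derives the umask for the command it runs.
#   old      - sudo 1.6.x: the sudoers "umask" value (default 0022) is used as-is
#   union    - sudo 1.7.x default: invoking user's umask OR'ed with the sudoers value
#   override - sudo 1.7.1+ with "Defaults umask_override": sudoers value as-is
# Octal values are passed as leading-zero strings (0077, 0022); POSIX shell
# arithmetic reads a leading zero as octal.

SUDOERS_UMASK=0022   # sudo's built-in default; "sudo -V" reports "022" in the thread

effective_umask() {  # usage: effective_umask USER_UMASK POLICY
  case $2 in
    old|override) printf '%04o\n' "$(( SUDOERS_UMASK ))" ;;
    union)        printf '%04o\n' "$(( $1 | SUDOERS_UMASK ))" ;;
    *) echo "unknown policy: $2" >&2; return 1 ;;
  esac
}

# Mode of a regular file created by "touch": the 0666 creation mode with the
# umask bits cleared. A bitwise OR of two umasks can only clear more bits,
# which is why the 1.7.x default can never make the file more permissive.
touch_mode() {  # usage: touch_mode UMASK
  printf '%o\n' "$(( 0666 & ~$1 ))"
}

# Recreate the thread's experiment for a few invoking-user umasks
# (0077 is the poster's; 0027 and 0002 are constructed extra cases).
report() {
  printf '%-10s %-8s %-15s %s\n' user_umask policy effective_umask touch_mode
  for u in 0077 0027 0002; do
    for p in old union override; do
      e=$(effective_umask "$u" "$p")
      printf '%-10s %-8s %-15s %s\n' "$u" "$p" "$e" "$(touch_mode "$e")"
    done
  done
}

report
```

The 0077 rows reproduce the thread exactly: 644 under 1.6.9 ("old"), 600 under 1.7.2 without umask_override ("union"), and 644 again once umask_override is set.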
David Goldsmith wrote on 10/08/2010 09:09 AM: ...
Since the sudo 1.6.9 systems don't like seeing that line in their config file, I either need to get all the systems upgraded to 1.7.2 or modify Puppet to push different versions of the /etc/sudoers depending on what version of sudo is installed.
And why would you NOT want to have the latest security and bug-fix updates, and get consistent behavior across the board as a bonus?
Phil
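David's remaining problem above is that "Defaults umask_override" is a syntax error on the sudo 1.6.9 hosts, so a single pushed /etc/sudoers cannot serve both versions. One way to handle that from a provisioning script is to derive the umask-related Defaults lines from the installed sudo version. This is an added example, not code from the thread or from the sudo project or Puppet; it assumes the version string has the form seen in the thread ("1.7.2p1", major.minor.patch with an optional "pN" suffix), that umask_override first appears in 1.7.1 as the quoted changelog entry says, and that the first line of "sudo -V" reads "Sudo version X" and that "visudo -c -f FILE" is available for syntax checking:

```shell
#!/bin/sh
# Added example: emit the umask-related "Defaults" lines appropriate to the
# installed sudo, so one provisioning script can serve both 1.6.x and 1.7.x
# hosts. "Defaults umask_override" is only accepted from sudo 1.7.1 on (the
# changelog entry quoted in the thread); older sudo rejects it as a syntax error.

# Parse "MAJOR.MINOR.PATCH[pN]" into three integers (any "pN" suffix dropped).
# Echoes "MAJOR MINOR PATCH" on one line. Assumes three dotted components.
sudo_version_parts() {  # usage: sudo_version_parts 1.7.2p1
  v=$1
  maj=${v%%.*}; v=${v#*.}
  min=${v%%.*}; v=${v#*.}
  pat=${v%%p*}
  echo "${maj:-0} ${min:-0} ${pat:-0}"
}

# Exit status 0 if this sudo version understands "Defaults umask_override".
sudo_supports_umask_override() {  # usage: sudo_supports_umask_override VERSION
  set -- $(sudo_version_parts "$1")
  [ "$1" -gt 1 ] && return 0
  [ "$1" -eq 1 ] && [ "$2" -gt 7 ] && return 0
  [ "$1" -eq 1 ] && [ "$2" -eq 7 ] && [ "$3" -ge 1 ] && return 0
  return 1
}

# The Defaults fragment for /etc/sudoers on a given version: always pin the
# umask sudo applies, and add umask_override where it is legal so every
# release ends up applying the sudoers umask as-is (the 1.6.x behaviour).
umask_defaults_fragment() {  # usage: umask_defaults_fragment VERSION
  printf 'Defaults umask=0022\n'
  if sudo_supports_umask_override "$1"; then
    printf 'Defaults umask_override\n'
  fi
}

# Version of the sudo on this host, taken from the first line of "sudo -V"
# ("Sudo version 1.7.2p1"). Needs sudo installed; not exercised by the tests.
installed_sudo_version() {
  sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# Syntax-check a candidate sudoers file before installing it: a broken
# /etc/sudoers locks everyone out of sudo. Not exercised by the tests.
validate_sudoers() {  # usage: validate_sudoers /path/to/candidate
  visudo -c -f "$1"
}

# Stand-alone demonstration with the two versions from the thread.
for ver in 1.6.9 1.7.2p1; do
  echo "# sudo $ver:"
  umask_defaults_fragment "$ver"
done
```

In a configuration-management setup the same split would be expressed as a template keyed on a fact carrying the sudo version, with the generated file run through visudo -c before it replaces /etc/sudoers; the shell functions above are the version test and fragment that template would need.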