[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings
David Goldsmith
dgoldsmith at sans.org
Fri Oct 8 13:09:35 UTC 2010
On 10/8/2010 4:42 AM, John Doe wrote:
> From: David Goldsmith <dgoldsmith at sans.org>
>
>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>> base), here are the results of touching a file as a user, as root and as
>> a user sudoing to root:
>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>> updates), here are the results of the same actions:
>
> Maybe check the release notes...
> http://www.sudo.ws/sudo/stable.html
> A quick look got:
> "A new Defaults option "umask_override" will cause sudo to set
> the umask specified in sudoers even if it is more permissive than
> the invoking user's umask. "
>
> JD
Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1. However,
on both servers, there is no umask_override line in the /etc/sudoers
file and if I run "sudo -V" as root and grep for umask, I get the same
output on both versions:
# sudo -V | grep -i umask
Umask to use or 0777 to use user's: 022
So it would seem to me that it ought to have been using a umask of 022,
resulting in test files with 644 permissions.
These sections from the sudoers man page on each version seem to
explain the difference:
1.6.9 man page:
    umask           Umask to use when running the command. Negate this
                    option or set it to 0777 to preserve the user's
                    umask. The default is 0022.
1.7.2 man page:
    umask_override  If set, sudo will set the umask as specified by
                    sudoers without modification. This makes it
                    possible to specify a more permissive umask in
                    sudoers than the user's own umask and matches
                    historical behavior. If umask_override is not set,
                    sudo will set the umask to be the union of the
                    user's umask and what is specified in sudoers. This
                    flag is off by default.
    umask           Umask to use when running the command. Negate this
                    option or set it to 0777 to preserve the user's
                    umask. The actual umask that is used will be the
                    union of the user's umask and 0022. This guarantees
                    that sudo never lowers the umask when running a
                    command. Note on systems that use PAM, the default
                    PAM configuration may specify its own umask which
                    will override the value set in sudoers.
If I add "Defaults umask_override" in /etc/sudoers on the system with
sudo 1.7.2, then the umask behavior I was expecting occurs -- "sudo
touch file" results in a file with 644 perms (based on root's umask).
Since the sudo 1.6.9 systems don't like seeing that line in their config
file, I either need to get all the systems upgraded to 1.7.2 or modify
Puppet to push different versions of the /etc/sudoers depending on what
version of sudo is installed.
Thanks for the responses.
David Goldsmith
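The rule quoted from the 1.7.2 man page is easy to check with a little arithmetic. The script below is an added example, not part of the mail or of sudo itself: it models sudo 1.7.x's umask selection (bitwise union of the invoking user's umask and the sudoers umask unless umask_override is set) and the mode a freshly touched file gets under that umask, then confirms the file-mode half against a real file. The user umask values (077) are constructed for illustration; the 022 sudoers value is the one reported by "sudo -V" in the mail. The stat -c call assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: models the sudoers(5) umask rules quoted above.
# It does not call sudo; it only reproduces the arithmetic so the
# observed 600-vs-644 difference can be reasoned about.

# umask_union A B -> octal union (bitwise OR) of two umasks.
# Union can only clear more bits, so the result is never more permissive
# than either input; this is the "sudo never lowers the umask" guarantee.
umask_union() {
    printf '%04o' $(( 0$1 | 0$2 ))
}

# sudo_umask USER_UMASK SUDOERS_UMASK OVERRIDE(0|1)
#   OVERRIDE=0: 1.7.x default, union of the two (umask_override unset)
#   OVERRIDE=1: "Defaults umask_override", sudoers value used as-is
#   (1.6.9 behaved like OVERRIDE=1 with the default 0022)
sudo_umask() {
    if [ "$3" = "1" ]; then
        printf '%04o' $(( 0$2 ))
    else
        umask_union "$1" "$2"
    fi
}

# new_file_mode UMASK -> mode of a file created with 0666 (what touch asks for)
new_file_mode() {
    printf '%04o' $(( 0666 & ~0$1 ))
}

# observed_file_mode UMASK -> actually create a file under that umask and
# report its mode (GNU stat), to confirm new_file_mode against the kernel.
observed_file_mode() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" )
    mode=$(stat -c '%a' "$dir/probe")
    rm -rf "$dir"
    printf '%04o' "0$mode"
}

# Constructed scenario: invoking user has umask 077, sudoers says 022.
for override in 0 1; do
    eff=$(sudo_umask 077 022 "$override")
    printf 'umask_override=%s  effective umask %s  touch gives %s\n' \
        "$override" "$eff" "$(new_file_mode "$eff")"
done
printf 'kernel check, umask 0022: %s\n' "$(observed_file_mode 0022)"
```

With umask_override unset the union of 077 and 022 is 077, so "sudo touch file" produces a 600 file even though sudoers asks for 022; with "Defaults umask_override" the sudoers value wins and the file is 644. Note that the man page's PAM caveat still applies: a pam_umask setting in the sudo PAM stack can override either result, which this model does not account for.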