[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

Fri Oct 8 18:56:20 UTC 2010
Tom H <tomh0665 at gmail.com>

On Thu, Oct 7, 2010 at 11:35 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
> On 10/7/2010 9:59 PM, Tom H wrote:
>> On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
>>> On 10/7/2010 9:25 PM, Tom H wrote:
>>>> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
>>>>> Two servers, each have normal user umask values of 0077 and root umask
>>>>> values on 0022.
>>>>>
>>>>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>>>>> base), here are the results of touching a file as a user, as root and as
>>>>> a user sudoing to root:
>>>>>
>>>>> user: touch file        - result is 600
>>>>> root: touch file        - result is 644
>>>>> user: sudo touch file   - result is 644
>>>>>
>>>>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>>>>> updates), here are the results of the same actions:
>>>>>
>>>>> user: touch file        - result is 600
>>>>> root: touch file        - result is 644
>>>>> user: sudo touch file   - result is 600         ** this differs **
>>>>>
>>>>> On the second system, if I downgrade sudo to the base version, it
>>>>> behaves the same as on the first server, so this appears to be sudo
>>>>> version specific rather than an i386 vs x86-64 difference.
>>>>>
>>>>> Looking at the changelogs at the package home site, I don't see anything
>>>>> obvious that covers this change:
>>>>>
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.0
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.1
>>>>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>>>>
>>>>> Does anyone know how to change the behavior with the umask values when
>>>>> using the newer version of sudo?
>>>>>
>>>>> This is causing us some issues when sudoing to update an SVN working
>>>>> directory used by our Puppet server.
>>>>
>>>> Check for a "umask" variable/line in the two installs' /etc/sudoers file.
>>>
>>> "grep -i mask /etc/sudoers" on both servers gets no hits.
>>
>> Any differences in the env_keep, env_delete, env_check settings (if
>> they are used) in sudoers?
>
> Both servers have the same defaults settings:
>
> # Defaults specification
> Defaults    log_year, logfile=/var/log/sudo.log
> Defaults    loglinelen=0
> Defaults    env_reset
> Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
>                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
>                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
>                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
>                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
>                        _XKB_CHARSET XAUTHORITY"

Sorry. The "Defaults" suggestion was silly given that there was no
umask setting.

I've looked through the man pages of 1.6.x and 1.7.x and the umask
description is different:

For 1.6.x, the default is 0022.

For 1.7.x, the default is 0022 but "The actual umask that is used will
be the union of the user's umask and 0022. This guarantees that sudo
never lowers the umask when running a command."
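The following shell script is an added illustration, not something posted in this thread: it models the two umask rules Tom quotes from the man pages and reproduces the file modes David reported. It assumes the 1.6.x behaviour is simply "apply the sudoers default of 0022", which is what the observed 644 implies, and that the 1.7.x behaviour is the bitwise OR of the invoking user's umask with 0022. The function names and the 0077/0022 inputs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): model the umask rules of sudo 1.6.x
# and 1.7.x as described in the man page excerpts, and compute the mode
# that "touch" would produce under each.

SUDOERS_UMASK=0022   # sudo's built-in default umask in both versions

# sudo 1.6.x: the umask sudo applies is the sudoers default, regardless of
# the invoking user's umask (assumption consistent with the reported 644).
effective_umask_16() {
    printf '%04o' "$(( $SUDOERS_UMASK ))"
}

# sudo 1.7.x: the union (bitwise OR) of the user's umask and the default,
# so sudo can add restrictions but never remove them.
effective_umask_17() {
    printf '%04o' "$(( 0$1 | $SUDOERS_UMASK ))"
}

# Mode of a file created by touch (open with O_CREAT and 0666) under a umask:
# the umask bits are cleared from 0666.
file_mode() {
    printf '%03o' "$(( 0666 & ~0$1 ))"
}

# Reproduce the poster's table: user umask 0077, root umask 0022.
show() {
    printf '%-24s umask %s -> mode %s\n' "$1" "$2" "$(file_mode "$2")"
}
show "user: touch"              0077
show "root: touch"              0022
show "user: sudo touch (1.6.9)" "$(effective_umask_16)"
show "user: sudo touch (1.7.2)" "$(effective_umask_17 0077)"
```

Running it prints 600, 644, 644 and 600 for the four rows, matching the two servers. The last row is the whole story: 0077 OR 0022 is still 0077, so under 1.7.x the sudo'd touch inherits the user's restrictive mask, whereas 1.6.x replaced it with 0022. A user with umask 0002 would get 0022 under 1.7.x, which is the "never lowers the umask" guarantee in practice.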