[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

Fri Oct 8 01:25:42 UTC 2010
Tom H <tomh0665 at gmail.com>

On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
> Two servers, each have normal user umask values of 0077 and root umask
> values on 0022.
>
> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
> base), here are the results of touching a file as a user, as root and as
> a user sudoing to root:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 644
>
> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
> updates), here are the results of the same actions:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 600         ** this differs **
>
> On the second system, if I downgrade sudo to the base version, it
> behaves the same as on the first server, so this appears to be sudo
> version specific rather than an i386 vs x86-64 difference.
>
> Looking at the changelogs at the package home site, I don't see anything
> obvious that covers this change:
>
> http://www.courtesan.com/sudo/stable.html#1.7.0
> http://www.courtesan.com/sudo/stable.html#1.7.1
> http://www.courtesan.com/sudo/stable.html#1.7.2
>
> Does anyone know how to change the behavior with the umask values when
> using the newer version of sudo?
>
> This is causing us some issues when sudoing to update an SVN working
> directory used by our Puppet server.

Check for a "umask" variable/line in the two installs' /etc/sudoers file.