[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

Fri Oct 8 03:35:23 UTC 2010
David Goldsmith <dgoldsmith at sans.org>

On 10/7/2010 9:59 PM, Tom H wrote:
> On Thu, Oct 7, 2010 at 9:48 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
>> On 10/7/2010 9:25 PM, Tom H wrote:
>>> On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
>>>> Two servers, each have normal user umask values of 0077 and root umask
>>>> values of 0022.
>>>>
>>>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>>>> base), here are the results of touching a file as a user, as root and as
>>>> a user sudoing to root:
>>>>
>>>> user: touch file        - result is 600
>>>> root: touch file        - result is 644
>>>> user: sudo touch file   - result is 644
>>>>
>>>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>>>> updates), here are the results of the same actions:
>>>>
>>>> user: touch file        - result is 600
>>>> root: touch file        - result is 644
>>>> user: sudo touch file   - result is 600         ** this differs **
>>>>
>>>> On the second system, if I downgrade sudo to the base version, it
>>>> behaves the same as on the first server, so this appears to be sudo
>>>> version specific rather than an i386 vs x86-64 difference.
>>>>
>>>> Looking at the changelogs at the package home site, I don't see anything
>>>> obvious that covers this change:
>>>>
>>>> http://www.courtesan.com/sudo/stable.html#1.7.0
>>>> http://www.courtesan.com/sudo/stable.html#1.7.1
>>>> http://www.courtesan.com/sudo/stable.html#1.7.2
>>>>
>>>> Does anyone know how to change the behavior with the umask values when
>>>> using the newer version of sudo?
>>>>
>>>> This is causing us some issues when sudoing to update an SVN working
>>>> directory used by our Puppet server.
>>>
>>> Check for a "umask" variable/line in the two installs' /etc/sudoers file.
>>
>> "grep -i mask /etc/sudoers" on both servers gets no hits.
> 
> Any differences in the env_keep, env_delete, env_check settings (if
> they are used) in sudoers?


Both servers have the same Defaults settings:

# Defaults specification
Defaults    log_year, logfile=/var/log/sudo.log
Defaults    loglinelen=0
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"


David Goldsmith
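Added example (editor's note, not part of the thread): the three results above can be reproduced arithmetically. touch asks for mode 0666 and the kernel clears the umask bits, so a 0077 umask yields 0600 and 0022 yields 0644. The 0600 seen through sudo 1.7.2 is what you get if the command runs under the union (bitwise OR) of the caller's 0077 and the root/sudoers 0022, i.e. 0077 again; the 0644 seen with sudo 1.6.9 is what you get if only the sudoers umask applies. Which of those two rules a given sudo release follows is an assumption of this script, not something the thread states (sudoers does document a "umask_override" flag that selects the second rule, but check the sudoers(5) page for the version installed). The function names are the editor's own.

```shell
#!/bin/sh
# Model how a file mode comes out of touch under a given umask, and how two
# umasks combine. The "union" vs "override" rules below are assumptions used to
# reproduce the numbers from the thread; confirm against sudoers(5).

# touch requests 0666; the kernel clears every bit set in the umask.
mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~$1 ))
}

# Bitwise OR of two umasks, e.g. 0077 | 0022 = 0077.
union_umask() {
    printf '%04o\n' $(( $1 | $2 ))
}

# Mode produced by "sudo touch file".
#   $1 = invoking user's umask, $2 = sudoers/root umask,
#   $3 = "union"    -> OR the two umasks (assumed sudo 1.7.2 behaviour)
#        "override" -> use the sudoers umask alone (assumed sudo 1.6.9 behaviour)
sudo_touch_mode() {
    if [ "$3" = union ]; then
        mode_for_umask "$(union_umask "$1" "$2")"
    else
        mode_for_umask "$2"
    fi
}

# Constructed input: the umasks quoted in the thread (user 0077, root 0022).
demo() {
    echo "user:       touch file -> $(mode_for_umask 0077)"
    echo "root:       touch file -> $(mode_for_umask 0022)"
    echo "sudo 1.6.9: touch file -> $(sudo_touch_mode 0077 0022 override)"
    echo "sudo 1.7.2: touch file -> $(sudo_touch_mode 0077 0022 union)"
}

demo
```

Running it prints 0600, 0644, 0644 and 0600, matching the two tables in the original post; the last line is the "** this differs **" case. The practical lesson is that when a job such as the SVN update has to produce group- or world-readable files, do not rely on the umask sudo happens to inherit: set the umask explicitly in the invoked command (for example "sudo sh -c 'umask 022; svn update ...'") so the result is the same on both sudo versions.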