On 10/8/2010 4:42 AM, John Doe wrote:
> From: David Goldsmith <dgoldsmith at sans.org>
>
>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>> base), here are the results of touching a file as a user, as root and as
>> a user sudoing to root:
>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>> updates), here are the results of the same actions:
>
> Maybe check the release notes...
> http://www.sudo.ws/sudo/stable.html
> A quick look got:
> "A new Defaults option "umask_override" will cause sudo to set
> the umask specified in sudoers even if it is more permissive than
> the invoking user's umask."
>
> JD

Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1.

However, on both servers, there is no umask_override line in the
/etc/sudoers file, and if I run "sudo -V" as root and grep for umask, I
get the same output on both versions:

# sudo -V | grep -i umask
Umask to use or 0777 to use user's: 022

So it would seem to me that it ought to have been using a umask of 022,
resulting in test files with 644 permissions.

These sections from the sudoers man page on each version seem to explain
the difference:

1.6.9 man page:

    umask           Umask to use when running the command. Negate this
                    option or set it to 0777 to preserve the user's umask.
                    The default is 0022.

1.7.2 man page:

    umask_override  If set, sudo will set the umask as specified by
                    sudoers without modification. This makes it possible
                    to specify a more permissive umask in sudoers than the
                    user's own umask and matches historical behavior. If
                    umask_override is not set, sudo will set the umask to
                    be the union of the user's umask and what is specified
                    in sudoers. This flag is off by default.

    umask           Umask to use when running the command. Negate this
                    option or set it to 0777 to preserve the user's umask.
                    The actual umask that is used will be the union of the
                    user's umask and 0022. This guarantees that sudo never
                    lowers the umask when running a command.

                    Note on systems that use PAM, the default PAM
                    configuration may specify its own umask which will
                    override the value set in sudoers.

If I add "Defaults umask_override" in /etc/sudoers on the system with
sudo 1.7.2, then the umask behavior I was expecting occurs -- "sudo touch
file" results in a file with 644 perms (based on root's umask).

Since the sudo 1.6.9 systems don't like seeing that line in their config
file, I either need to get all the systems upgraded to 1.7.2 or modify
Puppet to push different versions of the /etc/sudoers depending on what
version of sudo is installed.

Thanks for the responses.

David Goldsmith
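The "union of the user's umask and what is specified in sudoers" rule quoted above is just a bitwise OR of the two octal masks, which is why a restrictive user umask wins under 1.7.x unless umask_override is set. The script below is an added example written for this page (it is not sudo's code and not something posted in the thread); it models the three cases the man pages describe (1.6.9 / umask_override on, 1.7.x default union, and the 0777 "preserve the user's umask" setting), computes the file mode a new file would get, and then actually creates a file under the computed umask in a temporary directory so the ls output can be checked. The user umask values in the comments (077, 002) are constructed for illustration, not the poster's real output; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from sudo itself.
# Models sudo's umask handling as described by the 1.6.9 and 1.7.2
# sudoers(5) excerpts quoted in the message above.

# effective_umask USER_UMASK SUDOERS_UMASK OVERRIDE
#   OVERRIDE=on  : sudoers value used as-is (sudo 1.6.x behaviour, or
#                  1.7.x with "Defaults umask_override")
#   OVERRIDE=off : bitwise OR ("union") of the user's umask and the
#                  sudoers umask (1.7.x default)
# A sudoers umask of 0777 means "preserve the user's umask" in both cases.
# The leading 0 makes $(( )) parse the strings as octal.
effective_umask() {
    user=$1 sudoers=$2 override=$3
    if [ "$(( 0$sudoers ))" -eq "$(( 0777 ))" ]; then
        printf '%04o\n' "$(( 0$user ))"
    elif [ "$override" = on ]; then
        printf '%04o\n' "$(( 0$sudoers ))"
    else
        printf '%04o\n' "$(( 0$user | 0$sudoers ))"
    fi
}

# file_mode UMASK: mode a newly created regular file gets, i.e. 0666 & ~umask
file_mode() {
    printf '%03o\n' "$(( 0666 & ~0$1 ))"
}

# demo_perms USER_UMASK SUDOERS_UMASK OVERRIDE
# Creates a file in a scratch directory under the computed umask and
# returns the 10-character permission field from ls -l, the same view the
# poster used to compare the two servers.
demo_perms() {
    m=$(effective_umask "$1" "$2" "$3")
    d=$(mktemp -d)
    ( umask "$m" && : > "$d/testfile" )
    p=$(ls -l "$d/testfile" | cut -c1-10)
    rm -rf "$d"
    printf '%s\n' "$p"
}

# Worked comparison with a constructed user umask of 077 and the default
# sudoers umask of 022 seen in "sudo -V" above:
#   sudo 1.6.9 / umask_override on : umask 0022 -> file 644 (-rw-r--r--)
#   sudo 1.7.2 default (union)      : umask 0077 -> file 600 (-rw-------)
for o in on off; do
    u=$(effective_umask 077 022 "$o")
    printf 'override=%-3s user=077 sudoers=022 -> umask %s, file mode %s, ls %s\n' \
        "$o" "$u" "$(file_mode "$u")" "$(demo_perms 077 022 "$o")"
done
```

Run it with plain sh; no root or sudo is needed, because only the arithmetic and a temp-directory umask test are exercised. The PAM caveat from the man page is outside what this models: pam_umask or a login-class setting can replace the result again after sudo has applied its own rule.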