[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings

Fri Oct 8 13:09:35 UTC 2010
David Goldsmith <dgoldsmith at sans.org>

On 10/8/2010 4:42 AM, John Doe wrote:
> From: David Goldsmith <dgoldsmith at sans.org>
> 
>> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
>> base), here are the results of touching a file as a user, as root and as
>> a user sudoing to root:
>> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
>> updates), here are the results of the same actions:
> 
> Maybe check the release notes...
> http://www.sudo.ws/sudo/stable.html
> A quick look got:
> "A new Defaults option "umask_override" will cause sudo to set
> the umask specified in sudoers even if it is more permissive than
> the invoking user's umask."
> 
> JD

Ok, I missed that last bullet on changes from 1.7.0 to 1.7.1.  However,
on both servers, there is no umask_override line in the /etc/sudoers
file and if I run "sudo -V" as root and grep for umask, I get the same
output on both versions:

  # sudo -V | grep -i umask
  Umask to use or 0777 to use user's: 022

So it would seem to me that it ought to have been using a umask of 022,
resulting in test files with 644 permissions.

These sections from the sudoers man page on each version seem to
explain the difference:

1.6.9 man page:

       umask       Umask to use when running the command.  Negate this
                   option or set it to 0777 to preserve the user's
                   umask.  The default is 0022.

1.7.2 man page:

       umask_override  If set, sudo will set the umask as specified by
                   sudoers without modification.  This makes it
                   possible to specify a more permissive umask in
                   sudoers than the user's own umask and matches
                   historical behavior.  If umask_override is not set,
                   sudo will set the umask to be the union of the
                   user's umask and what is specified in sudoers.  This
                   flag is off by default.

       umask       Umask to use when running the command.  Negate this
                   option or set it to 0777 to preserve the user's
                   umask.  The actual umask that is used will be the
                   union of the user's umask and 0022.  This guarantees
                   that sudo never lowers the umask when running a
                   command.  Note on systems that use PAM, the default
                   PAM configuration may specify its own umask which
                   will override the value set in sudoers.

If I add "Defaults    umask_override" in /etc/sudoers on the system with
sudo 1.7.2, then the umask behavior I was expecting occurs -- "sudo
touch file" results in a file with 644 perms (based on root's umask).

Since the sudo 1.6.9 systems don't like seeing that line in their config
file, I either need to get all the systems upgraded to 1.7.2 or modify
Puppet to push different versions of the /etc/sudoers depending on what
version of sudo is installed.

Thanks for the responses.

David Goldsmith
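As an added illustration (not part of this thread and not sudo's own code), the following Python model encodes the two umask rules quoted from the man pages above and predicts the mode of a file created with "sudo touch" under each version; the invoking user's umask of 0077 used in the comments is a constructed sample value, not one taken from the thread.

```python
import re

# Model of the sudoers umask rules quoted in the thread (constructed, not
# sudo's source).  Only plain "Defaults" lines are parsed; per-user or
# per-host Defaults forms (Defaults:user, Defaults@host) are ignored.
PRESERVE_USER_UMASK = 0o777  # "set it to 0777 to preserve the user's umask"


def parse_sudoers_defaults(sudoers_text):
    """Return (sudoers_umask, umask_override) from the Defaults lines.

    The umask defaults to 0022 when no umask option is present; a negated
    option (!umask) is recorded as 0777, i.e. keep the user's umask."""
    umask, override = 0o022, False
    for line in sudoers_text.splitlines():
        line = line.split('#', 1)[0].strip()          # drop comments
        if not line.startswith('Defaults'):
            continue
        for opt in line[len('Defaults'):].split(','):
            opt = opt.strip()
            if opt == 'umask_override':
                override = True
            elif opt == '!umask':
                umask = PRESERVE_USER_UMASK
            else:
                m = re.fullmatch(r'umask\s*=\s*([0-7]+)', opt)
                if m:
                    umask = int(m.group(1), 8)
    return umask, override


def effective_umask(user_umask, sudoers_umask, umask_override, new_semantics):
    """Umask the command actually runs with.

    new_semantics=False models sudo 1.6.9: the sudoers value is used as-is.
    new_semantics=True models sudo 1.7.2: the union (bitwise OR) of the
    user's umask and the sudoers value is used unless umask_override is set,
    so sudo never lowers the umask."""
    if sudoers_umask == PRESERVE_USER_UMASK:
        return user_umask
    if new_semantics and not umask_override:
        return user_umask | sudoers_umask
    return sudoers_umask


def touched_file_mode(user_umask, sudoers_text, new_semantics):
    """Permission bits of a file created by 'sudo touch' (creat mode 0666).

    With user umask 0077 and a sudoers file lacking umask_override, 1.6.9
    yields 0644 while 1.7.2 yields 0600 (0077 | 0022 = 0077)."""
    sudoers_umask, override = parse_sudoers_defaults(sudoers_text)
    mask = effective_umask(user_umask, sudoers_umask, override, new_semantics)
    return 0o666 & ~mask
```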