Bug 416371 - app-admin/sudo-1.8.5 doesn't read sudoers.d/ dir
Summary: app-admin/sudo-1.8.5 doesn't read sudoers.d/ dir
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system (show other bugs)
Hardware: All Linux
Importance: Normal critical
Assignee: Gentoo's Team for Core System packages
URL: http://www.sudo.ws/pipermail/sudo-wor...
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2012-2337
Reported: 2012-05-17 11:32 UTC by Marcin Mirosław
Modified: 2012-05-18 08:02 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Marcin Mirosław 2012-05-17 11:32:27 UTC
After upgrading from 1.8.3_p2 to 1.8.5 it seems to me that files from /etc/sudoers.d/ are silently ignored.
With the older version
# cat /etc/sudoers.d/nrpe 
nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/
nagios ALL=(ALL) NOPASSWD: /usr/local/sbin/check_hddtemp.sh *

this works; nrpe could run scripts with root privileges.
After the upgrade, /usr/bin/sudo /usr/lib/nagios/plugins/check_mailq asks for a password. If I put the line "nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/" into /etc/sudoers then user nagios can run plugins without entering a password.

Reproducible: Always




Portage 2.2.0_alpha107 (hardened/linux/x86, gcc-4.5.3, glibc-2.14.1-r3, 3.2.11-hardened i686)
=================================================================
System uname: Linux-3.2.11-hardened-i686-Intel-R-_Celeron-R-_CPU_2.40GHz-with-gentoo-2.0.3
Timestamp of tree: Thu, 17 May 2012 09:15:01 +0000
distcc 3.1 i686-pc-linux-gnu [disabled]
ccache version 3.1.7 [enabled]
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.2.3
dev-util/ccache:          3.1.7
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.4.5, 4.5.3-r2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r3
Repositories: gentoo
Installed sets:
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -mfpmath=sse -pipe -s"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /usr/share/openvpn/easy-rsa /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -mfpmath=sse -pipe -s"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS=" --quiet-build=n"
FEATURES="Xkeepwork Xsplitdebug assume-digests binpkg-logs ccache collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles news parallel-fetch parse-eapi-ebuild-head preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="pl_PL.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="pl en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--compress-level=0 -O"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage/local /usr/local/portage/miro/portage /usr/local/portage/miro/staging"
SYNC="rsync://192.168.2.6/gentoo-portage"
USE="acl acpi activefilter apache2 async automount bash-completion bzip2 caps chroot clamav clamd clamdtop cli crypt ctype cxx dsn erandom exiscan-acl gif gocr graphite hardened iconv idn imap iproute2 ipv6 jpeg json logrotate maildir memlimit mhash mime mmap mmx mmxext modules mouse mudflap ncurses network-cron nls nntp nptl ocrad openmp openssl pam pax_kernel pcre pic posix pppd readline recode session slang smp spell sse sse2 ssl suhosin svg syslog threads threadsafe tiff tools unicode urandom vhosts vim-pager vim-syntax x86 xattr xmlreader zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="alias auth_basic auth_digest authn_anon authn_default authn_file authz_default authz_groupfile authz_host autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers imagemap info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif so status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="pl en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18" 
USERLAND="GNU" XTABLES_ADDONS="geoip tarpit"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-05-17 15:39:22 UTC
Can you check that the permissions on the files are good? They should be 0400 as otherwise it seems to ignore them, like it would do for sudoers itself.

I'm using sudoers.d locally and it seems to work just fine.
Comment 2 Marcin Mirosław 2012-05-17 16:02:34 UTC
I tried on x86 and on amd64, results are still the same.
About permissions:
# LANG=en_US ls -lah /etc/sudoers.d/
total 12K
dr-x------  2 root root 4.0K May 17 13:16 .
drwxr-xr-x 76 root root 4.0K May 17 17:54 ..
-r--------  1 root root  115 May 17 13:16 nrpe

should be correct.
What more can I do to debug this situation?
Comment 3 Marcin Mirosław 2012-05-17 16:06:42 UTC
I changed the permissions on /etc/sudoers.d to 550, because 500 gives the message: sudo: unable to open /etc/sudoers.d/nrpe: Permission denied .
But it doesn't change the situation; I had 550 earlier.
Comment 4 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-05-17 17:35:00 UTC
Try 440 to /etc/sudoers.d/nrpe.
Comment 5 Marcin Mirosław 2012-05-17 17:45:00 UTC
I reverted to 440 and nothing changed; sudo still asks for a password. After downgrading to 1.8.3_p2 it works as I expect.
Comment 6 SpanKY gentoo-dev 2012-05-17 17:47:09 UTC
you can see this:
$ sudo su -
# strace sudo

it'll lstat /etc/sudoers.d/ but not parse anything in there
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-05-17 18:04:07 UTC
Damn, it worked simply because I had both sudoers and sudoers.d with the same rule.

Agreed this is getting bad.
Comment 8 SpanKY gentoo-dev 2012-05-17 18:21:31 UTC
seems like a bug in the new sudo_secure_path() logic and interaction with _push_include() in toke.l

on my system:
toke.l:_push_include()
  switch (sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb)) {

this returns SUDO_PATH_SECURE, but the switch statement doesn't have a case for that, so it hits the default:
  /* NOTREACHED */
  debug_return_bool(false);

i guess we need to handle this new state there
Comment 9 Marcin Mirosław 2012-05-17 18:35:14 UTC
Maybe fast stabilization should be stopped until a fix is available?
Comment 11 SpanKY gentoo-dev 2012-05-17 19:08:38 UTC
i've pounded through my fix as it seems to make it work for me again.  however, the sanity checks don't seem to be run on files inside of /etc/sudoers.d/ like they used to, so i'll follow up upstream on this.
Comment 12 Diego Elio Pettenò (RETIRED) gentoo-dev 2012-05-17 19:24:27 UTC
I think that the behaviour is correct:


 * The user/group/mode checks on sudoers files have been relaxed.
   As long as the file is owned by the sudoers uid, not world-writable
   and not writable by a group other than the sudoers gid, the file
   is considered OK.  Note that visudo will still set the mode to
   the value specified at configure time.


so there is no warning to be expected by mode 0644.
Comment 13 SpanKY gentoo-dev 2012-05-17 19:33:38 UTC
ok, thanks for reading the NEWS to me that i should have checked ;)
# chmod 777 /etc/sudoers.d/f
# sudo true
sudo: /etc/sudoers.d/f is world writable

also makes me feel better that we aren't releasing a buggy-in-a-different-way ebuild.  so i think we should be all set here if the OP wants to test 1.8.5-r1.
Comment 14 Marcin Mirosław 2012-05-17 20:24:07 UTC
OP says it works for me;)
Comment 15 SpanKY gentoo-dev 2012-05-17 21:06:32 UTC
thanks all!
Comment 16 Marcin Mirosław 2012-05-18 08:02:48 UTC
Thanks for quick fix.