Summary: | app-admin/sudo-1.8.5 doesn't read sudoers.d/ dir | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Marcin Mirosław <bug> |
Component: | [OLD] Core system | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | RESOLVED FIXED | ||
Severity: | critical | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.sudo.ws/pipermail/sudo-workers/2012-May/000751.html | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 416281 |
Description
Marcin Mirosław
2012-05-17 11:32:27 UTC
Can you check that the permissions on the files are good? They should be 0400 as otherwise it seems to ignore them, like it would do for sudoers itself. I'm using sudoers.d locally and it seems to work just fine.

I tried on x86 and on amd64, results are still the same. About permissions:

```
# LANG=en_US ls -lah /etc/sudoers.d/
total 12K
dr-x------  2 root root 4.0K May 17 13:16 .
drwxr-xr-x 76 root root 4.0K May 17 17:54 ..
-r--------  1 root root  115 May 17 13:16 nrpe
```

should be correct. What can i do more to debug this situation?

I changed permission on /etc/sudoers.d to 550, because 500 gives messages: `sudo: unable to open /etc/sudoers.d/nrpe: Permission denied`. But it doesn't change situation, i had 550 earlier.

Try 440 to /etc/sudoers.d/nrpe.

I revert to 440 and it nothing changed, sudo still ask for password. After downgrade to 1.8.3_p2 it works as i expect.

you can see this:

```
$ sudo su -
# strace sudo
```

it'll lstat /etc/sudoers.d/ but not parse anything in there

Damn, it worked simply because I had both sudoers and sudoers.d with the same rule. Agreed this is getting bad.

seems like a bug in the new sudo_secure_path() logic and interaction with _push_include() in toke.l

on my system:

```
toke.l:_push_include()
switch (sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb)) {
```

this returns SUDO_PATH_SECURE, but the switch statement doesn't have a case for that, so it hits the default:

```
/* NOTREACHED */
debug_return_bool(false);
```

i guess we need to handle this new state there

Maybe fast stabilization should be stopped until fix will be available?

Commit message: Fix parsing of #includedir directives
http://sources.gentoo.org/app-admin/sudo/files/sudo-1.8.5-securedir.patch?rev=1.1
http://sources.gentoo.org/app-admin/sudo/sudo-1.8.5-r1.ebuild?rev=1.1

i've pounded through my fix as it seems to make it work for me again. however, the sanity checks don't seem to be run on files inside of /etc/sudoers.d/ like they used to, so i'll follow up upstream on this.

I think that the behaviour is correct:

* The user/group/mode checks on sudoers files have been relaxed. As long as the file is owned by the sudoers uid, not world-writable and not writable by a group other than the sudoers gid, the file is considered OK. Note that visudo will still set the mode to the value specified at configure time.

so there is no warning to be expected by mode 0644.

ok, thanks for reading the NEWS to me that i should have checked ;)

```
# chmod 777 /etc/sudoers.d/f
# sudo true
sudo: /etc/sudoers.d/f is world writable
```

also makes me feel better that we aren't releasing a buggy-in-a-different-way ebuild. so i think we should be all set here if the OP wants to test 1.8.5-r1.

OP says it works for me;) thanks all!

Thanks for quick fix.