David Goldsmith
2010-Oct-07 23:20 UTC
[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings
Two servers, each have normal user umask values of 0077 and root umask values of 0022.

On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from base), here are the results of touching a file as a user, as root and as a user sudoing to root:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 644

On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from updates), here are the results of the same actions:

user: touch file        - result is 600
root: touch file        - result is 644
user: sudo touch file   - result is 600         ** this differs **

On the second system, if I downgrade sudo to the base version, it behaves the same as on the first server, so this appears to be sudo version specific rather than an i386 vs x86-64 difference.

Looking at the changelogs at the package home site, I don't see anything obvious that covers this change:

http://www.courtesan.com/sudo/stable.html#1.7.0
http://www.courtesan.com/sudo/stable.html#1.7.1
http://www.courtesan.com/sudo/stable.html#1.7.2

Does anyone know how to change the behavior with the umask values when using the newer version of sudo?

This is causing us some issues when sudoing to update an SVN working directory used by our Puppet server.

Thanks,
David Goldsmith
Tom H
2010-Oct-08 01:25 UTC
[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings
On Thu, Oct 7, 2010 at 7:20 PM, David Goldsmith <dgoldsmith at sans.org> wrote:
> Two servers, each have normal user umask values of 0077 and root umask
> values of 0022.
>
> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
> base), here are the results of touching a file as a user, as root and as
> a user sudoing to root:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 644
>
> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
> updates), here are the results of the same actions:
>
> user: touch file        - result is 600
> root: touch file        - result is 644
> user: sudo touch file   - result is 600         ** this differs **
>
> On the second system, if I downgrade sudo to the base version, it
> behaves the same as on the first server, so this appears to be sudo
> version specific rather than an i386 vs x86-64 difference.
>
> Looking at the changelogs at the package home site, I don't see anything
> obvious that covers this change:
>
> http://www.courtesan.com/sudo/stable.html#1.7.0
> http://www.courtesan.com/sudo/stable.html#1.7.1
> http://www.courtesan.com/sudo/stable.html#1.7.2
>
> Does anyone know how to change the behavior with the umask values when
> using the newer version of sudo?
>
> This is causing us some issues when sudoing to update an SVN working
> directory used by our Puppet server.

Check for a "umask" variable/line in the two installs' /etc/sudoers file.
John Doe
2010-Oct-08 08:42 UTC
[CentOS] sudo 1.6.9 versus sudo 1.7.2 behavioral differences with umask settings
From: David Goldsmith <dgoldsmith at sans.org>
> On the first server (CentOS 5.4 i386) running sudo 1.6.9pl7-5 (from
> base), here are the results of touching a file as a user, as root and as
> a user sudoing to root:
> On the second server (CentOS x86-64) running sudo 1.7.2p1-7 (from
> updates), here are the results of the same actions:

Maybe check the release notes...
http://www.sudo.ws/sudo/stable.html

A quick look got:
"A new Defaults option "umask_override" will cause sudo to set the umask specified in sudoers even if it is more permissive than the invoking user's umask."

JD
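
The two suggestions above (look for a umask line in /etc/sudoers, and the umask_override option) can be checked together with a small model of how sudo 1.7.x chooses the command's umask. This is an added example, not part of the thread: the function names and sudoers fragments are constructed, and the union rule and the 0022 default come from the sudoers manual rather than from the posts.

```shell
#!/bin/sh
# Added example: models sudo 1.7.x umask selection from sudoers Defaults.
# Simplification (assumption): only global "Defaults" lines are read.

# Read sudoers text on stdin; print "<umask> <override>", e.g. "0022 off".
sudoers_umask_policy() {
    um=0022 ov=off                       # documented defaults
    set -f                               # no globbing while splitting options
    while read -r kw rest || [ -n "$kw" ]; do
        [ "$kw" = "Defaults" ] || continue
        old_ifs=$IFS; IFS=,
        for opt in $rest; do
            opt=$(printf '%s' "$opt" | tr -d ' \t"')
            case $opt in
                umask=*)            um=${opt#umask=} ;;
                '!umask')           um=0777 ;;   # negated: keep user's umask
                umask_override)     ov=on ;;
                '!umask_override')  ov=off ;;
            esac
        done
        IFS=$old_ifs
    done
    set +f
    printf '%s %s\n' "$um" "$ov"
}

# effective_umask USER_UMASK SUDOERS_UMASK OVERRIDE -> umask the command gets
effective_umask() {
    u=$((0$1)) s=$((0$2))
    if [ "$s" -eq 511 ]; then e=$u       # 0777: leave the user's umask alone
    elif [ "$3" = on ]; then e=$s        # umask_override: sudoers value as-is
    else e=$((u | s))                    # default: union, never more permissive
    fi
    printf '%04o\n' "$e"
}

# Mode of a file created with mode 0666 (as touch does) under a given umask.
touch_mode() { printf '%03o\n' "$(( 0666 & ~0$1 & 0777 ))"; }

# Constructed sudoers fragments (not taken from the thread's servers).
for frag in 'Defaults env_reset' 'Defaults umask=0022, umask_override'; do
    set -- $(printf '%s\n' "$frag" | sudoers_umask_policy)
    echo "$frag -> sudo touch as umask-0077 user: $(touch_mode "$(effective_umask 0077 "$1" "$2")")"
done
```

With no umask settings in sudoers the model reproduces the 600 seen on the 1.7.2 server; adding umask=0022 together with umask_override gives the 644 seen with 1.6.9. Edit the real file with visudo.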