Package: sudo
Version: 1.6.9p17-2 0
Severity: important

sudo is not behaving as expected for non-existing files/commands.

My /etc/sudoers file contains:
> %business ALL=NOPASSWD: /tmp/nonexistent.sh

I log in as a user who belongs to group "business":
> root:~# su - k000333 -s /bin/bash

The file does not exist:
> k000333:~$ ls -al /tmp/nonexistent.sh
> ls: cannot access /tmp/nonexistent.sh: No such file or directory

I try to execute this file:
> k000333:~$ sudo /tmp/nonexistent.sh
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> [sudo] password for k000333: *hitting ctrl+c*
> sudo: pam_authenticate: Conversation error

I now create this file:
> k000333:~$ cp /bin/bash /tmp/nonexistent.sh
> k000333:~$ ls -al /tmp/nonexistent.sh
> -rwxr-xr-x 1 k000333 k000333 797784 2009-08-20 14:12 /tmp/nonexistent.sh

I try to execute this file via sudo and it works:
> k000333:~$ sudo /tmp/nonexistent.sh
> root:/data/k000333# id
> uid=0(root) gid=0(root) groups=0(root)
> root:/data/k000333#

On the contrary, if I execute a non-existing file as root, with /etc/sudoers
> root ALL=(ALL) ALL

I execute /tmp/nonexistent.sh:
> root@:/etc # sudo /tmp/nonexistent.sh
> sudo: /tmp/nonexistent.sh: command not found

In my opinion, the errors I receive should be identical, regardless of the
user under which I issue the command.

If this behavior is meant to be for protection, I do not see any benefits, as I
can simply test if the executable exists by using ls and/or executing this
file without sudo.

cheers,
raoul
--
____________________________________________________________________
DI (FH) Raoul Bhatia M.Sc.          email.          [email protected]
Technischer Leiter
IPAX - Aloy Bhatia Hava OEG         web.          http://www.ipax.at
Barawitzkagasse 10/2/2/11           email.          [email protected]
1190 Wien                           tel.            +43 1 3670030
FN 277995t HG Wien                  fax.            +43 1 3670030 15
____________________________________________________________________
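
An audit sketch for the situation in the report above (added here, not part of the original bug report or of sudo): it flags sudoers rules whose command path is missing, or whose file or parent directory is not owned by a trusted uid or is writable by group/others, since whoever can create or replace that file decides what runs as root. The parser handles only simple one-line rules; the function names and the `trusted_uid` parameter are assumptions of this example.

```python
import os
import re
import stat

TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # NOPASSWD:, NOEXEC:, ...
RUNAS = re.compile(r"^\s*\([^)]*\)\s*")   # (ALL), (root:adm), ...

def sudoers_commands(text):
    """Yield (who, path) for simple 'who host=[(runas)] [TAG:] cmd, cmd' rules."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        # Skip blanks, comments/#include lines, Defaults and alias definitions.
        if len(parts) < 2 or parts[0].startswith("#") or "=" not in parts[1]:
            continue
        who, rest = parts
        if who.startswith("Defaults") or who.endswith("_Alias"):
            continue
        for cmd in rest.split("=", 1)[1].split(","):
            words = TAGS.sub("", RUNAS.sub("", cmd).strip()).split()
            if words and words[0].startswith("/"):
                yield who, words[0]

def path_findings(path, trusted_uid=0):
    """Check the command file and its parent directory (symlinks followed)."""
    findings = [] if os.path.exists(path) else ["missing"]
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except OSError:
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"not-owned-by-uid-{trusted_uid}:{p}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"writable-by-others:{p}")
    return findings

def audit(text, trusted_uid=0):
    """Map (who, path) -> findings for every rule that has at least one."""
    report = {}
    for who, path in sudoers_commands(text):
        found = path_findings(path, trusted_uid)
        if found:
            report[(who, path)] = found
    return report

# Constructed sample, modelled on the rules quoted in the report.
SAMPLE = "root ALL=(ALL) ALL\n%business ALL=NOPASSWD: /tmp/nonexistent.sh\n"

if __name__ == "__main__":
    for (who, path), found in audit(SAMPLE).items():
        print(who, path, ", ".join(found))
```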

