Bugzilla – Full Text Bug Listing

| Summary: | !umask setting does not work on HPUX 11.23 only | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Ashley Brown <ashley.brown> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | CC: | vnaipaul |
| Priority: | normal | | |
| Version: | 1.6.9 | | |
| Hardware: | HP | | |
| OS: | HP-UX | | |
Description
Ashley Brown
2008-06-11 21:31:51 MDT
The line: Defaults !umask in sudoers will prevent sudo from changing the umask. However, something else (perhaps PAM) may be changing it. What the documentation means is that if "umask 0777" is specified, sudo will not change the umask itself, which is equivalent to "!umask". You can try running configure with the --disable-pam-session flag which will prevent sudo from using PAM's session support, which is probably where the umask change is coming from. Alternately, you could investigate your PAM configuration and change the umask settings there.

Sorry, that should be "sudo -i -H -u testuser"

I've just deployed sudo 1.6.9p16 across various HPUX systems, upgrading from sudo 1.6.8p4 on PARISC 11.23, and from sudo 1.6.8p12 on Itanium 11.23/11.31. This sudo build is from HP's Internet Express suite.
It seems with 1.6.9p16 the umask setting in sudoers is ignored; files from the sudo'd command are being created under umask 077 regardless of the sudoers umask setting (eg !umask, umask=0022, umask=0777).
I only have the 'sudo -V' output from 1.6.8p12 to compare... PAM was then and is now being used as the Authentication method (below).
Could someone please take another look at this?
Thanks.
```
# sudo -V
Sudo version 1.6.8p12
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Log the hostname in the (non-syslog) log file
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /opt/iexpress/sudo/libexec/sudo_noexec.so
Environment variables to check for sanity:
        LANGUAGE
        LANG
        LC_*
Environment variables to remove:
        PERL5OPT
        PERL5LIB
        PERLLIB
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        KRB5_CONFIG*
        SHLIB_PATH
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Local IP address and netmask pairs:
```
Now 'sudo -V' from my just installed 1.6.9p16:
```
# sudo -V
Sudo version 1.6.9p16
Sudoers path: /opt/iexpress/sudo/etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: local2
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Log the hostname in the (non-syslog) log file
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /opt/iexpress/sudo/libexec/sudo_noexec.so
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        SHLIB_PATH
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        TZ
        PS2
        PS1
        PATH
        MAIL
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        HOME
        DISPLAY
        COLORS
Local IP address and netmask pairs:
```
This is due to PAM resetting the umask, not sudo (specifically the pam_hpsec module). See the security(4) man page for more info. If you are not able to configure PAM to preserve the umask, you can try running configure with the --disable-pam-session flag which will prevent sudo from running the PAM session code.

(In reply to comment #4)
> This is due to PAM resetting the umask, not sudo (specifically the
> pam_hpsec module). See the security(4) man page for more info. If you
> are not able to configure PAM to preserve the umask, you can try
> running configure with the --disable-pam-session flag which will
> prevent sudo from running the PAM session code.
>

Indeed, one of the HP ITRC forum users suggested adding the following to pam.conf and it solved the problem:

"sudo session required libpam_hpsec.so.1 bypass_umask"

Thanks for the assistance
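An added configuration check, written for this page and not part of the bug report, of sudo or of HP-UX: it parses the umask line of `sudo -V` and the libpam_hpsec session entries for the `sudo` service in a pam.conf excerpt, then reports whether `bypass_umask` is present, i.e. whether the sudoers umask can survive the PAM session step the thread identifies. The `sudo -V` excerpt, both pam.conf samples and all function names are constructed for the example; the fallback to the `OTHER` service when a service has no session entries is assumed standard pam.conf behaviour.

```python
"""Check whether a sudoers umask can survive HP-UX PAM session setup.

Constructed example for this bug report: parse the umask line from
`sudo -V` and the libpam_hpsec session entries for the `sudo` service in
pam.conf, and report whether `bypass_umask` is present. All sample inputs
are constructed to mirror the report, not captured from a real host.
"""
import re

# Constructed excerpt of `sudo -V` output (1.6.9 wording as in the report).
SUDO_V_SAMPLE = """Sudo version 1.6.9p16
Authentication methods: 'pam'
Umask to use or 0777 to use user's: 022
"""

# Constructed /etc/pam.conf excerpt. HP-UX pam.conf format is
#   service module_type control_flag module_path [options]
# The sudo session entry lacks bypass_umask, as in the report.
PAM_CONF_BEFORE = """# constructed pam.conf excerpt
login  session  required  libpam_hpsec.so.1
sudo   auth     required  libpam_hpsec.so.1
sudo   auth     required  libpam_unix.so.1
sudo   session  required  libpam_hpsec.so.1
OTHER  session  required  libpam_hpsec.so.1
"""

# Same excerpt with the fix the reporter applied.
PAM_CONF_AFTER = PAM_CONF_BEFORE.replace(
    "sudo   session  required  libpam_hpsec.so.1",
    "sudo   session  required  libpam_hpsec.so.1  bypass_umask")


def parse_pam_conf(text):
    """Return one dict per non-comment pam.conf entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: skip rather than guess
        entries.append({
            "service": fields[0],
            "type": fields[1].lower(),
            "control": fields[2].lower(),
            "module": fields[3],
            "options": fields[4:],
        })
    return entries


def sudo_umask_policy(sudo_v_text):
    """Parse sudo's umask line. Returns (umask, sudo_sets_umask).

    sudo -V prints the octal value; 0777 means sudo leaves the caller's
    umask untouched, the same effect as 'Defaults !umask'.
    """
    m = re.search(r"^Umask to use or 0777 to use user's:\s*([0-7]+)\s*$",
                  sudo_v_text, re.M)
    if not m:
        raise ValueError("umask line not found in sudo -V output")
    value = int(m.group(1), 8)
    return value, value != 0o777


def session_entries(entries, service="sudo"):
    """Session entries PAM will run for `service`.

    Assumed standard pam.conf semantics: OTHER applies only when the named
    service has no entries of that module type.
    """
    own = [e for e in entries
           if e["service"] == service and e["type"] == "session"]
    if own:
        return own
    return [e for e in entries
            if e["service"] == "OTHER" and e["type"] == "session"]


def hpsec_resets_umask(entries, service="sudo"):
    """True if a libpam_hpsec session entry for `service` lacks bypass_umask."""
    for e in session_entries(entries, service):
        module = e["module"].split("/")[-1]
        if module.startswith("libpam_hpsec") and "bypass_umask" not in e["options"]:
            return True
    return False


def audit(pam_conf_text, sudo_v_text):
    """Combine both inputs into a prediction of which umask commands will see."""
    umask, sudo_sets = sudo_umask_policy(sudo_v_text)
    reset = hpsec_resets_umask(parse_pam_conf(pam_conf_text))
    if reset:
        expected = "set by pam_hpsec session (see security(4))"
    elif sudo_sets:
        expected = f"{umask:04o} from sudoers"
    else:
        expected = "caller's umask (sudoers 0777 / !umask)"
    return {
        "sudoers_umask": umask,
        "sudo_sets_umask": sudo_sets,
        "pam_hpsec_resets_umask": reset,
        "expected_umask": expected,
    }


if __name__ == "__main__":
    for label, conf in (("before", PAM_CONF_BEFORE), ("after", PAM_CONF_AFTER)):
        print(label, audit(conf, SUDO_V_SAMPLE))
```

On a real host, feed `audit()` the contents of /etc/pam.conf and the captured `sudo -V` output; a `pam_hpsec_resets_umask` of True is the condition this report describes, and the remedy is either the `bypass_umask` option on the sudo session line or a sudo built with --disable-pam-session.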