Bugzilla – Full Text Bug Listing
| Summary: | excessive sudo completion time due to /etc/sudoers "*" entry resolution by statx() | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Les <lestnye> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | lestnye |
| Priority: | low | | |
| Version: | 1.6.9 | | |
| Hardware: | IBM | | |
| OS: | AIX | | |
| Attachments: | avoid calling glob() when we know it can't match | | |
Description

We upgraded from a successfully working sudo version 1.6.7 to 1.6.9p15. We did not change the /etc/sudoers file, though we re-validated it with "visudo -c -f /etc/sudoers" with no errors found. After the upgrade, sudo commands started taking 10s of minutes to complete. Apparently sudo is trying to resolve all "*" wildcard entries in the /etc/sudoers file with statx(). I got this from running "truss sudo touch /tmp/junk" on an AIX server. We also saw this in Solaris 10.

Event: entered "sudo touch /tmp/junk"; command completed 24 minutes later.

Sample /etc/sudoers entry (we have multiple command alias entries using asterisks):

```
Cmnd_Alias DB2_USER = /usr/opt/db2*/adm/db2start, \
    /usr/opt/db2*/adm64/db2start, \
    /usr/opt/db2*/adm/db2stop, \
    /usr/opt/db2*/adm64/db2stop, \
    /usr/opt/db2*/bin/db2, \
    /usr/opt/db2*/bin64/db2, \
    /usr/ldap/db2
```

Is there a way around this, or do we have to strip out every asterisk and replace it with specific pathnames in the /etc/sudoers file?

I suspect this was introduced with:

> 1.6.8p11: Bug fix 588) Use glob(3) instead of fnmatch(3) for matching pathnames and stat() each result that matches the basename of the user's command. This makes "cd /usr/bin ; sudo ./blah" work when sudoers allows /usr/bin/blah.

Comment 1

Since glob(), unlike fnmatch(), searches the file system, that does sound like it is the problem. I should be able to add a heuristic to avoid calling glob() unnecessarily.

Comment 2

Created attachment 233 [details]: avoid calling glob() when we know it can't match

The following patch should avoid excessive glob() calls.

Comment 3

Change committed, will be part of 1.6.9p18 and 1.7.0rc3
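The following C program is an added example, not sudo's own code and not the attached patch. It shows the distinction this bug turns on: fnmatch(3) compares two strings in memory, while glob(3) walks the file system (the source of the statx() storm in the report), and it applies the kind of heuristic the fix describes, rejecting a wildcard entry without calling glob() when the entry's basename cannot match the command's basename. The metacharacter test, the scratch directory under /tmp, the call counter and all paths in it are constructed for the demonstration.

```c
/* Added example, not sudo's own code: a sudoers-style command matcher that
 * applies a "skip glob() when it cannot match" heuristic. fnmatch(3) compares
 * strings in memory; glob(3) walks the file system, which is what produced
 * the storm of statx() calls in the report. Fixture paths and the call
 * counter are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

static int glob_calls = 0;          /* how often glob() really ran */
static char fixture_dir[64];        /* scratch directory for the demo */

/* Last path component, or the whole string when there is no '/'. */
static const char *base_of(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Pure string test: could the pattern's basename match the command's
 * basename? Never touches the file system. */
int basename_can_match(const char *pattern, const char *cmd) {
    return fnmatch(base_of(pattern), base_of(cmd), 0) == 0;
}

/* Returns 1 if absolute path `cmd` is allowed by sudoers entry `pattern`.
 * Literal entries are compared with strcmp(); wildcard entries whose
 * basename cannot match are rejected without glob(); only the rest glob(). */
int command_matches(const char *pattern, const char *cmd) {
    if (strpbrk(pattern, "*?[") == NULL)
        return strcmp(pattern, cmd) == 0;
    if (!basename_can_match(pattern, cmd))
        return 0;                   /* heuristic: glob() cannot match */
    glob_t gl;
    int matched = 0;
    glob_calls++;
    if (glob(pattern, 0, NULL, &gl) == 0) {
        for (size_t i = 0; i < gl.gl_pathc; i++)
            if (strcmp(gl.gl_pathv[i], cmd) == 0) { matched = 1; break; }
        globfree(&gl);
    }
    return matched;
}

int glob_call_count(void) { return glob_calls; }

/* Constructed fixture: <tmp>/db2v9/adm/db2start, so the glob() path can be
 * exercised offline. Fills in a wildcard pattern and the matching command. */
int make_fixture(char *pattern, size_t plen, char *cmd, size_t clen) {
    char sub[128];
    strcpy(fixture_dir, "/tmp/sudoglobXXXXXX");
    if (mkdtemp(fixture_dir) == NULL) return 0;
    snprintf(sub, sizeof sub, "%s/db2v9", fixture_dir);
    if (mkdir(sub, 0700) != 0) return 0;
    snprintf(sub, sizeof sub, "%s/db2v9/adm", fixture_dir);
    if (mkdir(sub, 0700) != 0) return 0;
    snprintf(cmd, clen, "%s/db2v9/adm/db2start", fixture_dir);
    FILE *f = fopen(cmd, "w");
    if (f == NULL) return 0;
    fclose(f);
    snprintf(pattern, plen, "%s/db2*/adm/db2start", fixture_dir);
    return 1;
}

/* Remove the fixture again; remove() handles both files and empty dirs. */
void remove_fixture(void) {
    char p[128];
    snprintf(p, sizeof p, "%s/db2v9/adm/db2start", fixture_dir);
    remove(p);
    snprintf(p, sizeof p, "%s/db2v9/adm", fixture_dir);
    remove(p);
    snprintf(p, sizeof p, "%s/db2v9", fixture_dir);
    remove(p);
    remove(fixture_dir);
}

int main(void) {
    char pattern[160], cmd[160];
    /* The reported case: "sudo touch /tmp/junk" against a DB2 alias entry. */
    printf("db2start entry vs /tmp/junk: matched=%d, glob calls=%d\n",
           command_matches("/usr/opt/db2*/adm/db2start", "/tmp/junk"),
           glob_call_count());
    if (make_fixture(pattern, sizeof pattern, cmd, sizeof cmd)) {
        printf("%s vs %s: matched=%d, glob calls=%d\n", pattern, cmd,
               command_matches(pattern, cmd), glob_call_count());
        remove_fixture();
    }
    return 0;
}
```

The basename pre-check is why the reporter's "touch /tmp/junk" never reaches glob(): "junk" cannot match "db2start" or "db2", so none of the wildcard DB2 entries cost a directory walk. Only an entry whose basename could match is expanded, and the expansion is then compared against the fully qualified command rather than trusted on its own.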