Bug 558

Summary: Rule with wildcard in path takes forever due to stat
Product: Sudo
Reporter: jl_ewing
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: high    
Priority: low    
Version: 1.7.2   
Hardware: Sun   
OS: Solaris 2.x   

Description jl_ewing 2012-06-06 22:54:16 MDT
If I have rules, for example

jlewing ALL = NOPASSWD: /*/jlewing/cdpinfo.pl
jlewing ALL = NOPASSWD: /*/*/jlewing/cdpinfo.pl

due to a variation of home directories across a large number of systems (and I use the same rules across all for ease of administration) and I enter

sudo /home/jlewing/cdpinfo.pl

the command takes an immense amount of time to complete.  I have noticed that a stat is being done on all file systems and if one of those should hang then I am dead in the water.  The fact that I have specified the full path to the command, to me, should programmatically match with the first entry without doing a stat on every file system other than the one specified.

Comment 1 Todd C. Miller 2012-06-07 13:29:53 MDT
If you are going to use patterns like that in sudoers you probably want to enable the fast_glob option which causes sudo to use the fnmatch() function instead of glob().

Sudo matches commands by inode, which is why you are seeing all those stats.  This is the only way to safely handle '!' rules and to consistently support things like "sudo ./command".
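
An added example (not sudo's own code and not part of the comment above) contrasting the two strategies the comment names: string matching with fnmatch(), which never touches the file system, and identity matching by device and inode, which costs a stat() per candidate path. The helper names and the use of FNM_PATHNAME are assumptions; the rule patterns and the command path come from the report.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <sys/stat.h>

/* String-only match: compares pattern text to path text, no stat(), no
 * directory walk, so a hung mount cannot stall it.
 * FNM_PATHNAME (assumed here) stops '*' from matching across '/'. */
static int matches_by_string(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

/* Identity match: two paths are the same command when device and inode
 * agree. Each comparison needs stat() on both paths, which is the cost
 * the reporter observed once a glob expands across many file systems. */
static int matches_by_inode(const char *a, const char *b)
{
    struct stat sa, sb;

    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return 0;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

int main(void)
{
    const char *rule1 = "/*/jlewing/cdpinfo.pl";   /* from the report */
    const char *rule2 = "/*/*/jlewing/cdpinfo.pl"; /* from the report */
    const char *cmd   = "/home/jlewing/cdpinfo.pl";

    printf("rule1 vs %s: %d\n", cmd, matches_by_string(rule1, cmd));
    printf("rule2 vs %s: %d\n", cmd, matches_by_string(rule2, cmd));

    /* A relative spelling is a different string, so the string match
     * cannot recognise it; this is the "sudo ./command" case. */
    printf("rule1 vs ./cdpinfo.pl: %d\n",
           matches_by_string(rule1, "./cdpinfo.pl"));

    /* "/" and "/." are two spellings of one directory (constructed
     * sample that exists on any system): the inode check sees one
     * object, the string check sees two different names. */
    printf("inode  / vs /.: %d\n", matches_by_inode("/", "/."));
    printf("string / vs /.: %d\n", matches_by_string("/", "/."));
    return 0;
}
```

Because the string match treats each spelling of a path as a separate name, a sudoers file should be checked for negated ('!') rules containing wildcards before fast_glob is enabled.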