Bug 626

Summary: sudo /bin/ls failes on directories where root does not have permissions and NOEXEC is set
Product: Sudo Reporter: Svein Olav Bjerkeset <sudo-bug>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.7   
Hardware: Sun   
OS: Solaris 2.x   
Attachments: Workaround for solaris noexec problem

Description Svein Olav Bjerkeset 2013-12-02 08:34:47 MST 
As far as I have been able to verify, this problem exists from version 1.8.1p2 onwards. Versions 1.8.0 and 1.7.10p6 does not seem to have this problem.

Here is the sudoRole object:
sudoCommand: /usr/bin/ls
sudoOption: !authenticate
sudoOption: !lecture
sudoOption: noexec
sudoUser: <myusername>
objectClass: sudoRole
objectClass: top
sudoHost: ALL

To reproduce the problem:
# mkdir /tmp/a /tmp/b
# chmod 700 /tmp/a /tmp/b
# chown root:root /tmp/a
# chown bin:bin /tmp/b

On directory /tmp/a, which is owned by root, there is no problem:
$ sudo /usr/bin/ls -l /tmp/a
total 0

But on /tmp/b which is owned by bin, I do not get access, even when I sudo to user root:
# sudo /usr/bin/ls -l /tmp/b
/tmp/b: Permission denied
total 16

If I remove the NOEXEC option, however, I can also access /tmp/b:
$ sudo /usr/bin/ls -l /tmp/b
total 0

I need the NOEXEC option, so removing it is only good for testing.
Comment 1 Todd C. Miller 2013-12-02 09:23:45 MST 
It looks like the PRIV_PROC_EXEC permission is disabling more than just execution of subcommands and is affecting DAC file permissions too.

As a workaround you should be able to edit config.h and comment out the line:

#define HAVE_PRIV_SET 1

and rebuild sudo.
Comment 2 Todd C. Miller 2013-12-02 10:36:54 MST 
Created attachment 389 [details]
Workaround for solaris noexec problem

I'm not sure why this would be required but the attached patch seems to work around the issue.
Comment 3 Svein Olav Bjerkeset 2013-12-03 01:19:21 MST 
I have tried the supplied patch, and can comfirm that it worked.
Comment 4 Todd C. Miller 2014-01-08 14:32:51 MST 
Sudo 1.8.9 is now out and contains the workaround.