Bugzilla – Full Text Bug Listing
| Summary: | symlink breaks $0 | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | Axel Schmalowsky <schmalowsky> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | schmalowsky |
| Priority: | low | ||
| Version: | 1.8.16 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
Description
Axel Schmalowsky
2017-01-13 01:36:39 MST
Can you provide some more information like the Linux distro and kernel version? The only time sudo should be running a command by fd is when a SHA digest is specified for the command. However, in that case I see $0 as /proc/self/fd/11 not just the bare fd number. I get the path as expected when no SHA digest is specified in sudoers. I did my testing on Ubuntu 16.04.1 LTS with Linux 4.4.0.

I'm going to assume you are not using SHA digests in sudoers since you would see an fd-based path regardless of whether the command was a symlink. Linux's handling of symlink execution is a bit different from most Unix systems because it replaces argv[0] as passed to execve() with the actual pathname that is passed to the interpreter. However, I'm not aware of changes between sudo 1.8.15 and 1.8.16 that would affect this. Did you do your testing of 1.8.15 and 1.8.16 on the same system with the same kernel?

I'm using SHA digest in sudoers. In my script, I'm using {{basename $0}}; that's why I'm only seeing an FD number.
Here's a sample output from a sample script:
<script>
#! /bin/zsh
echo "\$0: $0"
echo "\$@: $@"
</script>
* 1.8.15
-bash-4.1$ sudo /tmp/sudo.symlink args
$0: /tmp/sudo.symlink
$@: args
* 1.8.16
-bash-4.1$ sudo /tmp/sudo.symlink args
$0: /proc/self/fd/7
$@: args
The system is a CentOS 6.8, kernel 2.6.32-642.3.1.el6.centos.plus.x86_64.
The first test was on a CentOS 6.6, kernel 3.19.3-1.el6.elrepo.x86_64.
The tests on both systems were done with both sudo 1.8.15 and 1.8.16.
While I can add an option to restore the 1.8.15 behavior (not executing by fd), note that this is less secure when the user running sudo has write permissions on the script being executed. There is a race condition between the time the script is checksummed and the time when it actually is executed, which is why exec by fd is used in this case. Alternately, you could use the SUDO_COMMAND environment variable to get the path name that sudo executed.

Ok. Thank you for the explanation and help. I'm going to use SUDO_COMMAND instead of $0.

In sudo 1.8.20 the sudoers manual documents the issues with exec-by-fd and scripts and provides a way to disable it.
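
Added illustration, not part of the bug thread and not sudo's code: a Python sketch of why a digest-checked script is executed by descriptor, covering the case where the path is re-pointed to a different file between the check and the exec. The script bodies, file names and the `run_after_swap` helper are constructed for the example; it assumes Linux with `/proc` mounted and `/bin/sh` present.

```python
import hashlib
import os
import subprocess
import tempfile

TRUSTED = b'#!/bin/sh\necho "trusted \\$0=$0"\n'    # constructed sample script
REPLACED = b'#!/bin/sh\necho "replaced \\$0=$0"\n'  # constructed stand-in for a later edit


def write_script(path, body):
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, 0o755)


def digest_of_fd(fd):
    """SHA-256 of the file behind fd, read via the descriptor, not the path."""
    h = hashlib.sha256()
    offset = 0
    while chunk := os.pread(fd, 65536, offset):
        h.update(chunk)
        offset += len(chunk)
    return h.hexdigest()


def run_after_swap(by_fd):
    """Verify a script, replace the file at its path, run it; return (digest_ok, stdout)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "job.sh")
        write_script(path, TRUSTED)
        fd = os.open(path, os.O_RDONLY)
        try:
            ok = digest_of_fd(fd) == hashlib.sha256(TRUSTED).hexdigest()
            # The window between check and exec: the path now names a new file.
            write_script(path + ".new", REPLACED)
            os.replace(path + ".new", path)
            # Exec by fd stays bound to the verified inode; exec by path does not.
            target = f"/proc/self/fd/{fd}" if by_fd else path
            out = subprocess.run([target], pass_fds=(fd,), capture_output=True,
                                 text=True, check=True).stdout.strip()
        finally:
            os.close(fd)
    return ok, out


if __name__ == "__main__":
    print(run_after_swap(by_fd=False))  # path-based exec runs the replaced file
    print(run_after_swap(by_fd=True))   # fd-based exec runs the verified file
```

The fd-based run also reproduces the `$0` value reported above, which is why the script has to take its name from `SUDO_COMMAND` instead.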