Bug 558 – Rule with wildcard in path takes forever due to stat

Bug 558 - Rule with wildcard in path takes forever due to stat


Summary:	Rule with wildcard in path takes forever due to stat

Status:	RESOLVED INVALID

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.7.2
Hardware:	Sun Solaris 2.x

Importance:	low high
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2012-06-06 22:54 MDT by jl_ewing
Modified:	2012-06-07 13:29 MDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description jl_ewing 2012-06-06 22:54:16 MDT

If I have rules, for example

jlewing ALL = NOPASSWD: /*/jlewing/cdpinfo.pl
jlewing ALL = NOPASSWD: /*/*/jlewing/cdpinfo.pl

due to a variation of home directories across a large number of systems (and I use the same rules across all for ease of administration) and I enter

sudo /home/jlewing/cdpinfo.pl

the command takes an immense amount of time to complete.  I have noticed that a stat is being done on all file systems and if one of those should hang then I am dead in the water.  The fact that I have specified the full path to the command, to me, should programitically match with the first entry without doing a stat on every file system other than the one specified.

Comment 1 Todd C. Miller 2012-06-07 13:29:53 MDT

If you are going to use patterns like that in sudoers you probably want to enable the fast_glob option which causes sudo to use the fnmatch() function instead of glob().

Sudo matches commands by inode, which is why you are seeing all those stats.  This is the only way to safely handle '!' rules and to consistently support things like "sudo ./command".