
sudo umask 077

 
Mario Brand
Occasional Contributor

sudo umask 077

We have an 11.23 IA64 system and installed sudo. Sudo has the option to supply the umask sudo should use in the sudoers file. We specified umask=022. But it is ignored.
The command sudo umask always returns 077. We tried everything: newer versions of sudo (both from the HP IE CD and from the Porting Archive) and even recompiling sudo with the flag --with-umask=0022. Nothing helps. I even hacked the code at various places to get the right umask. We keep getting umask 077.
So what is going on? Any help is appreciated.

Thanks,
Mario Brand
8 REPLIES 8
Marco A.
Esteemed Contributor

Re: sudo umask 077

Hello,


What are you trying to run with su? What you are seeing with the umask command is your environment mask that is set in the .profile file. If you want those changes to be reflected, you need to change them in the profile file of the user/s that you want to su.

Try it and let us know!

Regards,


Marco
Just unplug and plug in again ....
ABrown_1
New Member

Re: sudo umask 077

I have had a problem with the current 1.6.9p16 on HPUX 11.23. The same version on 11.11 works when you have Defaults: !umask set. On 11.23 it will not work with the same sudoers and the same version. Someone needs to report a bug to the maker. Unless someone here has a fix??
On 11.11 in sudoers : Defaults !umask
umask 022
sudo umask
(returns 022)

On 11.23 it always returns 077 as the umask with the same version.
Philippe Delmee
Advisor

Re: sudo umask 077

I have the same problem on HPUX 11.31 with version 1.6.9p16.
We keep getting umask 077 (sudo -u toto umask always returns 077) and this is a critical issue!

Thanks
JC
Val Naipaul
Occasional Contributor

Re: sudo umask 077

We have the same problem, with 1.6.9p16 on PA 11.23, IA 11.23 and IA 11.31. This is the Internet Express suite build.

I've reopened bug 291 about this (which was originally opened for !umask not seeming to work, but I too am having no luck getting any sudoers umask setting to take effect): http://www.gratisoft.us/bugzilla/show_bug.cgi?id=291

Val
Speedware
Frequent Advisor

Re: sudo umask 077

By the way, I have the problem as stated above. Here is the solution from the sudo bug web site.

"This is due to PAM resetting the umask, not sudo (specifically the
pam_hpsec module). See the security(4) man page for more info. If you
are not able to configure PAM to preserve the umask, you can try
running configure with the --disable-pam-session flag which will
prevent sudo from running the PAM session code."

I want to know how you modify PAM to preserve the umask?
Medavie
Valued Contributor

Re: sudo umask 077

The secret is in the pam.conf
pam_hpsec is overriding the umask. To make it work you need to modify the pam.conf file under the session section.
run command
sudo umask
0777

Modify line
#OTHER session required libpam_hpsec.so.1
to
OTHER session required libpam_hpsec.so.1 bypass_umask

then run command
sudo umask
02

Now for the fun part... what exactly does this change mean? I do not know. I'd suggest running in test for a while until you're comfortable before implementing in prod.

Thanks

Ralph


Medavie
Valued Contributor

Re: sudo umask 077

Actually, after further testing, it's best if you add to the sessions section of your pam.conf file
sudo session required libpam_hpsec.so.1 bypass_umask

That makes it specific for sudo and does not / nor will it screw up anything else that the OTHER field uses.

Hope this helps you

Ralph
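
Added example, not part of the thread and not code from sudo or HP-UX: a shell function that reads a pam.conf-style file and reports whether the session entry that applies to a service carries the bypass_umask option on libpam_hpsec, so the sudo-only change can be checked without loosening OTHER. It assumes the usual pam.conf column order (service, module type, control flag, module path, options) and that OTHER entries apply only when the service has no session entries of its own; the function name, output labels and sample file are constructed for illustration.

```shell
#!/bin/sh
# hpsec_umask_status FILE [SERVICE]   (hypothetical helper, default SERVICE=sudo)
# Prints:
#   bypass:<entry>    libpam_hpsec is listed with bypass_umask for that entry
#   enforced:<entry>  libpam_hpsec is listed without bypass_umask
#   absent            no active libpam_hpsec session line applies
# Note: in the thread the OTHER line was commented out and sudo still got a
# restrictive umask, so "absent" is not evidence that the umask is left alone.
hpsec_umask_status() {
    conf=$1
    svc=${2:-sudo}
    awk -v svc="$svc" '
        BEGIN { want = tolower(svc) }
        /^[ \t]*#/ || NF < 4 { next }        # comments and short lines
        tolower($2) != "session" { next }    # only the session stack matters
        {
            name = tolower($1)
            if (name != want && name != "other") next
            seen[name] = 1
            if ($4 ~ /libpam_hpsec/) {
                hpsec[name] = 1
                for (i = 5; i <= NF; i++)
                    if ($i == "bypass_umask") bypass[name] = 1
            }
        }
        END {
            # Assumption: service-specific session lines replace OTHER.
            pick = (want in seen) ? want : "other"
            if (!(pick in hpsec)) { print "absent"; exit }
            state = (pick in bypass) ? "bypass" : "enforced"
            print state ":" pick
        }
    ' "$conf"
}

# Constructed sample: OTHER left strict, sudo given its own line as in the thread.
sample=$(mktemp)
printf '%s\n' \
    'OTHER session required libpam_hpsec.so.1' \
    'sudo session required libpam_hpsec.so.1 bypass_umask' > "$sample"
hpsec_umask_status "$sample" sudo
hpsec_umask_status "$sample" login
rm -f "$sample"
```

On a real system, point the function at the live pam.conf and confirm the result with sudo umask as the posters did.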
Val Naipaul
Occasional Contributor

Re: sudo umask 077

Adding "sudo session required libpam_hpsec.so.1 bypass_umask" to pam.conf worked - now I'm seeing the umask settings in sudoers taking effect.

Thanks very much Ralph!

Val