Serious issue with sudo (A.16.00-1.7.4p4.001)

KathyL1

The permissions on the directory /var/adm are changed from 755 to 700 each time a command is issued using sudo.

I have used sudo for many years and installed the latest version a few months ago and, even though this problem was introduced with this version, it has not caused any problems until recently.  However, a few weeks ago we needed to reinstall Oracle RAC on two servers in a Serviceguard cluster and this problem caused the installation to fail (i.e., there were no cluster members listed in the OUI) even though cluvfy always succeeded (it only issued a few ignorable warnings).  The DBA and I spent two frustrating weeks trying to get Oracle installed and for most of that time we believed the problem was Oracle-related.

It was not easy to identify the cause of the problem because lsnodes (the command used by the OUI to determine the cluster members) worked for root but not for oracle.  Fortunately tusc provided the information I needed: lsnodes (when run by oracle) could not access /var/adm/cmcluster/.cmgmsd_local_socket.

I reset the permissions on /var/adm but a short time later discovered they had been changed to 700 again.  I knew it wasn't being changed by a cron job and it took me quite a while to work out why the permissions kept changing - I never would have suspected sudo!
Having discovered it was the culprit I looked on the sudo website (http://www.gratisoft.us/sudo/) for the changes that were introduced in 1.7.4:
Major changes between version 1.7.3 and 1.7.4
Time stamp files have moved from /var/run/sudo to either /var/db/sudo, /var/lib/sudo or /var/adm/sudo. The directories are checked for existence in that order. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.

Based on the information above I created the directories /var/db and /var/lib to see if I could get sudo to create its time stamp file in one of these directories and, therefore, leave /var/adm alone, but this didn't work (seems the HP-UX version isn't implemented this way).

I have reported this problem to the IEX Team and received the following reply:
We are looking into this issue and will get back to you shortly.
Meanwhile, we just want to make sure that, as mentioned in the link
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXIEXP1131
you are aware that,
----------------------------------------------------------------------------------------------------------------

HP-UX Internet Express Support

HP does not provide support for components listed in Table 1 that are delivered through HP-UX Internet Express either through Web download or through the HP-UX 11i media kits. However, you can notify the HP Internet Express team if you find defects. HP will report defects to the related open source communities and incorporate the appropriate fixes in each new release.
I have confirmed that this problem does not affect the previous version of sudo (A.15.00-1.7.2p6.001).
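An added check, not from the thread or from the sudo project, that does what eventually had to be done by hand here: a portable sh script that reports drift of /var/adm away from 755 and shows which time stamp directory the 1.7.4 search order from the changelog above would select. It runs against a constructed temporary tree rather than the real /var; mktemp -d is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the thread: detect the /var/adm permission drift
# described above and show which time stamp directory the 1.7.4 search
# order (/var/db/sudo, /var/lib/sudo, /var/adm/sudo, first existing wins)
# would pick. The demo works on a constructed temporary tree, never on /.

# Symbolic mode of a path, e.g. drwxr-xr-x (ls -ld is portable, HP-UX included)
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# 0 if $1 has the expected mode string $2, else report drift and return 1
check_mode() {
    actual=$(dir_mode "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "DRIFT: $1 is $actual, expected $2" >&2
    return 1
}

# Emulate the changelog rule under root $1 (so the demo can use a temp tree)
timestamp_dir() {
    for d in "$1/var/db/sudo" "$1/var/lib/sudo" "$1/var/adm/sudo"; do
        if [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Constructed tree mirroring the thread: only /var/adm exists, and its mode
# has already been flipped from 755 to 700 (what a sudo call did here).
demo_tree() {
    root=$(mktemp -d)          # mktemp -d assumed available
    mkdir -p "$root/var/adm/sudo"
    chmod 755 "$root/var/adm"
    chmod 700 "$root/var/adm"
    echo "$root"
}

# Stand-alone run: prints the selected time stamp dir and a DRIFT line
t=$(demo_tree)
timestamp_dir "$t"
check_mode "$t/var/adm" drwxr-xr-x || echo "fix with: chmod 755 $t/var/adm"
rm -rf "$t"
```

On a live host, replace the temporary root with "" and run check_mode /var/adm drwxr-xr-x from cron to catch the drift right after the next sudo call.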

Steven E. Protter

Re: Serious issue with sudo (A.16.00-1.7.4p4.001)

Shalom,
sudo is touchy. There are issues with it from time to time.
If this is a serious enough issue, you may wish to roll sudo back to a previous version.
We standardized on this:

sudo                  1.6.8p12       Sudo (superuser do) IA version 1.6.8p12
Because of the nature of the environment, we evaluated subsequent releases but found flaws and never upgraded. There has not been a serious enough issue with sudo to force an upgrade due to audit purposes.

Your current version is broken, IMO, and I recommend a roll back.

SEP


KathyL1

Re: Serious issue with sudo (A.16.00-1.7.4p4.001)

I recommend a roll back.

When I discovered the problem I rolled back to sudo A.15.00-1.7.2p6.001.

I posted this information to alert others to the problem.