Date:      Sun,  9 Sep 2001 05:27:26 +0200 (CEST)
From:      Dimitry Andric <dim@xs4all.nl>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        "Todd C.Miller" <todd.miller@courtesan.com>
Subject:   ports/30450: sudo port installs default sudoers file with incorrect mode 0444
Message-ID:  <20010909032726.8D9743C253@tensor.xs4all.nl>

>Number:         30450
>Category:       ports
>Synopsis:       sudo port installs default sudoers file with incorrect mode 0444
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Sep 08 20:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dimitry Andric
>Release:        FreeBSD 4.4-RC i386
>Organization:
None
>Environment:
System: FreeBSD tensor.xs4all.nl 4.4-RC FreeBSD 4.4-RC #0: Sat Sep 8 21:05:41 CEST 2001 root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR i386
>Description:
If there isn't any /usr/local/etc/sudoers file yet, the sudo port
will use the following line from pkg-install to install a default
file:

  cp -p ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers

thus copying the mode of the sudoers.sample file to sudoers. However,
the sudoers.sample file is installed with mode 0444 by default, which
is not the correct mode for the sudoers file itself.

This causes sudo to complain on its first run with:

  sudo: /usr/local/etc/sudoers is mode 0444, should be 0440

There are 2 ways to fix the incorrect mode: either install the
sudoers.sample file with mode 0440 and keep the 'cp -p', or replace
the 'cp -p' with, for instance, 'install -m 0440'.

IMO there's nothing wrong with a world-readable sample file, you can
download it anyway. :) So I chose the second solution; a patch
follows.
>How-To-Repeat:
Uninstall sudo port.
Move any existing sudoers file out of the way.
Install sudo port.
Run sudo (with or without arguments).
Sudo will now complain about a bad mode 0444 for the sudoers file.
>Fix:
I used the ${INSTALL_DATA} command from /usr/ports/Mk/bsd.port.mk,
but replaced the -m ${SHAREMODE} argument with a hardcoded mode.
I'm unsure if this is the proper way, please correct me if it isn't.

--- security/sudo/pkg-install.orig	Fri Jul 19 23:00:42 1996
+++ security/sudo/pkg-install	Sun Sep  9 05:01:47 2001
@@ -5,5 +5,5 @@
 if [ -e ${PKG_PREFIX}/etc/sudoers ]; then
   echo "Will not overwrite existing ${PKG_PREFIX}/etc/sudoers file."
 else
-  cp -p ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers
+  ${INSTALL} ${COPY} -o ${SHAREOWN} -g ${SHAREGRP} -m 0440 ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers
 fi
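Review bot: the added line depends on ${INSTALL}, ${COPY}, ${SHAREOWN} and ${SHAREGRP}, none of which is set anywhere in this script; the Fix text says they come from /usr/ports/Mk/bsd.port.mk, so they are make variables, while pkg-install is a shell script whose only other variable is ${PKG_PREFIX}. If they are not exported into the script's environment, they expand to nothing and the shell is left trying to run a command that starts with "-o", so no sudoers file is installed at all. Spelling the command out, as the description already proposes with 'install -m 0440', and writing the owner and group as literals would remove that dependency. The paths are also unquoted, so a ${PKG_PREFIX} containing whitespace would split the arguments; quoting both operands avoids that.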
>Release-Note:
>Audit-Trail:
>Unformatted:
