Date: Sun, 9 Sep 2001 05:27:26 +0200 (CEST)
From: Dimitry Andric <dim@xs4all.nl>
To: FreeBSD-gnats-submit@freebsd.org
Cc: "Todd C.Miller" <todd.miller@courtesan.com>
Subject: ports/30450: sudo port installs default sudoers file with incorrect mode 0444
Message-ID: <20010909032726.8D9743C253@tensor.xs4all.nl>
>Number: 30450
>Category: ports
>Synopsis: sudo port installs default sudoers file with incorrect mode 0444
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Sep 08 20:30:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Dimitry Andric
>Release: FreeBSD 4.4-RC i386
>Organization: None
>Environment:
System: FreeBSD tensor.xs4all.nl 4.4-RC FreeBSD 4.4-RC #0: Sat Sep 8 21:05:41 CEST 2001 root@tensor.xs4all.nl:/usr/obj/usr/src/sys/TENSOR i386

>Description:
If there isn't any /usr/local/etc/sudoers file yet, the sudo port will use the following line from pkg-install to install a default file:

    cp -p ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers

thus copying the mode of the sudoers.sample file to sudoers. However, the sudoers.sample file is installed with mode 0444 by default, which is not the correct mode for the sudoers file itself. This causes sudo to complain on its first run with:

    sudo: /usr/local/etc/sudoers is mode 0444, should be 0440

There are 2 ways to fix the incorrect mode: either install the sudoers.sample file with mode 0440 and keep the 'cp -p', or replace the 'cp -p' with, for instance, 'install -m 0440'.

IMO there's nothing wrong with a world-readable sample file, you can download it anyway. :) So I chose the second solution; a patch follows.

>How-To-Repeat:
Uninstall sudo port.
Move any existing sudoers file out of the way.
Install sudo port.
Run sudo (with or without arguments).
Sudo will now complain about a bad mode 0444 for the sudoers file.

>Fix:
I used the ${INSTALL_DATA} command from /usr/ports/Mk/bsd.port.mk, but replaced the -m ${SHAREMODE} argument with a hardcoded mode. I'm unsure if this is the proper way, please correct me if it isn't.

--- security/sudo/pkg-install.orig Fri Jul 19 23:00:42 1996 +++ security/sudo/pkg-install Sun Sep 9 05:01:47 2001 
@@ -5,5 +5,5 @@ if [ -e ${PKG_PREFIX}/etc/sudoers ]; then echo "Will not overwrite existing ${PKG_PREFIX}/etc/sudoers file." else - cp -p ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers + ${INSTALL} ${COPY} -o ${SHAREOWN} -g ${SHAREGRP} -m 0440 ${PKG_PREFIX}/etc/sudoers.sample ${PKG_PREFIX}/etc/sudoers fi >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ports" in the body of the message
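Review bot: the added `+` line depends on ${INSTALL}, ${COPY}, ${SHAREOWN} and ${SHAREGRP}, none of which the hunk shows being set in pkg-install. The report says they were taken from /usr/ports/Mk/bsd.port.mk, so they are make variables, while pkg-install is a shell script (see the `if [ -e ... ]; then` context); if they are not in the script's environment, the line expands to `-o -g -m 0440 ...` and no sudoers file gets installed. Spelling the command out, along the lines of the 'install -m 0440' mentioned in the description with an explicit owner and group, keeps the fix independent of the ports make environment. Quoting the two ${PKG_PREFIX} paths would also guard against a prefix containing whitespace.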