The exempt_group option in sudo does not work on Red Hat Enterprise Linux

Solution Verified

Environment

Red Hat Enterprise Linux (RHEL) 5
Red Hat Enterprise Linux (RHEL) 6
sudo-1.7.4p5-11.el6.x86_64
sudo-1.7.2p1-5.el5

Issue

The exempt_group option is not working correctly for sudo-1.7.4p5-13.el6_3.

For the following configuration in /etc/sudoers:

User_Alias  EXEMPTUSER = exempt
Defaults    exempt_group = EXEMPTUSER
Defaults    env_reset
Defaults    env_keep += "PATH"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/test.sh

sudo is expected to keep the PATH environment variable for user exempt, who is meant to be a member of exempt_group.

Currently the PATH variable is not preserved; it is replaced with the secure_path defined in sudoers.

Resolution

Choose or create the system group to which the exempt_group Default should apply, and ensure that user exempt is a member of that group:

# id -Gn exempt
exempt

Remove the line

User_Alias  EXEMPTUSER = exempt

and change the line

Defaults    exempt_group = EXEMPTUSER

to

Defaults    exempt_group = exempt

in sudoers. Note that, as the sudoers(5) excerpt under Diagnostic Steps states, members of exempt_group are exempt from the password requirement as well as from secure_path, so only users who are meant to have both of those relaxations belong in that group. Run visudo -c afterwards to confirm the file still parses.

Root Cause

The exempt_group Defaults option expects the name of a system group, not a User_Alias defined in /etc/sudoers. sudo does not expand aliases in Defaults values; it looks the value up as a group name, and a name that matches no system group simply exempts nobody, without any warning.
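A quick way to catch this class of mistake before it reaches production is to audit the sudoers file for an exempt_group value that names a User_Alias in the same file instead of a system group. The following shell script is an added example written for this article; it is not part of the Red Hat solution or of sudo. It assumes group names are plain words, and it uses a GROUP_DB environment variable of its own (not a sudo setting) so the group lookup can run offline against a constructed /etc/group-style table; without GROUP_DB it falls back to getent(1).

```shell
#!/bin/sh
# Added example, not part of the Red Hat solution: audit a sudoers file for
# "Defaults exempt_group = NAME" where NAME is a User_Alias in the same file
# rather than a system group. sudo looks the value up as a group name and
# never expands aliases, so such a setting silently exempts nobody.
#
# Group existence is checked with getent(1). For offline use, GROUP_DB may
# point to a constructed /etc/group-style file (an assumption of this
# script, not a sudo feature).

# check_exempt_group FILE
# Prints one of: unset | alias:NAME | missing:NAME | ok:NAME
# Returns 0 when the setting is absent or usable, 1 when it is inert.
check_exempt_group() {
    file=$1
    # Value of the last exempt_group Default; tolerates spaces around '='
    # and a trailing comment. Group names are assumed to be plain words.
    group=$(sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}exempt_group[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file" | tail -n 1)
    if [ -z "$group" ]; then
        echo unset
        return 0
    fi
    # A User_Alias of the same name is exactly the bug from the article.
    if grep -q "^[[:space:]]*User_Alias[[:space:]]\{1,\}$group[[:space:]]*=" "$file"; then
        echo "alias:$group"
        return 1
    fi
    if [ -n "${GROUP_DB:-}" ]; then
        grep -q "^$group:" "$GROUP_DB" && { echo "ok:$group"; return 0; }
    else
        getent group "$group" >/dev/null 2>&1 && { echo "ok:$group"; return 0; }
    fi
    echo "missing:$group"
    return 1
}

# write_samples DIR
# Writes constructed sample files: the broken sudoers from the article,
# the corrected one, a typo'd group name, and a one-line group table.
write_samples() {
    dir=$1
    cat > "$dir/sudoers.broken" <<'EOF'
User_Alias  EXEMPTUSER = exempt
Defaults    exempt_group = EXEMPTUSER
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/test.sh
EOF
    cat > "$dir/sudoers.fixed" <<'EOF'
Defaults    exempt_group = exempt
Defaults    env_reset
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
exempt      ALL = NOPASSWD: /tmp/test.sh
EOF
    printf 'Defaults    exempt_group = exemtp\n' > "$dir/sudoers.typo"
    printf 'exempt:x:1001:\n' > "$dir/group"
}

# Usage: sh audit_exempt_group.sh --demo      (constructed samples)
#        sh audit_exempt_group.sh FILE        (a real sudoers file)
case "${1:-}" in
    --demo)
        d=$(mktemp -d); write_samples "$d"
        export GROUP_DB="$d/group"
        for f in "$d"/sudoers.*; do
            printf '%s: ' "$(basename "$f")"
            check_exempt_group "$f" || true
        done
        rm -rf "$d" ;;
    ?*) check_exempt_group "$1" ;;
esac
```

Run it with --demo to see the constructed cases, or pass the path of /etc/sudoers (the file is mode 0440, so read it as root) or of a file under /etc/sudoers.d to check a real configuration; a non-zero exit means the setting exempts nobody. The check only tells you whether the setting is live, not whether the passwordless and unrestricted-PATH behaviour it grants is intended for that group.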

Diagnostic Steps

Steps to reproduce the issue:

  1. Configure /etc/sudoers according to the reported issue.

  2. Create an executable script /tmp/test.sh containing:

    #!/bin/sh
    echo "$PATH"
    
  3. Check PATH when logged in as root:

    # echo $PATH 
    /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
    
  4. Check PATH when logged in as exempt (a member of system group exempt):

    $ echo $PATH 
    /usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/exempt/bin
    
  5. Check the output of sudo /tmp/test.sh when logged in as exempt:

    $ sudo /tmp/test.sh 
    /sbin:/bin:/usr/sbin:/usr/bin:/opt/bin
    

Expected echoed path (due to the exempt_group Defaults option) is:

/usr/lib64/qt-3.3/bin:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin:/home/exempt/bin

The sudoers manual page says the following about exempt_group and User_Alias:

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias.

...

     User_Alias ::= NAME '=' User_List

...

exempt_group
     Users in this group are exempt from password and PATH requirements. This is not set by default.

...

secure_path
     Path used for every command run from sudo.  If you don’t trust the people running sudo to have a sane
     PATH environment variable you may want to use this.  Another use is if you want to have the "root path"
     be separate from the "user path."  Users in the group specified by the exempt_group option are not
     affected by secure_path. This option is not set by default.

Therefore Defaults exempt_group should be set to a system group, not to a User_Alias.

Repeat the reproducer with

Defaults    exempt_group = exempt

in sudoers; step 5 should now echo the user's own PATH rather than the secure_path value.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
