Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi,

On Tue, Nov 18, 2008 at 06:32:17PM +0100, Kai Weber wrote:
> I tried to run sudo in gdb and step through the code, but I failed.
> Maybe you have a tip?

I stepped a bit through the code today and what I can get is that the message (not found) comes from sudo. The problem seems to be that in sudo.c around the lines 621 - 625 when calling find_path the path is still set to the invoker's path and not to the secure path that is inserted into the environment with which the program would be run.

I'm not yet so far to see:
a) why this happens
b) under which conditions

However I just remembered a workaround for you, as long as we don't know the exact reason. You could configure an alias in /etc/profile:

    alias sudo='PATH=$PATH:/sbin:/usr/sbin sudo'

I know that this is kind of ugly, but it works around the problem for now:

    [EMAIL PROTECTED]:~$ alias sudo='PATH=$PATH:/sbin:/usr/sbin sudo'
    [EMAIL PROTECTED]:~$ sudo invoke-rc.d
    invoke-rc.d: syntax error: missing required parameter, --help assumed

From what I currently can tell this indeed seems to be a bug. However I'm uncertain how this is triggered, given that it seems to work in certain situations. I'm also not sure if this deserves more work than what we've already tried, because there is an easy workaround and it is fixed in lenny anyway.

Regards,
Patrick

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi Kai,

On Tue, Nov 18, 2008 at 06:32:17PM +0100, Kai Weber wrote:
> It's exactly the same configuration.

I again ask you: Really? Is it really that the group you configured in sudoers is in fact the group sudo? Or could it be that you use another group instead of sudo?

I'm asking because I just figured that the problem seems to be related to the sudo group. If the user is not a member of the sudo group (which seems to have some special not documented meaning...) but let's say the adm group and the entry in sudoers is

    %adm ALL=(ALL) ALL

everything is okay.

This is reproducible for me, so I guess you in fact have different group memberships on the system where it works?

Best Regards,
Patrick
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi,

hopefully this will be my last email for today :-)

On Wed, Nov 19, 2008 at 01:39:00PM +0100, Patrick Schoenfeld wrote:
> I'm asking because I just figured that the problem seems to be related
> to the sudo group. If the user is not a member of the sudo group (which
> seems to have some special not documented meaning...) but let's say the
> adm group and the entry in sudoers is
>
>     %adm ALL=(ALL) ALL

Well, that seems to be fact. I just found out that sudo is compiled with the --with-exempt-group option set to sudo. This enables members of the group sudo to use sudo without entering a password. Not that I see a sense in this, because NOPASSWD exists, but it has a not so nice side-effect: The secure_path is not set on users in this group. This seems to be wanted behaviour, given that the CHANGES file states:

    393) Users in the 'exempt' group shouldn't get their $PATH overridden
         by 'secure-path'. Patch from [EMAIL PROTECTED]

What I still do not understand is that this wasn't changed (at least according to the CHANGES file) since then, but the side-effect does not exist in the Lenny version. However, I did not diff the old and the new code to verify that this code path hasn't changed since then, so it is possible that upstream decided to change this without documenting it.

So to fix the problem for you:

- Move users which are in the group sudo to the group adm (or another group of your choice)
- Change your sudoers configuration to use %adm instead of %sudo
- If you don't want that users need to enter their password add the NOPASSWD flag to the configuration

Or wait until Lenny is released ;-)

Best Regards,
Patrick
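Added example, not part of the thread and not sudo's source code: a small shell model of the lookup behaviour diagnosed above, where members of the exempt group keep the invoker's PATH while everyone else is searched against the secure path. The sandbox directories, the group lists and the function names are constructed for illustration.

```shell
#!/bin/sh
# Model of the behaviour described in the thread (assumption: simplified,
# not taken from sudo.c). EXEMPT_GROUP mirrors --with-exempt-group=sudo.
EXEMPT_GROUP=sudo

# in_group GROUP "g1 g2 ...": succeed if GROUP is in the space-separated list.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# effective_path "groups" INVOKER_PATH SECURE_PATH
# Exempt-group members keep their own PATH; all others get the secure path.
effective_path() {
    if in_group "$EXEMPT_GROUP" "$1"; then
        printf '%s\n' "$2"
    else
        printf '%s\n' "$3"
    fi
}

# resolve CMD PATHLIST: print the first executable match or fail like sudo.
resolve() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        if [ -x "$dir/$1" ] && [ ! -d "$dir/$1" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    IFS=$old_ifs
    echo "sudo: $1: command not found" >&2
    return 1
}

# Constructed sandbox: fake bin/ and sbin/ with a stub command in sbin only.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/bin" "$ROOT/sbin"
printf '#!/bin/sh\n' > "$ROOT/sbin/invoke-rc.d"
chmod +x "$ROOT/sbin/invoke-rc.d"
USER_PATH="$ROOT/bin"               # ordinary user PATH without sbin
SECURE_PATH="$ROOT/sbin:$ROOT/bin"  # stand-in for the compiled-in secure path

# sudo_lookup "groups" CMD [INVOKER_PATH]: what the modelled sudo would run.
sudo_lookup() {
    resolve "$2" "$(effective_path "$1" "${3:-$USER_PATH}" "$SECURE_PATH")"
}
```

Calling `sudo_lookup "kai sudo" invoke-rc.d` fails with "command not found", while `sudo_lookup "kai adm" invoke-rc.d` resolves to the stub in sbin; passing a PATH that includes sbin as the third argument models the alias workaround from earlier in the thread.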
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
... this indeed fixes the bug.
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
> This is reproducible for me, so I guess you in fact have different
> group memberships on the system where it works?

I never thought that %adm ALL=(ALL) ALL and %sudo ALL=(ALL) ALL are THAT much different. But you are right. This is the cause of the bug.

Regards,
Kai
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
On Wed, Nov 19, 2008 at 04:12:27PM +0100, Kai Weber wrote:
> ... this indeed fixes the bug.

Great. :-)

I guess it's _still_ a bug in Etch. But I think it does need no solving, because it's easily fixable by a simple reconfiguration. Luckily we have this bug report open for documentation, if other people should hit into this trouble.

Best Regards,
Patrick
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi Kai,

On Fri, Nov 14, 2008 at 05:06:01PM +0100, Kai Weber wrote:
> > So I guess your problem is different and I wonder whether you have
> > special options in your sudoers file. Can you attach it? I think
> > that the defaults would be especially interesting.
>
> My settings are Debian standard settings:
>
>     Defaults env_reset
>     root ALL=(ALL) ALL
>     %sudo ALL=(ALL) ALL

Indeed. After reading your mail I tried to reproduce the bug and was able to do so, but unfortunately I still don't know why this happens.

> The strange part is: this is not my first Debian machine. All other
> (Etch) machines work well with exactly these settings and exactly the
> same version of sudo.

Can you please confirm this? On a system where it works, do you really have the exact same configuration wrt sudo?

I'm out of options, too, so let's try more absurd things.. what shell does the user have, who's trying to run invoke-rc.d? What shell does root have?

Regards,
Patrick
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
> Can you please confirm this? On a system where it works, do you really
> have the exact same configuration wrt sudo?

It's exactly the same configuration.

> I'm out of options, too, so let's try more absurd things.. what shell
> does the user have, who's trying to run invoke-rc.d? What shell does
> root have?

We all have /bin/bash.

I tried to run sudo in gdb and step through the code, but I failed. Maybe you have a tip?

Kai
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Tags 504580 +unreproducible
thanks

Hi,

I tried to reproduce your bug [1] with the current version of sudo and the version you used back when you reported the bug. Unfortunately I was unable to do so. Could you report whether you still face this problem? Because if you don't face this problem anymore the bug could be closed.

Best Regards,
Patrick

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504580
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Since opening the bug, no new version of sudo for stable/etch was released. So I am still seeing this problem with sudo version 1.6.8p12-4.

Maybe you have an idea what I could try to debug the problem.

Regards,
Kai
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi,

On Fri, Nov 14, 2008 at 12:20:04PM +0100, Kai Weber wrote:
> Since opening the bug, no new version of sudo for stable/etch was
> released. So I am still seeing this problem with sudo version
> 1.6.8p12-4.

I didn't mean that it would be fixed by a new version in Etch (which is quite unlikely given that we do not provide new versions in stable releases, but security fixes only) but it could be fixed in the next release of Debian.

So you could test it with a new version from testing, for example. Unfortunately you'd need to rebuild this to be able to install it in Etch. If you are not able to do so, feel free to drop me a line and I'll prepare a package to be installed/unpacked in Etch so you can test it.

Regards,
Patrick
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
> I didn't mean that it would be fixed by a new version in Etch (which is
> quite unlikely given that we do not provide new versions in stable
> releases, but security fixes only) but it could be fixed in the next
> release of Debian.

The current focus is on releasing Lenny, I understand. But in my opinion the bug I reported is a major one and we should try to fix it for Etch, too. Upgrade to Lenny is not an option because Etch is the stable and supported version.

> So you could test it with a new version from testing, for example.
> Unfortunately you'd need to rebuild this to be able to install it in
> Etch.

I built the version from testing (1.6.9p17-1). That version works.

Regards,
Kai
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Hi,

On Fri, Nov 14, 2008 at 04:00:46PM +0100, Kai Weber wrote:
> > I didn't mean that it would be fixed by a new version in Etch (which
> > is quite unlikely given that we do not provide new versions in stable
> > releases, but security fixes only) but it could be fixed in the next
> > release of Debian.
>
> The current focus is on releasing Lenny, I understand. But in my
> opinion the bug I reported is a major one and we should try to fix it
> for Etch, too. Upgrade to Lenny is not an option because Etch is the
> stable and supported version.

BTW. I didn't want to say that you shall upgrade to Lenny.

Well, I disagree that this is major issue. While I agree that it is *very* annoying it is neither a security issue, nor does it render sudo unusable. As a consequence it won't qualify for a stable update. But it's not helpful for you, if I tell you that, so let's see if we can solve this issue.

I just remembered that I had a similar problem with a non-Debian system a while ago. Back then I found out that Fedora does not use the --with-secure-path compile time option which caused the issue for Fedora, while Debian didn't have the issue. Now according to the Debian changelog the option was added in version 1.6.3p6-1 of the package and never removed. I can confirm this by reading the debian/rules file in the source package.

So I guess your problem is different and I wonder whether you have special options in your sudoers file. Can you attach it? I think that the defaults would be especially interesting.

Best Regards,
Patrick
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
> So I guess your problem is different and I wonder whether you have
> special options in your sudoers file. Can you attach it? I think that
> the defaults would be especially interesting.

My settings are Debian standard settings:

    Defaults env_reset
    root ALL=(ALL) ALL
    %sudo ALL=(ALL) ALL

The strange part is: this is not my first Debian machine. All other (Etch) machines work well with exactly these settings and exactly the same version of sudo. I am out of options because I cannot see a difference in my setups, so I filed the bug report.

Thanks for your help,
Kai
Bug#504580: sudo: Commands in PATH /usr/sbin, /sbin not found
Package: sudo
Version: 1.6.8p12-4
Severity: normal

I can not invoke commands in /usr/sbin, /sbin anymore. I have not found any difference in my setup to other machines I have. I disabled all .bashrc/.profile/... files to check if some configuration in there is doing harm.

I tried to strace with this command:

    sudo strace -o out.trace sudo invoke-rc.d

but with this command I cannot reproduce the behavior. See below.

    [EMAIL PROTECTED]:~$ sudo invoke-rc.d
    sudo: invoke-rc.d: command not found

The funny thing is:

    [EMAIL PROTECTED]:~$ sudo which invoke-rc.d
    /usr/sbin/invoke-rc.d
    [EMAIL PROTECTED]:~$ sudo sudo invoke-rc.d
    invoke-rc.d: syntax error: missing required parameter, --help assumed
    invoke-rc.d, Debian/SysVinit (/etc/rc?.d) initscript subsystem.
    Copyright (c) 2000,2001 Henrique de Moraes Holschuh [EMAIL PROTECTED]
    ...

This is the environment

    [EMAIL PROTECTED]:~$ sudo env
    TERM=linux
    PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
    LANG=en_US.UTF-8
    HOME=/home/kai
    SHELL=/bin/bash
    LOGNAME=root
    USER=root
    SUDO_COMMAND=/usr/bin/env
    SUDO_USER=kai
    SUDO_UID=1002
    SUDO_GID=1002

    [EMAIL PROTECTED]:~$ sudo -l
    User kai may run the following commands on this host:
        (ALL) ALL

I can provide more information if needed.

Regards,
Kai Weber

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages sudo depends on:
ii  libc6           2.3.6.ds1-13etch7  GNU C Library: Shared libraries
ii  libpam-modules  0.79-5             Pluggable Authentication Modules f
ii  libpam0g        0.79-5             Pluggable Authentication Modules l

sudo recommends no packages.

-- no debconf information