Dear Team,
We are currently performing a security hardening exercise on our *RHEL 8.10
base environment*, where we have enabled *command digest validation* in the
sudoers configuration as per security and compliance requirements.
After enabling the *digest option*, we observed an unexpected behavior
across multiple *third-party ksh/bash scripts* that rely on $0 for
determining the script name or script path.
*Problem Description*
- Several scripts reference $0 to derive:
  - Script name
  - Script directory
  - Relative paths for configuration/log files
- Once sudo digest is enabled, these scripts start misbehaving on lines
that use $0.
*Observed Behavior*
Instead of resolving to the actual script path or script name, $0 resolves
to a file descriptor value, for example:
/dev/fd/6
This leads to incorrect path resolution and causes failures in:
- Relative file lookups
- Logging
- Script chaining or sourcing logic
*Expected Behavior*
Before enabling sudo digest (or when digest is disabled), $0 correctly
resolves to:
/full/path/to/script.sh
or an equivalent script identifier.
*Environment Details*
- OS: RHEL 8.10
- Shells affected: bash, ksh
- sudo: Digest enabled in sudoers
- Execution context: Scripts executed via sudo
*Found Files*
- /usr/lib/zookeeper/bin/zkCleanup.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkCli.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkServer-initialize.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkServer-initialize.sh: printf "usage: $0 <parameters>
- /usr/lib/zookeeper/bin/zkServer.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkServer.sh: "$0" stop ${@}
- /usr/lib/zookeeper/bin/zkServer.sh: "$0" start ${@}
- /usr/lib/zookeeper/bin/zkServer.sh: echo "Usage: $0 [--config <conf-dir>] {start|start-foreground|stop|version|restart|status|print-cmd}" >&2
- /usr/lib/zookeeper/bin/zkSnapShotToolkit.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkSnapshotComparer.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkSnapshotRecursiveSummaryToolkit.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /usr/lib/zookeeper/bin/zkTxnLogToolkit.sh:ZOOBIN="${BASH_SOURCE-$0}"
- /etc/zookeeper/zookeeper: echo $"Usage: $0 start|stop|restart|reload|condrestart|status}"
*Request*
We understand that this behavior is related to how sudo executes scripts
when digest validation is enabled (execution via file descriptors).
However, since multiple third-party scripts depend on $0, modifying all
scripts is not feasible on our side.
We would appreciate your guidance on:
- Whether your scripts officially support execution with *sudo digest
enabled*
- Any recommended configuration, wrapper, or compatibility approach
- Planned fixes or best practices to avoid dependency on $0 in such
scenarios
This information will help us align our security posture while maintaining
compatibility with your tooling.
Thank you for your support.
We look forward to your guidance.
Best regards,
*Satyendra Paterya*
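Added example, not part of the mail above and not ZooKeeper project code: a small compatibility shim for the situation the mail describes. When sudo verifies a command digest it executes the file it has already opened through a descriptor, so the interpreter is started with a path like /dev/fd/6, and both $0 and the top-level BASH_SOURCE carry that value, which is why the ${BASH_SOURCE-$0} idiom in the listed files does not help. On Linux the calling shell still holds that descriptor open, so /proc/$$/fd/N points at the real file and can be resolved back to an on-disk path for use in ZOOBIN, log locations and usage messages. The function names (is_fd_path, resolve_script_path) and the fallback behaviour are my own; the code assumes a Linux /proc filesystem and GNU readlink.

```shell
#!/bin/sh
# Added example (not from the original mail or the ZooKeeper project):
# resolve the real script path when $0 is a descriptor path such as /dev/fd/6.
# Assumes a Linux /proc filesystem and GNU readlink; function names are hypothetical.

# Return 0 if the argument is a descriptor-style path (/dev/fd/N or /proc/self/fd/N).
is_fd_path() {
    case "$1" in
        /dev/fd/[0-9]*|/proc/self/fd/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the canonical on-disk path of the script referred to by "$1".
# For /dev/fd/N the descriptor is still open in this shell, so /proc/$$/fd/N
# is a symlink to the real file. $$ stays the shell's own PID even inside
# $(...), so readlink does not have to inherit the descriptor itself.
# If resolution fails, print the input unchanged and return 1 so callers can
# decide whether to abort or continue with the descriptor path.
resolve_script_path() {
    candidate="$1"
    if is_fd_path "$candidate"; then
        fd="${candidate##*/}"
        resolved=$(readlink -f "/proc/$$/fd/$fd" 2>/dev/null) || resolved=""
        # -f also rejects the "(deleted)" form readlink reports for unlinked files
        # and the unresolved path readlink prints for a descriptor that is not open.
        if [ -n "$resolved" ] && [ -f "$resolved" ]; then
            printf '%s\n' "$resolved"
            return 0
        fi
        printf '%s\n' "$candidate"
        return 1
    fi
    # Ordinary path: canonicalise so relative invocations (./zkServer.sh) also work.
    readlink -f "$candidate" 2>/dev/null || printf '%s\n' "$candidate"
}

# How a wrapper or patched script would use it in place of ZOOBIN="${BASH_SOURCE-$0}":
SCRIPT_PATH=$(resolve_script_path "${BASH_SOURCE:-$0}")
SCRIPT_DIR=$(dirname "$SCRIPT_PATH")
```

The lookup is keyed on the shell's own PID rather than on /proc/self so that it works from inside command substitutions and from helper processes that do not inherit the descriptor; the content that actually ran is still the copy sudo verified, the function only recovers where that copy lives.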