From: Todd C. Miller
Date: Mon, 15 Jul 2019 00:51:50 +0000 (-0600)
Subject: If we are unable to stat() sudoers as non-root, try again as root.
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cecf69ff3c28be49947cf50d50f708b24abfb0d2;p=sudo
If we are unable to stat() sudoers as non-root, try again as root.
By default, sudo relies soley on group permissions to read sudoers to make it possible to store sudoers on NFS. However, if /etc/sudoers is not accessible to non-root uids for some reason, sudo will fail. Bug #880.
---
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 519c38eda..b22e28409 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -879,11 +879,20 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
 {
 struct stat sb;
 FILE *fp = NULL;
+ bool asroot = true;
 debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN)
 if (!set_perms(PERM_SUDOERS))
 debug_return_ptr(NULL);
+ /*
+ * If sudoers_uid == ROOT_UID and sudoers_mode is group readable
+ * set_perms() will use a non-zero uid in order to avoid NFS issues..
+ */
+ if (sudoers_uid != ROOT_UID || ISSET(sudoers_mode, S_IRGRP))
+ asroot = false;
+
+again:
 switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
 case SUDO_PATH_SECURE:
 /*
@@ -917,6 +926,20 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
 }
 break;
 case SUDO_PATH_MISSING:
+ /*
+ * If we tried to stat() sudoers as non-root but got EACCES,
+ * try again as root.
+ */
+ if (errno == EACCES && !asroot) {
+ int serrno = errno;
+ if (restore_perms()) {
+ if (!set_perms(PERM_ROOT))
+ debug_return_ptr(NULL);
+ asroot = true;
+ goto again;
+ }
+ errno = serrno;
+ }
 log_warning(SLOG_SEND_MAIL, N_("unable to stat %s"), sudoers);
 break;
 case SUDO_PATH_BAD_TYPE:
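Review bot: The comment above the `asroot = false` assignment explains only the group-readable case, while the test also clears `asroot` when `sudoers_uid != ROOT_UID`, and both conditions restate a decision that set_perms() makes outside this hunk, so the two can drift apart unnoticed. I would have the comment state the invariant instead, e.g. `/* asroot is true only if set_perms(PERM_SUDOERS) left us at uid 0: not when sudoers is owned by a non-root uid, nor when it is group readable (NFS case). */`. The stray double period in `NFS issues..` can be fixed at the same time. open_sudoers() starts above and continues below this hunk.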
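Review bot: The retry in the SUDO_PATH_MISSING case leaves PERM_ROOT in effect when it jumps back to `again`, so presumably the open and read in the SUDO_PATH_SECURE branch (outside this hunk) then also run as uid 0, not just the stat(); the new comment should say that, and the fallback currently leaves no trace that it was taken. A debug message before `goto again;` would record it, something like `sudo_debug_printf(SUDO_DEBUG_INFO, "%s: EACCES as non-root, retrying as root", sudoers);`, since needing root to reach sudoers usually points at permissions that differ from the group-readable setup the commit message describes. The `errno == EACCES` test also depends on sudo_secure_file() returning with errno still set by its failing stat(); that function is not visible here, so this is worth confirming. The switch continues outside the hunk.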