Bug 1319936 - sudo is broken after installing devtoolset
Summary: sudo is broken after installing devtoolset
Status: NEW
Alias: None
Product: Red Hat Developer Toolset
Classification: Red Hat
Component: devtoolset-meta
Version: DTS 3.1 RHEL 6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: alpha
: 5.0
Assignee: Marek Polacek
QA Contact: Martin Cermak
URL:
Whiteboard:
Keywords:
: 1635961 1671475 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-21 21:14 UTC by Martin Langhoff
Modified: 2019-04-10 07:43 UTC (History)
12 users (show)

(edit)
Clone Of:
(edit)
Last Closed:


Attachments (Terms of Use)

Description Martin Langhoff 2016-03-21 21:14:37 UTC
Description of problem:

the sudo "wrapper" written for #849452 is very limited, is not failsafe, and most importantly is called "sudo" and is first in search path, so takes over sudo invocations.

This is a bad idea in so many ways. 

Version-Release number of selected component (if applicable):

devtoolset-3-runtime-3.1-12.el6.x86_64


How reproducible:

100%

Steps to Reproduce:
1. install devtoolset3
2. try to run "sudo -s" or "sudo -i"

Actual results:

$ sudo -s
/var/tmp/scl76ZTHd: line 8: -s: command not found


Expected results:

A root shell session

Comment 1 Martin Langhoff 2016-03-21 21:16:10 UTC
Others have hit this 

http://unix.stackexchange.com/questions/192809/sudo-i-returns-an-error

$ rpm -qf /opt/rh/devtoolset-3/root/usr/bin/sudo
devtoolset-3-runtime-3.1-12.el6.x86_64
$ which sudo
/opt/rh/devtoolset-3/root/usr/bin/sudo

Comment 2 Ľuboš Kardoš 2016-04-06 14:03:00 UTC
The sudo wrapper is from devtoolset package not from scl-utils package, I will reassigning the bug, I hope devtoolset-meta is right component but feel free to reassign.

Comment 3 Marek Polacek 2016-04-08 12:06:40 UTC
Certainly not solvable for DTS4.1.

Comment 4 Marek Polacek 2016-04-08 12:07:50 UTC
Note this is basically a dup of https://bugzilla.redhat.com/show_bug.cgi?id=1054894

Comment 5 Martin Langhoff 2016-04-08 12:51:56 UTC
Well that's not readable even for this long-time fedora contributor, but I can imagine reasons you'd have a related embargoed bz.

MITM'ing sudo is a rather bad idea. I understand the desire to have sudo load SCL envvars -- I wrestle with that myself, often needing to write wrapper scripts -- it is not important enough to mess with sudo itself; perhaps that could be achieved with a dedicated command.

Comment 6 Marek Polacek 2016-04-08 14:25:05 UTC
(In reply to Martin Langhoff from comment #5)
> Well that's not readable even for this long-time fedora contributor, but I
> can imagine reasons you'd have a related embargoed bz.
> 
> MITM'ing sudo is a rather bad idea. I understand the desire to have sudo
> load SCL envvars -- I wrestle with that myself, often needing to write
> wrapper scripts -- it is not important enough to mess with sudo itself;
> perhaps that could be achieved with a dedicated command.

You're right about the SCL envvars.  One possibility would be to teach the sudo wrapper how to parse the sudo arguments I think -- but that seems very fragile and I'm not sure how well would that work in practice.  I'm very sorry that all I can offer at this point is to recommend to use /bin/sudo if you need to use sudo options :/.

Comment 7 Florian Weimer 2016-04-12 12:03:09 UTC
sudo_plugin(8) in the sudo-devel package might be a consideration.  It looks like the API (specifically check_policy) is sufficient for implementing preservation of SCL context in a sudo plugin.

Comment 8 Gary Gatling 2018-04-23 17:22:50 UTC
I am seeing this in devtoolset-7's sudo/ sudo -i doesn't work.

Comment 9 Marek Polacek 2018-04-23 17:26:45 UTC
Please use /bin/sudo meanwhile.

Comment 10 Michael Alberghini 2018-07-31 15:38:18 UTC
I am seeing this while using devtoolset-6 on RH 7.5.  It breaks ansible.

Comment 11 Marek Polacek 2018-10-09 15:52:14 UTC
*** Bug 1635961 has been marked as a duplicate of this bug. ***

Comment 12 Marek Polacek 2019-01-31 17:35:24 UTC
*** Bug 1671475 has been marked as a duplicate of this bug. ***

Comment 13 Andy Fong 2019-02-20 16:38:52 UTC
Look like there is no traction to fix this bug. There is a TODO in the wrapper to parse the options correctly. I have no bash expert but here is what I come up with and worked for me:

#! /bin/sh
cmd_started=false
is_option_param_next=false
for arg in "$@"
do
   case "$arg" in
    *\'*)
      arg= ;;
   esac
   if [ "$cmd_started" = true ]; then
       cmd_options="$cmd_options '$arg'"
   elif [ "$is_option_param_next" = true ]; then
       sudo_options="$sudo_options $arg"
       is_option_param_next=false
   elif [[ $arg == -* ]]; then
       sudo_options="$sudo_options $arg"
       case "$arg" in
        "-g" | "-h" | "-p" | "-u" | "-U" | "-C" | "-i" | "-s")
          is_option_param_next=true
        ;;
       esac
   elif [[ $arg == *=* ]]; then
       sudo_options="$sudo_options $arg"
   else
       cmd_options="$cmd_options '$arg'"
       cmd_started=true
   fi
done
if [ "$sudo_options" == "" ]; then
    sudo_options="-E"
fi
exec /usr/bin/sudo $sudo_options LD_LIBRARY_PATH=$LD_LIBRARY_PATH PATH=$PATH scl enable devtoolset-7 "$cmd_options"

Comment 14 Marek Polacek 2019-04-08 16:20:06 UTC
The workaround has been to use /bin/sudo directly.  The only viable solution, IMHO, would be to take a look at sudo_plugin(8) and see if that helps.  But that would be for DTS 9, it's too risky to try to fix it for DTS 8.1.

Comment 15 Roman Bobek 2019-04-10 07:43:00 UTC
(In reply to Marek Polacek from comment #14)
> The workaround has been to use /bin/sudo directly.  The only viable
> solution, IMHO, would be to take a look at sudo_plugin(8) and see if that
> helps.  But that would be for DTS 9, it's too risky to try to fix it for DTS
> 8.1.

Hello Marek,

thank you for the update in this BZ. Can we proceed with evaluating the sudo_pluign and the fix? DTS 9 is okay.

-Roman


Note You need to log in before you can comment on or make changes to this bug.