https://bugzilla.novell.com/show_bug.cgi?id=673669 https://bugzilla.novell.com/show_bug.cgi?id=673669#c wei wang changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wewang@novell.com AssignedTo|bnc-team-screening@forge.pr |puzel@novell.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=673669 https://bugzilla.novell.com/show_bug.cgi?id=673669#c2 Petr Uzel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |WONTFIX --- Comment #2 from Petr Uzel 2011-02-22 11:08:49 UTC --- (In reply to comment #0)

...

sudo hwinfo --help root's password: sudo: hwinfo: command not found

That's because /usr/sbin/ is not in the PATH. You have (at least) two options how to make it work without specifying full path: 1.) Add following line to /etc/sudoers (using visudo as root). Defaults secure_path="/bin:/sbin:/usr/bin:/usr/sbin" This will make all commands run with 'sudo' to have this set as $PATH. Of course you can add also other directories if you need to. 2.) Add /sbin/ and /usr/sbin/ to default $PATH for all users, not just root (I use this personally). Just insert the following line to /etc/profile.local: PATH="$PATH:/sbin/:/usr/sbin/"

Only when the absolute path is given, sudo will do as told. Consecutive trys then work as expected, as long as the same gnome-terminal is used.

Opening a new terminal reproduces the ill behaviour.

There's nothing ill - this is the default sudo's behavior. You can disable the per-tty authentication by setting "Defaults !tty_tickets" in /etc/sudoers (man 5 sudoers). Please note that this setting will allow any process to hijack your sudo session. HTH -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=673669 https://bugzilla.novell.com/show_bug.cgi?id=673669#c4 Petr Uzel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |NEEDINFO InfoProvider| |security-team@suse.de --- Comment #4 from Petr Uzel 2011-02-22 15:44:34 UTC --- (In reply to comment #3)

Who on earth would suspect "> sudo bla" to behave differently from "# bla" ?

Me, for example, but perhaps I'm just weird :) Anyway, you made me look further into this. In sudo, we have sudo-1.7.1-secure_path.diff, which should set sane PATH for programs run with sudo, except that it does not seem to work. Moreover, it seems also useless since there is a possibility to set this using secure_path in /etc/sudoers. Therefore, I would propose the following: - drop *-secure_path.diff - add `Defaults secure_path="/usr/sbin:/sbin:/usr/bin:/bin"` to default /etc/sudoers. That way, we have tunable secure_path with sane default and no additional suse-specific patch. Dear security team: is this change OK from your POV? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=673669 https://bugzilla.novell.com/show_bug.cgi?id=673669#c6 --- Comment #6 from Petr Uzel 2011-02-23 09:14:11 UTC --- (In reply to comment #5)

that will break the use case where a program can only be found in the calling user's $PATH, e.g. ~/bin, wouldn't it?

Yes, it would, in the default settings.

A smarter solution would be something like su does (also via suse patch), it simply adds /sbin to $PATH if it's missing.

Do you really think that sudo has to be that smart, given secure_path is easily configurable, even on per-user basis? BTW that's what Fedora uses too AFAICS. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=673669 https://bugzilla.novell.com/show_bug.cgi?id=673669#c8 Petr Uzel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |UPSTREAM --- Comment #8 from Petr Uzel 2011-04-13 14:22:24 UTC --- I proposed a new option for this: http://www.sudo.ws/pipermail/sudo-workers/2011-April/000667.html Closing this as RESOLVED/UPSTREAM. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.