Fedora 36: Change in sudo behaviour when running non-existent executable

,

My /etc/sudoers file contains the following:

%wheel  ALL=(ALL:ALL)   NOPASSWD: ALL

My user is in the wheel group.

Previously in Fedora 35 if I ran “sudo /non_existent” it would report:

sudo: /non_existent: command not found

If I run the same under Fedora 36 I get:

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bld-adm:

Why has it started prompting for a password for a non-existing file? It doesn’t prompt if I do “sudo non_existent”. It just says:

sudo: non_existent: command not found

Is that a bug? How can I get it not to prompt under any circumstance for this user?

2 Likes

That we trust ... prompt message is because that is the first time that user has used sudo, and it has always done so for first time users.
Does it give you the same message when you try it again?

Also the password prompt is given the first time you use sudo then is suppressed for a certain time while you continue to use sudo. After not using sudo for a (configureable) time delay it again prompts for the password.

Is this not the normal behavior you have seen with sudo?

I would hope the shell would always tell you that the command you just entered was incorrect. It always has for me.

Password prompting for this user has been disabled, so it should never prompt. So, no, this is not normal behaviour, and seems to have changed between Fedora versions.

How was password prompting disabled?

AFAIK the only way to avoid the prompt for the password with sudo is to make an entry in the /etc/sudoers file for that specific user to disable the password requirement.

If that is how it was done then it may be that the upgrade to F36 installed a new /etc/sudoers file and any customizations you may have done would then be overwritten.

As stated above, I set NOPASSWD: ALL. The only time it prompts me for a password is if I used a non-existent path. The sudoers file is not being overridden.

Mine has this:

%wheel	ALL=(ALL)	NOPASSWD: ALL

which is different than what you posted above.

%wheel  ALL=(ALL:ALL)   NOPASSWD: ALL

Could that cause the change?

I see the results you indicate that you used to see.

But I’ve not changed anything in my use of sudoers since changing to Fedora 36.

But sudo itself may have changed how it interprets that line in the sudoers file.

A quick check. Change the ( ALL:ALL ) to ( ALL ) and see if there is a difference. It is after all the host part of the line.

None of the references I found (including man sudoers) shows that part of the line with the : included.

This is a weird one. Doing some quick testing in some new VMs, it’s even more nuanced. It appears that this only affects a wrong command that begins with /.

Here is what it looks like in Fedora Linux 35:

And here in Fedora Linux 37:

Both VMs are new with default /etc/sudoers except changed:

  1. comment out %wheel ALL=(ALL) ALL
  2. uncomment %wheel ALL=(ALL) NOPASSWD: ALL

I see the difference there, but it should be sent as a bug since a change like that is unexpected.

1 Like

OK, if we believe this to be a bug, then I’ll raise one. Thanks.

1 Like

I think there are potentially 2 factors initially. The fact that you used ( ALL:ALL ) was one, but your test with the VMs and showing the difference between F35 and rawhide with the same command structure seems definitely a bug.

https://bugzilla.redhat.com/show_bug.cgi?id=2079523

1 Like

I think this is most likely an upstream issue, as I’ve been able to recreate it in Manjaro and OpenSUSE Tumbleweed as well. Might want to consider opening an issue there.

1 Like