Bug 500

Summary: sudo 1.7.4_p5 allows combining several permitted parameters into one
Product: Sudo
Reporter: Maxim Kammerer <mk>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED ---
Severity: normal
Priority: low
Version: 1.7.4
Hardware: PC
OS: Linux

Description Maxim Kammerer 2011-06-30 17:53:55 MDT
/etc/sudoers:
anon	liberte = NOPASSWD: /sbin/shutdown -[hr] now

sudo shutdown -h now -> allowed
sudo shutdown "-h now" -> allowed (probably shouldn't be)
sudo shutdown "-h  now" (two spaces) -> not allowed

Comment 1 Todd C. Miller 2011-08-24 11:20:08 MDT
Sudo's matching of spaces embedded in command arguments is currently suboptimal. Part of the problem is that quoting like this is shell syntactic sugar; it isn't present when sudo examines the arguments.

The way command argument matching is currently done is by concatenating all the arguments into a single string, and so the grouping is lost.  One way to handle this would be to escape embedded spaces with a backslash, so the sudoers rules would also need to include backslashes.  Another option is to match the argument vector instead of a flat string, which allows for exact matching but is more cumbersome and may make wildcards less useful.
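
The two matching strategies from comment 1, run against the three invocations in the report, as an added example that is not sudo's own code. The function names `flat_match` and `vector_match` are hypothetical, and POSIX `fnmatch(3)` is assumed as the glob matcher.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed inputs: the argv each shell command line from the report yields. */
static const char *const SPLIT[]  = { "-h", "now" };   /* shutdown -h now     */
static const char *const JOINED[] = { "-h now" };      /* shutdown "-h now"   */
static const char *const TWO_SP[] = { "-h  now" };     /* shutdown "-h  now"  */
static const char *const RULE_V[] = { "-[hr]", "now" };/* rule as a vector    */

/* Flat matching: join argv with single spaces, then glob-match the string.
 * The grouping of arguments is lost in the join. Returns 1 on match. */
int flat_match(const char *pattern, int argc, const char *const argv[])
{
    char buf[256] = "";
    size_t used = 0;
    for (int i = 0; i < argc; i++) {
        int n = snprintf(buf + used, sizeof(buf) - used, "%s%s",
                         i ? " " : "", argv[i]);
        if (n < 0 || (size_t)n >= sizeof(buf) - used)
            return 0;            /* too long: refuse rather than truncate */
        used += (size_t)n;
    }
    return fnmatch(pattern, buf, 0) == 0;
}

/* Vector matching: one pattern per argument, and the counts must agree,
 * so a single "-h now" argument cannot satisfy a two-word rule. */
int vector_match(int patc, const char *const patv[],
                 int argc, const char *const argv[])
{
    if (patc != argc)
        return 0;
    for (int i = 0; i < argc; i++)
        if (fnmatch(patv[i], argv[i], 0) != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("flat:   %d %d %d\n", flat_match("-[hr] now", 2, SPLIT),
           flat_match("-[hr] now", 1, JOINED), flat_match("-[hr] now", 1, TWO_SP));
    printf("vector: %d %d %d\n", vector_match(2, RULE_V, 2, SPLIT),
           vector_match(2, RULE_V, 1, JOINED), vector_match(2, RULE_V, 1, TWO_SP));
    return 0;
}
```

Flat matching accepts the first two invocations and rejects the third, matching the behaviour in the description; vector matching accepts only the first.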