Bug 578

Summary: sudoers wildcard character(*) is unusably dangerous in command line arguments
Product: Sudo
Reporter: Dave Hicks <david.hicks>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: bdale, cyrille.lefevre-lists, david.hicks, ed-sudo
Priority: normal
Version: 1.8.6
Hardware: All
OS: All

Description Dave Hicks 2012-11-05 12:12:32 MST
(Apologies for the alarmist summary line, but on reflection I think it is actually a fairly accurate statement...)

Because the fnmatch library call will always match spaces against the wildcard character (*), it is very difficult to envisage a situation where using it in a command line argument specification does not enable the command to be supplied arbitrary files as arguments. For example:

	myuser  myhost=(root) NOPASSWD: /bin/cat /proc/*

...also permits this command :

	sudo cat /proc/uptime /etc/shadow

A Red Hat internal kbase (https://access.redhat.com/knowledge/solutions/204823) suggests a solution, but that is itself wrong :

    Its resolution shows this:
	sullyvon ALL=NOPASSWD: /bin/cat /var/log/messages-*[[\:digit\:]]

    But this still allows you to do:
	sudo cat /var/log/messages- /etc/shadow 1

Todd Miller, in a discussion with Daniel Kopecak of Red Hat describes a possible new syntax, either using full regular expressions, or something along the lines of rsync's * and **, that would only match individual argument prefixes and not match across multiple space-separated arguments.

Red Hat have already created RFE 871881 to cover this problem but I believe it should also be logged against the upstream version.
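The matching behaviour the report describes, shown as an added C example (not sudo's own code). It models sudoers argument matching as "join the arguments with spaces, hand the result to fnmatch(3)", which is what makes `*` swallow extra arguments, and sets it beside a hypothetical per-argument matcher in the spirit of the rsync-style idea mentioned above. Assumptions: the model is simplified (the command path is matched separately and is not included), and the backslashes in `[[\:digit\:]]` only escape the colons for the sudoers parser, so the pattern that reaches fnmatch is `[[:digit:]]`.

```c
#include <fnmatch.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16
#define BUF_LEN 1024

/* Collect the variadic argument strings into an array; returns the count. */
static int collect_args(int argc, va_list ap, const char *argv[MAX_ARGS]) {
    if (argc > MAX_ARGS) argc = MAX_ARGS;
    for (int i = 0; i < argc; i++)
        argv[i] = va_arg(ap, const char *);
    return argc;
}

/* Model of the behaviour the report describes (written for this example,
 * not sudo's code): the command's arguments are joined with single spaces
 * and the whole string is matched with fnmatch(3). Because '*' also matches
 * a space, a pattern written for one argument matches any number of extra
 * arguments. Returns 1 on match, 0 otherwise. */
int joined_args_match(const char *pattern, int argc, ...) {
    const char *argv[MAX_ARGS];
    char joined[BUF_LEN] = "";
    va_list ap;

    va_start(ap, argc);
    argc = collect_args(argc, ap, argv);
    va_end(ap);

    for (int i = 0; i < argc; i++) {
        if (i > 0) strncat(joined, " ", BUF_LEN - strlen(joined) - 1);
        strncat(joined, argv[i], BUF_LEN - strlen(joined) - 1);
    }
    return fnmatch(pattern, joined, 0) == 0;
}

/* Hypothetical stricter matcher: the pattern is split on spaces into words,
 * the argument count must equal the word count, and each word is matched
 * against exactly one argument, so '*' can never span two arguments.
 * FNM_PATHNAME additionally keeps '*' from crossing a '/'. */
int per_arg_match(const char *pattern, int argc, ...) {
    const char *argv[MAX_ARGS];
    char pat[BUF_LEN];
    char *words[MAX_ARGS];
    int nwords = 0;
    va_list ap;

    va_start(ap, argc);
    argc = collect_args(argc, ap, argv);
    va_end(ap);

    strncpy(pat, pattern, BUF_LEN - 1);
    pat[BUF_LEN - 1] = '\0';
    for (char *w = strtok(pat, " "); w != NULL && nwords < MAX_ARGS; w = strtok(NULL, " "))
        words[nwords++] = w;

    if (nwords != argc)
        return 0;               /* extra or missing arguments: reject */
    for (int i = 0; i < argc; i++)
        if (fnmatch(words[i], argv[i], FNM_PATHNAME) != 0)
            return 0;
    return 1;
}

int main(void) {
    /* The two cases from the report: both pass the joined model, both are
     * rejected by the per-argument model. */
    printf("/proc/* vs 'uptime /etc/shadow': joined=%d per-arg=%d\n",
           joined_args_match("/proc/*", 2, "/proc/uptime", "/etc/shadow"),
           per_arg_match("/proc/*", 2, "/proc/uptime", "/etc/shadow"));
    printf("messages-*[[:digit:]] vs 'messages- /etc/shadow 1': joined=%d per-arg=%d\n",
           joined_args_match("/var/log/messages-*[[:digit:]]", 3,
                             "/var/log/messages-", "/etc/shadow", "1"),
           per_arg_match("/var/log/messages-*[[:digit:]]", 3,
                         "/var/log/messages-", "/etc/shadow", "1"));
    return 0;
}
```

The per-argument matcher only addresses the problem the report raises, namely a wildcard spanning several space-separated arguments; a rule still grants whatever the pattern word itself admits for its single argument, which is why the thread ends with proper regular expression support as the real fix.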
Comment 1 Dave Hicks 2012-11-06 11:43:51 MST
I have just received the following response to the Quest case I raised for the same issue (1088167) :

'...I have passed your information Todd with the below reply "The only real fix for this is to add regular expression support to the sudoers file.  The proposed replacement sudoers file format (which is RBAC-based) already specifies this and does not have wildcard support at all.  I'm planning to add POSIX regular expression support for sudo 1.8.7." '

This is great news, thanks in advance Todd, but I have a couple more questions :

1. What do you mean by an RBAC-based sudoers file format?
2. Are Red Hat already aware of your intention to add this to 1.8.7? I believe there was a recent comment from their guy along the lines that he would implement it if you weren't planning to soon (just making sure you're not both doing it at the same time)

Thanks again
Comment 2 Todd C. Miller 2012-11-26 16:05:14 MST
Sudo 2.0 will include an RBAC-based policy format.  The design document is located at http://www.sudo.ws/sudo/sudo-rbac.html.

I was not aware that Red Hat was planning to add regexp support so they are probably not aware of my plans either.
Comment 3 ed neville 2019-11-14 06:06:39 MST
Hello,

Can this patch be included in the meantime please?

  https://www.sudo.ws/pipermail/sudo-workers/2019-March/001232.html

I believe it would solve wildcard issues and reduces complexity.

Ed
Comment 4 Cyrille Lefevre 2019-12-07 18:03:20 MST
Hi,

A similar patch was rejected years ago:

https://www.sudo.ws/pipermail/sudo-workers/2016-March/date.html

Regards
Comment 5 ed neville 2019-12-09 12:06:16 MST
I don't know if that's a rejection:

  "I'm going to have to think about this a bit."

If the fuller solution isn't considered, maybe a smaller minimal solution could be. I'm hoping something can be done, and I'm willing to put energy into it to help.

Linking to the github issue (which links here):

  https://github.com/sudo-project/sudo/issues/15
Comment 6 Todd C. Miller 2022-02-03 19:34:00 MST
*** Bug 919 has been marked as a duplicate of this bug. ***
Comment 7 Todd C. Miller 2022-02-03 19:35:06 MST
Sudo 1.9.10 will include regular expression support.
Comment 8 Todd C. Miller 2022-03-04 09:18:34 MST
Sudo 1.9.10 includes regular expression support.