Bug 636

Summary: sudo -l cannot detect negation in command alias
Product: Sudo
Reporter: Mond Wan <mondwan.1015>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.3   
Hardware: PC   
OS: Linux   
Attachments: test case
Fix for negated commands in sudo -l

Description Mond Wan 2014-03-13 01:30:06 MDT
Created attachment 397: test case

Hello all, I would like to ask whether this is a bug or done on purpose.

What I want to do is a privilege check before running a command with sudo.

However, sudo -l seems unable to spot the negations inside a command alias.
Below are the test cases I have tried on 1.8.3p1. Actually, I have the same issue on 1.7.10p6.

Sudoers I/O plugin version 1.8.3p1

Case 1: 2 negations in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
====================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
/usr/bin/passwd
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
Sorry, user solider is not allowed to execute '/usr/bin/passwd' as root on SERVER.


Case 2: 1 negation in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.

Case 3: No negation in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

solider@SERVER:/root$ sudo passwd root
Enter new UNIX password: 

Case 4: Directly add on command alias
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !/usr/bin/passwd root
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

Case 5: Negation on command alias
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
==========================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 6: Double negations
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 7: Single negation on command
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 8:
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 9:
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
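The cases above are decided by the sudoers command-list rules, and a correct `sudo -l` has to apply them the same way an actual run does. The Python model below is an added illustration, not sudo's own code; it assumes the sudoers(5) rules that entries are checked last-to-first with the first match deciding, that `!` negates, that aliases expand recursively, and that an entry without arguments matches any arguments, and it only parses the policy line forms used in this report.

```python
"""Model of sudoers command-list evaluation (added illustration, not sudo's
code).  Assumed rules from sudoers(5): entries are checked last-to-first and
the first that matches decides, '!' negates, aliases expand recursively."""
from fnmatch import fnmatchcase

# Policy snippets constructed from Case 1 and Case 6 of this report.
CASE1 = """Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT"""
CASE6 = """Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION"""

def parse_list(spec):
    """'a, !b' -> [(negated, item), ...]"""
    return [(x.strip().startswith("!"), x.strip().lstrip("!")) for x in spec.split(",")]

def parse_sudoers(text):
    # Handles only 'Cmnd_Alias NAME = list' and 'user ALL = (ALL) NOPASSWD: list'.
    aliases, rules = {}, []
    for line in text.strip().splitlines():
        if line.startswith("Cmnd_Alias"):
            name, spec = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = parse_list(spec)
        else:
            rules += parse_list(line.split(":", 1)[1])
    return aliases, rules

def cmnd_matches(aliases, negated, item, cmnd, args):
    """True = allow, False = deny, None = entry does not apply."""
    if item in aliases:  # nested alias: evaluate it, then apply our own '!'
        r = cmndlist_matches(aliases, aliases[item], cmnd, args)
        return None if r is None else r != negated
    parts = item.split(None, 1)
    if parts[0] != cmnd:
        return None
    # No args in the entry means any args; otherwise the args are a glob.
    return (not negated) if len(parts) == 1 or fnmatchcase(args, parts[1]) else None

def cmndlist_matches(aliases, members, cmnd, args):
    for negated, item in reversed(members):  # last matching entry wins
        r = cmnd_matches(aliases, negated, item, cmnd, args)
        if r is not None:
            return r
    return None

def allowed(sudoers, cmnd, args=""):
    # What 'sudo -l -U solider cmnd args' should answer for this policy.
    aliases, rules = parse_sudoers(sudoers)
    return cmndlist_matches(aliases, rules, cmnd, args) is True
```

Under these rules Case 1 denies both `passwd` and `passwd root` (as the real run in Case 1 does), while the double negation of Case 6 allows `passwd root` again, which is why a `sudo -l` that ignores `!` inside aliases gives answers the actual run contradicts.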
Comment 1 Todd C. Miller 2014-03-13 08:19:57 MDT
Created attachment 398: Fix for negated commands in sudo -l

Please try the following patch against sudo 1.8.3p2 if possible.
Comment 2 Todd C. Miller 2014-03-13 18:34:21 MDT
Fixed in sudo 1.8.10p1, available now.