Bugzilla – Full Text Bug Listing

| Field | Value |
|---|---|
| Summary | sudo -l cannot detect negation in command alias |
| Product | Sudo |
| Component | Sudo |
| Reporter | Mond Wan <mondwan.1015> |
| Assignee | Todd C. Miller <Todd.Miller> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | low |
| Version | 1.8.3 |
| Hardware | PC |
| OS | Linux |
| Attachments | test case; Fix for negated commands in sudo -l |
Created attachment 398
Fix for negated commands in sudo -l

Please try the following patch against sudo 1.8.3p2 if possible.

Fixed in sudo 1.8.10p1, available now.
Created attachment 397
test case

Hello all,

I would like to ask whether this is a bug or done on purpose.

What I want to do is a privilege check before running a command with sudo. However, sudo -l does not seem to spot the negations inside a command alias.

Below are the test cases I have tried on 1.8.3p1. Actually, I have the same issue on 1.7.10p6.

Sudoers I/O plugin version 1.8.3p1

Case 1: 2 negations in command alias

/etc/sudoer

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
====================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
/usr/bin/passwd
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd
Sorry, user solider is not allowed to execute '/usr/bin/passwd' as root on SERVER.
```

Case 2: 1 negation in command alias

/etc/sudoer

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd
[sudo] password for solider:
solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.
```

Case 3: No negation in command alias

/etc/sudoer

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd
[sudo] password for solider:
solider@SERVER:/root$ sudo passwd root
Enter new UNIX password:
```

Case 4: Directly add on command alias

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !/usr/bin/passwd root
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.
solider@SERVER:/root$ sudo passwd
[sudo] password for solider:
```

Case 5: Negation on command alias

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
==========================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
```

Case 6: Double negations

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
```

Case 7: Single negation on command

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
```

Case 8:

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
```

Case 9:

```
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
```
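
For comparing a `sudo -l` answer against the intended policy, here is an added example (not part of the bug report and not sudo's source code) that models how a sudoers command list with nested, negated Cmnd_Aliases resolves: the last matching entry wins, and a `!` in front of an alias inverts the alias's own verdict. It is a simplified model that assumes exact path comparison and a glob on the arguments only; `cmnd_matches`, `evaluate`, `CASES`, `verdict` and the user name `alice` are hypothetical names chosen here.

```python
from fnmatch import fnmatchcase

def cmnd_matches(spec, argv):
    """Match one sudoers command entry: exact path, optional glob on the arguments."""
    path, _, args = spec.partition(" ")
    if path != argv[0]:
        return False
    if not args:                       # bare path in sudoers: any arguments are accepted
        return True
    return len(argv) > 1 and fnmatchcase(" ".join(argv[1:]), args)

def evaluate(members, aliases, argv, depth=0):
    """Return True (allow), False (deny) or None (nothing matched)."""
    if depth > 16:
        raise ValueError("Cmnd_Alias loop")
    for entry in reversed(members):    # the last matching entry wins
        negated = False
        while entry.startswith("!"):
            negated, entry = not negated, entry[1:].lstrip()
        if entry in aliases:           # nested alias: evaluate it, then apply our own '!'
            inner = evaluate(aliases[entry], aliases, argv, depth + 1)
            if inner is None:
                continue
            return (not inner) if negated else inner
        if cmnd_matches(entry, argv):
            return not negated
    return None

# Constructed from Cases 2, 5, 6 and 9 of the report: (aliases, command list of the user spec).
PM, ROOT = "/usr/bin/passwd [a-zA-Z0-9]*", "/usr/bin/passwd root"
CASES = {
    2: ({"PASSWD_MANAGEMENT": [PM, "!" + ROOT]}, ["PASSWD_MANAGEMENT"]),
    5: ({"PASSWD_MANAGEMENT": [PM], "TEST_NEGATION": [ROOT]},
        ["PASSWD_MANAGEMENT", "!TEST_NEGATION"]),
    6: ({"PASSWD_MANAGEMENT": [PM], "TEST_NEGATION": ["!" + ROOT]},
        ["PASSWD_MANAGEMENT", "!TEST_NEGATION"]),
    9: ({"PASSWD_MANAGEMENT": [PM], "TEST_NEGATION": [ROOT], "WRAP_PASSWD": ["TEST_NEGATION"]},
        ["PASSWD_MANAGEMENT", "!WRAP_PASSWD"]),
}

def verdict(case, command):
    aliases, spec = CASES[case]
    return evaluate(spec, aliases, command.split())

if __name__ == "__main__":
    for case in CASES:
        for cmd in ("/usr/bin/passwd root", "/usr/bin/passwd alice"):
            print(f"case {case}: {cmd!r} -> {verdict(case, cmd)}")
```

A `None` verdict means no entry in the list applies to the command, which is distinct from an explicit deny produced by a negated entry.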