Bug 191 - problem with wildcard expansion in command run under Runas_Alias
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.7
Hardware: PC Linux
Importance: normal high
Assigned To: Todd C. Miller
Reported: 2005-07-28 10:10 MDT by Debbie Schuman
Modified: 2005-08-03 14:21 MDT (History)
Description Debbie Schuman 2005-07-28 10:10:27 MDT
I may be missing something, but there seems to be a problem when using a 
Runas_Alias to execute a command with wildcards in an argument.  The example I 
ran across is with the ls and grep commands.  Here's the scenario...

1. Runas_Alias = MYALIAS = appid
   Cmnd_Alias = LS_CMD = /bin/ls *
   User_Alias = MYUSER

   MYUSER ALL= (MYALIAS) LS_CMD

2. The directory that I am trying to run against has permissions 750 and is 
owned by appid:appgrp

    /var/appdir/logs 

3. sudo -u appid /bin/ls -l /var/appdir/logs/*.log

gets error:  ls: /var/appdir/logs/*.log:  No such file or directory 

4.  sudo -u appid /bin/ls -l /var/appdir/logs  
works ok - get directory listing of all files in directory as expected.

5. sudo -u appid /bin/ls -l /var/appdir/logs/log1.log
works ok - can specify a file name that exists and get a listing as expected.

Only seems to have trouble when it has to expand a wildcard in a directory that 
doesn't have read access for the login user.  

I can get around the problem by putting the ls/grep commands in a script owned 
by the appid:appgrp, then put in a rule to run the script.  That works ok.  It 
just seems like if the Runas_Alias target user has permission on the directory, 
the wildcard functionality should be valid.


Any advice would be greatly appreciated...
Comment 1 Debbie Schuman 2005-08-03 09:46:23 MDT
Just wondering if anyone has run into this problem before (or whether it's 
something that I'm doing wrong in setting up the SUDO rule).

Thanks -
Debbie Schuman
Comment 2 Todd C. Miller 2005-08-03 09:54:32 MDT
The problem is that your shell is trying to expand /var/appdir/logs/*.log before 
sudo is executed, which it cannot do because of the directory permissions.  
The wildcard matching in sudo matches entries in the sudoers file against what 
was specified on the command line, not files in the filesystem, so quoting the 
wildcarded path won't help either.

There really isn't a good way to do what you want without the added grep step.
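
The sequence described in Comment 2, modelled as an added Python example that is not part of the original bug thread or of sudo's code. `shell_expand`, `sudoers_allows` and `sudo_ls` are hypothetical helpers, the directory contents are constructed, and Python's `fnmatch` stands in (as an approximation) for the string matching sudo applies to command arguments.

```python
import fnmatch

LOG_DIR = "/var/appdir/logs"                     # directory from the report
ENTRIES = ["log1.log", "log2.log", "notes.txt"]  # constructed contents
CMND = "/bin/ls *"                               # LS_CMD from the report


def shell_expand(word, can_list_dir):
    """Pathname expansion by the invoking user's shell, before sudo runs.

    A word with no glob characters, a directory the user cannot list, or a
    pattern with no matches all leave the word unchanged (POSIX default).
    """
    directory, _, pattern = word.rpartition("/")
    if not any(c in pattern for c in "*?[") or directory != LOG_DIR:
        return [word]
    if not can_list_dir:
        return [word]
    hits = [f"{directory}/{e}" for e in sorted(ENTRIES)
            if fnmatch.fnmatchcase(e, pattern)]
    return hits or [word]


def sudoers_allows(cmnd, argv):
    """Approximate sudoers matching: exact command path, then the arguments
    joined by spaces are matched as one string against the pattern.
    Nothing here looks at the filesystem."""
    path, _, arg_pattern = cmnd.partition(" ")
    if argv[0] != path:
        return False
    return not arg_pattern or fnmatch.fnmatchcase(" ".join(argv[1:]), arg_pattern)


def sudo_ls(typed, can_list_dir):
    """Return (allowed by sudoers, argv handed to ls, paths ls cannot find)."""
    argv = [typed[0]]
    for word in typed[1:]:
        argv += shell_expand(word, can_list_dir)
    known = {LOG_DIR} | {f"{LOG_DIR}/{e}" for e in ENTRIES}
    missing = [a for a in argv[1:] if not a.startswith("-") and a not in known]
    return sudoers_allows(CMND, argv), argv, missing


if __name__ == "__main__":
    for typed in (["/bin/ls", "-l", "/var/appdir/logs/*.log"],      # step 3
                  ["/bin/ls", "-l", "/var/appdir/logs"],            # step 4
                  ["/bin/ls", "-l", "/var/appdir/logs/log1.log"]):  # step 5
        print(typed[-1], "->", sudo_ls(typed, can_list_dir=False))
```

In all three cases the sudoers rule matches; only step 3 fails, because ls is handed the unexpanded pattern as a file name.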
Comment 3 Debbie Schuman 2005-08-03 10:21:22 MDT
Thanks Todd.  I gave the users a couple of workarounds, but needed something 
definite to tell them why the wildcard expansion didn't work as they thought it 
should.