Bug 211 - strange order dependence in sudoers
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.8
Hardware: All All
Importance: normal normal
Assigned To: Todd C. Miller
Reported: 2006-03-14 02:40 MST by James M. Corey
Modified: 2007-11-02 15:39 MDT (History)
Description James M. Corey 2006-03-14 02:40:00 MST
If my sudoers file contains just two lines, like this:

  jack ALL=ALL
  jack ALL=(jill)ALL

Then jack can successfully run

  sudo -u jill whoami

However, if I reverse the order of those two lines in sudoers:

  jack ALL=(jill)ALL
  jack ALL=ALL

Then sudo will fail jack with the usual message:
"Sorry, user jack is not allowed to execute '/usr/bin/whoami' as jill on hill"

This is a contrived example, of course.  My objective is to make
it as short and simple as possible.

If this sudo behavior is intentional, I apologize for not comprehending.
This is with 1.6.8p12, no special --configure options.
Comment 1 Todd C. Miller 2007-07-05 16:28:22 MDT
This is indeed a bug.  The problem is that the parser is not distinguishing between a lack of a match in the runas user and a negative match (i.e., !user).
Comment 2 Todd C. Miller 2007-11-02 15:39:25 MDT
This has been fixed in sudo 1.6.9p8.
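
The conflation described in comment 1, as an added example that is not part of the original bug report and is not sudo's parser code: a simplified C model of last-match evaluation over the two sudoers orderings from the description. The `rule` struct, the function names and the `tristate` switch are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not sudo's parser): each rule is
 * "user ALL=(runas) ALL"; runas NULL means the default target, root;
 * a leading '!' negates. The last rule with a definite answer wins. */
enum match { UNSPEC = -1, DENY = 0, ALLOW = 1 };
struct rule { const char *user; const char *runas; };

/* Tri-state runas match: no match is UNSPEC, a "!name" match is DENY. */
static enum match runas_match(const struct rule *r, const char *target)
{
    const char *spec = r->runas ? r->runas : "root";
    int negated = (spec[0] == '!');
    if (strcmp(spec + negated, target) != 0)
        return UNSPEC;
    return negated ? DENY : ALLOW;
}

/* tristate == 0 reproduces the reported behaviour: a rule that simply
 * does not mention the target is folded into DENY and overrides an
 * earlier ALLOW. tristate == 1 keeps the two cases apart. */
enum match check(const struct rule *rules, size_t n, const char *user,
                 const char *target, int tristate)
{
    enum match result = UNSPEC;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(rules[i].user, user) != 0)
            continue;
        enum match m = runas_match(&rules[i], target);
        if (m == UNSPEC && !tristate)
            m = DENY;               /* the conflation from comment 1 */
        if (m != UNSPEC)
            result = m;             /* last definite answer wins */
    }
    return result == ALLOW ? ALLOW : DENY;
}

/* Constructed rule sets: the two orderings from the report, plus an
 * explicit negation that must still deny after the distinction is made. */
static const struct rule order_ok[]  = { {"jack", NULL},   {"jack", "jill"}  };
static const struct rule order_bad[] = { {"jack", "jill"}, {"jack", NULL}    };
static const struct rule negated[]   = { {"jack", "jill"}, {"jack", "!jill"} };

int main(void)
{
    printf("two-state, reported failing order: %d\n", check(order_bad, 2, "jack", "jill", 0));
    printf("tri-state, reported failing order: %d\n", check(order_bad, 2, "jack", "jill", 1));
    printf("tri-state, explicit !jill:         %d\n", check(negated, 2, "jack", "jill", 1));
    return 0;
}
```
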