Bugzilla – Bug 335
runas_default doesn't work in the context of Command Defaults
Last modified: 2009-02-20 15:55:48 MST
What I'm trying to do is make it so that users don't have to specify the '-u <user>' when attempting to run certain commands that would otherwise require specifying that user. I know that 1.7 is supposed to have Command specific Defaults (e.g., Defaults!<command> <option>), however I haven't been able to make runas_default work with command specific defaults and am hoping I'm just doing it wrong. (Note: this works (obviously?) if I do a user specific default)

----------------- Example Sudoers Snippet --------]
Defaults:rabbitt !authenticate # just for testing purposes
Defaults!/usr/bin/whoami runas_default=apache
rabbitt ALL = (apache) NOPASSWD: /usr/bin/whoami

----------------- Expected Test Results ----------]
-[rabbitt@optimus]- -[/tmp]-
$ sudo whoami
apache

----------------- Actual Test Results ------------]
-[rabbitt@optimus]- -[/tmp]-
$ sudo whoami
Sorry, user rabbitt is not allowed to execute '/usr/bin/whoami' as root on optimus.
--------------------------------------------------]

TIA!,
--
Carl P. Corliss
Normally, the runas user is already set by the time sudo does its search for the command to run. There's a slight chicken and egg problem here since sudo searches for the command in the PATH running with the uid of the user it is going to run things as. If runas_default is set based on the command (and thus after the path search is complete), there are some cases where permission can get in the way. Adding a callback to set the runas password should do the trick for your use case though. I'll attach a simple patch that works for me here.
Created attachment 241: add callback to set runas user
Awesome - that patch works perfectly for me. One note about it though - it seems the visudo.c diff ended up containing the diffs for sudo.(c|h) and defaults.c as well (so they are duplicated) - it caused patch to think that you want to reverse the patches.

Will this make it into the next point release (it's certainly something we'd like to use at my employer (nytimes))?

Thanks a bunch for the speedy response!,
--
Carl
Created attachment 243: update runas user after parsing command defaults
New, simpler fix that plays nicely with the -u flag. This will go into sudo 1.7.1.
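
The ordering problem discussed in this thread, as an added example that is not part of the bug report and is not sudo's source code: a simplified Python model that picks the runas user before the command is known, then optionally re-evaluates it once the command-specific Defaults have been parsed. The function names, the `apply_cmnd_defaults_to_runas` switch and the reading of "plays nicely with the -u flag" as "an explicit -u is never overridden" are assumptions; the sudoers sample is constructed from the reporter's snippet.

```python
# Simplified model of the ordering problem in this bug; not sudo's source code.
# Constructed sudoers sample, based on the reporter's snippet.
SUDOERS = """\
Defaults:rabbitt !authenticate
Defaults!/usr/bin/whoami runas_default=apache
rabbitt ALL = (apache) NOPASSWD: /usr/bin/whoami
"""

def parse(text):
    """Return (command_defaults, rules) for the tiny subset used above."""
    cmnd_defaults, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Defaults!"):
            # Command-specific default: Defaults!<command> <option>=<value>
            cmnd, _, setting = line[len("Defaults!"):].partition(" ")
            key, _, value = setting.strip().partition("=")
            cmnd_defaults.setdefault(cmnd, {})[key] = value
        elif line and not line.startswith("Defaults"):
            # User spec: <user> <host> = (<runas>) [TAG:] <command>
            user, _, rest = line.partition(" ")
            runas = rest[rest.index("(") + 1:rest.index(")")]
            cmnd = rest.rsplit(":", 1)[1].strip()
            rules.append((user, runas, cmnd))
    return cmnd_defaults, rules

def check(user, cmnd, dash_u=None, apply_cmnd_defaults_to_runas=True):
    """Return (runas user used for the lookup, whether a rule permits it)."""
    cmnd_defaults, rules = parse(SUDOERS)
    # The runas user is chosen before the command is known: -u or root.
    runas = dash_u or "root"
    if apply_cmnd_defaults_to_runas and dash_u is None:
        # Modelled fix: update the runas user after command Defaults are
        # parsed, but never override an explicit -u (assumption).
        runas = cmnd_defaults.get(cmnd, {}).get("runas_default", runas)
    # Deny unless a rule matches user, runas user and command exactly.
    return runas, (user, runas, cmnd) in rules

if __name__ == "__main__":
    cases = [
        ("reported behaviour", dict(apply_cmnd_defaults_to_runas=False)),
        ("after the fix", dict()),
        ("after the fix, -u root", dict(dash_u="root")),
    ]
    for label, kwargs in cases:
        print(label, check("rabbitt", "/usr/bin/whoami", **kwargs))
```

In the first case the lookup is made for root, which the `(apache)` rule does not cover, so the request is denied exactly as in the reporter's "Actual Test Results".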