Bug 500 – sudo 1.7.4_p5 allows combining several permitted parameters into one

Bug 500 - sudo 1.7.4_p5 allows combining several permitted parameters into one


Summary:	sudo 1.7.4_p5 allows combining several permitted parameters into one

Status:	ASSIGNED

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.7.4
Hardware:	PC Linux

Importance:	low normal
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2011-06-30 17:53 MDT by Maxim Kammerer
Modified:	2011-08-24 11:20 MDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Maxim Kammerer 2011-06-30 17:53:55 MDT

/etc/sudoers:
anon	liberte = NOPASSWD: /sbin/shutdown -[hr] now

sudo shutdown -h now -> allowed
sudo shutdown "-h now" -> allowed (probably shouldn't be)
sudo shutdown "-h  now" (two spaces) -> not allowed

Comment 1 Todd C. Miller 2011-08-24 11:20:08 MDT

Sudo's matching of spaces embedded in command arguments is currently suboptimal.  Part of the problem is that quoting like this is shell syntactic sugar, it isn't present when sudo examines the arguments.

The way command argument matching is currently done is by concatenating all the arguments into a single string, and so the grouping is lost.  One way to handle this would be to escape embedded spaces with a backslash, so the sudoers rules would also need to include backslashes.  Another option is to match the argument vector instead of a flat string, which allows for exact matching but is more cumbersome and may make wildcards less useful.