Bugzilla – Bug 541
sudoedit behaviour when sudoers argument terminates with '*' differs between 1.7.x and 1.8.x
Last modified: 2022-03-04 09:20:02 MST
The FNM_PATHNAME flag set in match.c changes the behaviour of the '*' wildcard when '*' is the last character in arguments to the sudoedit keyword.

sudoers entry:

    userA ALL= sudoedit /usr/tivoli/tsm/*

Works in 1.7.4p6:

    sudoedit /usr/tivoli/tsm/client/ba/bin/dsm.opt

In 1.8.4p2, it is rejected.

Works in both 1.7.4p6 and 1.8.4p2:

    sudoedit /usr/tivoli/tsm/anyfile

Relevant code from plugins/sudoers/match.c (lines 378-384):

    if (sudoers_args) {
        /* For sudoedit, all args are assumed to be pathnames. */
        if (strcmp(sudoers_cmnd, "sudoedit") == 0)
            flags = FNM_PATHNAME;
        if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0)
            debug_return_bool(true);
    }

If line 381 is changed to

    flags = 0;

the 1.8.4p2 behaviour appears to be the same as 1.7.4p6.
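To make the difference concrete, the following is an added example (not sudo's code and not part of the bug report) that mirrors the flag decision quoted from match.c and runs fnmatch(3) over the reporter's pattern with flags = 0 (the 1.7.x behaviour) and with FNM_PATHNAME (the 1.8.x behaviour). The third path is constructed for this example to show the security-relevant side of the change: without FNM_PATHNAME a trailing '*' also matches '/' and therefore '..' components, so the glob alone would accept a path outside the intended tree. The example only shows what fnmatch accepts; any further path checks sudo itself applies are outside its scope.

```c
/* Added example (not sudo's own code): compare fnmatch(3) matching of a
 * sudoedit argument pattern with flags = 0 (sudo 1.7.x behaviour) and with
 * FNM_PATHNAME (sudo 1.8.x behaviour, as in plugins/sudoers/match.c). */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the decision in match.c: arguments to the sudoedit keyword are
 * matched with FNM_PATHNAME, arguments to any other command with no flags.
 * Returns 1 on match, 0 otherwise. */
static int sudoedit_args_match(const char *sudoers_cmnd,
                               const char *sudoers_args,
                               const char *user_args)
{
    int flags = 0;
    if (strcmp(sudoers_cmnd, "sudoedit") == 0)
        flags = FNM_PATHNAME;          /* '*' and '?' no longer match '/' */
    return fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0;
}

/* The 1.7.x behaviour the report describes: plain fnmatch, no flags, so a
 * trailing '*' matches across directory separators. */
static int legacy_args_match(const char *sudoers_args, const char *user_args)
{
    return fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0;
}

int main(void)
{
    const char *pattern = "/usr/tivoli/tsm/*";   /* sudoers entry from the report */
    const char *paths[] = {
        "/usr/tivoli/tsm/anyfile",                /* accepted by both versions */
        "/usr/tivoli/tsm/client/ba/bin/dsm.opt",  /* accepted by 1.7.x only */
        "/usr/tivoli/tsm/../../../etc/shadow",    /* constructed: '..' traversal */
    };

    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        printf("%-40s  flags=0: %-3s  FNM_PATHNAME: %s\n", paths[i],
               legacy_args_match(pattern, paths[i]) ? "yes" : "no",
               sudoedit_args_match("sudoedit", pattern, paths[i]) ? "yes" : "no");
    }
    return 0;
}
```

Run it and the first path matches under both flag settings, the second (the reporter's dsm.opt case) only with flags = 0, and the constructed traversal path also only with flags = 0, which is exactly the class of argument FNM_PATHNAME is there to reject.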
I guess this should be closed as NOTABUG as it appears to be intended behavior now. The man page indicates:

    sudoedit
        Command line arguments to the sudoedit built-in command should always be path names, so a forward slash ('/') will not be matched by a wildcard.

However, it does make it very difficult to allow users to edit files in a large or changing directory tree.
Sudo 1.9.10 supports regular expressions in sudoedit args which can be used to give access to subdirectories.
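As an added illustration (not part of the bug report) of the regular-expression form mentioned above: in sudoers, a pattern is treated as a regular expression when it begins with '^' and ends with '$'. The entry below is an assumed rewrite of the reporter's rule for sudo 1.9.10 or later; the user name and path are taken from the report, the regex itself is this example's.

```sudoers
# Glob form: '*' does not match '/', so only files directly under
# /usr/tivoli/tsm/ can be edited (sudo 1.8.x and later behaviour).
userA ALL = sudoedit /usr/tivoli/tsm/*

# Regex form (sudo 1.9.10 or later): '.*' does match '/', so files in
# subdirectories such as client/ba/bin/dsm.opt are covered as well.
userA ALL = sudoedit ^/usr/tivoli/tsm/.*$
```

Note that '.*' in the regex form also matches '..' path components, so before relying on it, test with a path such as /usr/tivoli/tsm/../../../etc/shadow on the sudo version in use and confirm that it is rejected.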