Bugzilla – Bug 578
sudoers wildcard character(*) is unusably dangerous in command line arguments
Last modified: 2022-03-04 09:18:34 MST
(Apologies for the alarmist summary line, but on reflection I think it is actually a fairly accurate statement...) Because the fnmatch library call will always match spaces against the wildcard character (*), it is very difficult to envisage a situation where using it in a command line argument specification does not enable the command to be supplied arbitrary files as arguments. For example:

myuser myhost=(root) NOPASSWD: /bin/cat /proc/*

...also permits this command:

sudo cat /proc/uptime /etc/shadow

A Red Hat internal kbase (https://access.redhat.com/knowledge/solutions/204823) suggests a solution, but that is itself wrong. Its resolution shows this:

sullyvon ALL=NOPASSWD: /bin/cat /var/log/messages-*[[\:digit\:]]

But this still allows you to do:

sudo cat /var/log/messages- /etc/shadow 1

Todd Miller, in a discussion with Daniel Kopecak of Red Hat, describes a possible new syntax, either using full regular expressions or something along the lines of rsync's * and **, that would only match individual argument prefixes and not match across multiple space-separated arguments. Red Hat have already created RFE 871881 to cover this problem, but I believe it should also be logged against the upstream version.
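To make the reported fnmatch behaviour concrete, here is an added C example (my own illustration, not sudo's code): it joins the command's arguments with spaces and matches the whole string against the glob with fnmatch(3), as the report describes, and then applies the same glob one argument at a time, which is the per-argument matching the report asks for. The joining logic, the flags value of 0 and the sample argument lists are assumptions made for this demonstration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Reported behaviour: the arguments are joined with spaces and the whole
 * string is matched with fnmatch(3). Because '*' matches a space, one
 * wildcard can span several arguments. Returns 1 when the rule accepts. */
int joined_match(const char *pattern, int argc, char *const argv[]) {
    char joined[1024] = "";
    for (int i = 0; i < argc; i++) {
        if (i) strncat(joined, " ", sizeof joined - strlen(joined) - 1);
        strncat(joined, argv[i], sizeof joined - strlen(joined) - 1);
    }
    return fnmatch(pattern, joined, 0) == 0;  /* flags 0: assumption */
}

/* Per-argument alternative (illustration only, not a sudo feature): every
 * pattern must match exactly one argument, so '*' cannot cross an argument
 * boundary and extra arguments are rejected outright. */
int per_arg_match(int npat, const char *pats[], int argc, char *const argv[]) {
    if (npat != argc) return 0;
    for (int i = 0; i < argc; i++)
        if (fnmatch(pats[i], argv[i], 0) != 0) return 0;
    return 1;
}

int main(void) {
    /* Constructed sample: the argument list from the report's example */
    char *const argv[] = {"/proc/uptime", "/etc/shadow"};
    const char *pats[] = {"/proc/*"};
    printf("joined match : %d\n", joined_match("/proc/*", 2, argv)); /* 1: accepted */
    printf("per-arg match: %d\n", per_arg_match(1, pats, 2, argv));  /* 0: rejected */
    return 0;
}
```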
I have just received the following response to the Quest case I raised for the same issue (1088167):

'...I have passed your information Todd with the below reply "The only real fix for this is to add regular expression support to the sudoers file. The proposed replacement sudoers file format (which is RBAC-based) already specifies this and does not have wildcard support at all. I'm planning to add POSIX regular expression support for sudo 1.8.7."'

This is great news, thanks in advance Todd, but I have a couple more questions:

1. What do you mean by an RBAC-based sudoers file format?
2. Are Red Hat already aware of your intention to add this to 1.8.7? I believe there was a recent comment from their guy along the lines that he would implement it if you weren't planning to soon (just making sure you're not both doing it at the same time).

Thanks again
Sudo 2.0 will include an RBAC-based policy format. The design document is located at http://www.sudo.ws/sudo/sudo-rbac.html. I was not aware that Red Hat was planning to add regexp support so they are probably not aware of my plans either.
Hello,

Can this patch be included in the meantime please? https://www.sudo.ws/pipermail/sudo-workers/2019-March/001232.html

I believe it would solve wildcard issues and reduce complexity.

Ed
Hi, a similar patch was rejected years ago: https://www.sudo.ws/pipermail/sudo-workers/2016-March/date.html

Regards
I don't know if that's a rejection: "I'm going to have to think about this a bit." If the fuller solution isn't considered, maybe a smaller minimal solution could be. I'm hoping something can be done, and I'm willing to put energy into it to help. Linking to the github issue (which links here): https://github.com/sudo-project/sudo/issues/15
*** Bug 919 has been marked as a duplicate of this bug. ***
Sudo 1.9.10 will include regular expression support.
Sudo 1.9.10 includes regular expression support.