Bug 636 - sudo -l cannot detect negation in command alias
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.3
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2014-03-13 01:30 MDT by Mond Wan
Modified: 2014-03-13 18:34 MDT

See Also:


Attachments
test case (4.19 KB, text/plain)
2014-03-13 01:30 MDT, Mond Wan
Fix for negated commands in sudo -l (385 bytes, patch)
2014-03-13 08:19 MDT, Todd C. Miller

Description Mond Wan 2014-03-13 01:30:06 MDT
Created attachment 397 [details]
test case

Hello all, I would like to ask whether this is a bug or whether it is done on purpose.

What I want to do is a privilege check before running a command with sudo.

However, sudo -l seems unable to spot the negations inside a command alias.
Below are the test cases I have tried on 1.8.3p1. Actually, I have the same issue on 1.7.10p6.

Sudoers I/O plugin version 1.8.3p1

Case 1: 2 negations in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
====================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
/usr/bin/passwd
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
Sorry, user solider is not allowed to execute '/usr/bin/passwd' as root on SERVER.


Case 2: 1 negation in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.

Case 3: No negation in command alias
/etc/sudoers
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd 
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

solider@SERVER:/root$ sudo passwd root
Enter new UNIX password: 

Case 4: Directly add on command alias
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !/usr/bin/passwd root
===================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~# su solider
solider@SERVER:/root$ sudo passwd root
Sorry, user solider is not allowed to execute '/usr/bin/passwd root' as root on SERVER.
solider@SERVER:/root$ sudo passwd 
[sudo] password for solider: 

Case 5: Negation on command alias
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
==========================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 6: Double negations
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 7: Single negation on command
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, TEST_NEGATION
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 8:
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
/usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#

Case 9:
Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*
Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root
Cmnd_Alias WRAP_PASSWD = TEST_NEGATION
solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !WRAP_PASSWD
============================================================
root@SERVER:~# sudo -l -U solider /usr/bin/passwd root
root@SERVER:~# sudo -l -U solider /usr/bin/passwd
root@SERVER:~#
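The nine cases above all come down to one rule: sudoers evaluates a command list so that the last matching entry wins, and a leading "!" flips the verdict of the entry, or of the whole Cmnd_Alias body, that it prefixes. The following script is an added illustration, not sudo's code and not part of the report: it models that rule over the reporter's own sudoers snippets (copied verbatim into CASES) and prints what `sudo -l -U solider <command>` should show once negated entries are honoured. Assumptions: the parser understands only the two line shapes used in the report and ignores user, host and runas matching; argument globs are matched with fnmatch, as sudoers does; a negated alias reference yields the flipped verdict of its body; an entry with no arguments matches any arguments, and `""` matches only an empty argument list.

```python
"""Model of sudoers command matching with negated entries and Cmnd_Alias
references.  Added illustration of the "last match wins" rule, not sudo code."""
import fnmatch

ALLOW, DENY, UNSPEC = True, False, None   # UNSPEC: the entry did not match

# The nine sudoers snippets from the bug report, copied verbatim.
PM = "Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*"
TN_ALLOW = "Cmnd_Alias TEST_NEGATION = /usr/bin/passwd root"
TN_DENY = "Cmnd_Alias TEST_NEGATION = !/usr/bin/passwd root"
WRAP = "Cmnd_Alias WRAP_PASSWD = TEST_NEGATION"
CASES = {
    1: ["Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, "
        "!/usr/bin/passwd root, !/usr/bin/passwd",
        "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT"],
    2: ["Cmnd_Alias PASSWD_MANAGEMENT = /usr/bin/passwd [a-zA-Z0-9]*, "
        "!/usr/bin/passwd root",
        "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT"],
    3: [PM, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT"],
    4: [PM, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !/usr/bin/passwd root"],
    5: [PM, TN_ALLOW, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION"],
    6: [PM, TN_DENY, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !TEST_NEGATION"],
    7: [PM, TN_DENY, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, TEST_NEGATION"],
    8: [PM, TN_ALLOW, WRAP, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, WRAP_PASSWD"],
    9: [PM, TN_ALLOW, WRAP, "solider ALL = (ALL) NOPASSWD: PASSWD_MANAGEMENT, !WRAP_PASSWD"],
}


def parse(lines):
    """Split sudoers lines into Cmnd_Alias bodies and the user's command list.
    Handles only 'Cmnd_Alias NAME = a, b' and 'user ALL = (ALL) NOPASSWD: a, b';
    user/host/runas matching is out of scope and tags do not affect matching."""
    aliases, spec = {}, []
    for line in lines:
        lhs, rhs = line.split("=", 1)
        items = [item.strip() for item in rhs.split(",")]
        if lhs.split()[0] == "Cmnd_Alias":
            aliases[lhs.split()[1]] = items
        else:
            items[0] = items[0].split(":", 1)[-1].strip()  # drop '(ALL) NOPASSWD:'
            spec = items
    return aliases, spec


def args_match(entry_args, user_args):
    """sudoers argument rule: no arguments in the entry matches any arguments,
    a literal "" matches only an empty argument list, anything else is a glob."""
    if entry_args is None:
        return True
    if entry_args == '""':
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, entry_args)


def entry_verdict(entry, aliases, cmnd, user_args):
    """ALLOW, DENY or UNSPEC for one list item; a leading '!' flips the verdict
    of the item, or of the whole alias body it names."""
    negated = entry.startswith("!")
    body = entry[1:] if negated else entry
    if body in aliases:
        verdict = list_verdict(aliases[body], aliases, cmnd, user_args)
    else:
        path, _, entry_args = body.partition(" ")
        if path != cmnd or not args_match(entry_args or None, user_args):
            return UNSPEC
        verdict = ALLOW
    if verdict is UNSPEC:
        return UNSPEC
    return (not verdict) if negated else verdict


def list_verdict(items, aliases, cmnd, user_args):
    """Last match wins: walk the list backwards, stop at the first verdict."""
    for entry in reversed(items):
        verdict = entry_verdict(entry, aliases, cmnd, user_args)
        if verdict is not UNSPEC:
            return verdict
    return UNSPEC


def sudo_l(lines, cmnd, user_args=""):
    """What `sudo -l -U solider cmnd args` should print once negation is
    honoured: the command line if permitted, else None (sudo prints nothing)."""
    aliases, spec = parse(lines)
    if list_verdict(spec, aliases, cmnd, user_args) is ALLOW:
        return f"{cmnd} {user_args}".strip()
    return None


def report(case):
    """(result for 'passwd', result for 'passwd root') for one report case."""
    lines = CASES[case]
    return sudo_l(lines, "/usr/bin/passwd"), sudo_l(lines, "/usr/bin/passwd", "root")


if __name__ == "__main__":
    for n in CASES:
        print(f"case {n}: passwd -> {report(n)[0]!r}, passwd root -> {report(n)[1]!r}")
```

Where the report shows the runtime result ("Sorry, user solider is not allowed ..." in cases 1, 2 and 4), the model agrees with it; the differences from the reporter's `sudo -l` output (cases 1, 7 and 8 listing `/usr/bin/passwd root`) are exactly the negated entries the listing code ignored. In case 6 the model permits `passwd root`, because `!TEST_NEGATION` flips a body that itself denies it, while cases 7 and 9 deny it. A privilege pre-check that keys on what `sudo -l <command>` prints is only as trustworthy as that listing, so on affected versions it should not be relied on for commands reachable through a negated alias entry.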
Comment 1 Todd C. Miller 2014-03-13 08:19:57 MDT
Created attachment 398 [details]
Fix for negated commands in sudo -l

Please try the following patch against sudo 1.8.3p2 if possible.
Comment 2 Todd C. Miller 2014-03-13 18:34:21 MDT
Fixed in sudo 1.8.10p1, available now.