Bugzilla – Bug 640
uid match not working in sudoers file
Last modified: 2014-05-07 13:19:47 MDT
I'm having a problem using a numeric userid match in the sudoers file. I have the following in my sudoers file:

    User_Alias testuid = "#1000"
    testuid ALL=(ALL) NOPASSWD: /usr/bin/id

However my user with uid 1000 is not allowed to run the command; it's not listed in sudo -l.

After turning on sudo_debug and digging a bit through the sources I came across something odd in http://www.sudo.ws/repos/sudo/file/8cfb205831dc/plugins/sudoers/match.c on line 805:

    803     if (pw != NULL && *sudoers_user == '#') {
    804         uid = (uid_t) atoid(sudoers_user + 1, NULL, NULL, &errstr);
    805         if (errstr != NULL && uid == pw->pw_uid) {
    806             rc = true;
    807             goto done;
    808         }

If errstr is set then we compare the result of atoid with the uid? I've looked at the atoid function and this seems to set errstr to NULL when there are no errors, so I'm thinking this check should be 'errstr == NULL'? After changing it to == NULL the numeric uid match in sudoers file works.

A similar issue exists for groups on line 831:

    831         gid = (gid_t) atoid(sudoers_group + 1, NULL, NULL, &errstr);

However a quick test with "%#1000" seems to not hit this function (usergr_matches() instead) and numeric gid thus works.
Created attachment 402: Fix for uid and gid matching in sudoers

You are correct, the code should be checking for errstr == NULL for a successful match. The attached patch is what I am going to commit, along with some unit tests for the issue.
Fixed in sudo 1.8.10p3
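The following is an added illustration of the inverted error check discussed in this report; it is not sudo's code. parse_id() is a simplified stand-in for atoid() (same contract: *errstr is NULL on success, non-NULL on failure, and the return value is only meaningful on success), and user_uid_matches() shows the "#uid" comparison with the reported check beside the corrected one.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Simplified stand-in for atoid(): parse a non-negative decimal id.
 * On success *errstr is NULL and the id is returned; on failure *errstr
 * points to a message and the returned value must be ignored. */
static uid_t parse_id(const char *str, const char **errstr)
{
    char *end;
    unsigned long long val;

    *errstr = NULL;
    if (*str == '\0' || *str == '-' || *str == '+') {
        *errstr = "invalid value";
        return (uid_t)-1;
    }
    errno = 0;
    val = strtoull(str, &end, 10);
    if (*end != '\0') {                 /* trailing garbage, e.g. "10x" */
        *errstr = "invalid value";
        return (uid_t)-1;
    }
    if (errno == ERANGE || val > UINT_MAX) {
        *errstr = "value too large";
        return (uid_t)-1;
    }
    return (uid_t)val;
}

/* Does the sudoers entry "#<uid>" match pw_uid?
 * fixed == false reproduces the check from the report (errstr != NULL),
 * which can never succeed for a well-formed id because a clean parse
 * leaves errstr NULL.  fixed == true is the corrected check. */
static bool user_uid_matches(const char *sudoers_user, uid_t pw_uid, bool fixed)
{
    const char *errstr;
    uid_t uid;

    if (*sudoers_user != '#')
        return false;                   /* not a numeric entry */
    uid = parse_id(sudoers_user + 1, &errstr);
    if (fixed)
        return errstr == NULL && uid == pw_uid;
    return errstr != NULL && uid == pw_uid;
}
```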