Bugzilla – Bug 691
Manpage: specify explicitly that a wildcard can match across many command line parameters
Last modified: 2015-11-01 15:29:56 MST
Hello, sudoers has quite a peculiar way of using wildcards. Contrary to my predictions, it turned out that wildcards can match across many command line parameters. However, it isn't specified in the manual at all and can cause security issues.

Let's take one of the examples from the manual:

    pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

If passwd could be invoked like:

    passwd user1 root

the above stanza could introduce a security issue. Fortunately, at least passwd from coreutils does not work that way.

This should be clearly and visibly (e.g. in bold) documented in the man page in the section "Wildcards" and in the section "EXAMPLES" in the description of the example that uses wildcards.
The manual states:

    Wildcards in command line arguments should be used with care. Because command line arguments are matched as a single, concatenated string, a wildcard such as '?' or '*' can match multiple words. For example, while a sudoers entry like:

        %operator ALL = /bin/cat /var/log/messages*

    will allow command like:

        $ sudo cat /var/log/messages.1

    It will also allow:

        $ sudo cat /var/log/messages /etc/shadow

    which is probably not what was intended.

Also, for the passwd example there is already the following text:

    Note that this assumes passwd(1) does not take multiple user names on the command line.

I've added some emphasis to try and help make the point, but there's only so much I can do if people don't read the text that's there. See http://www.sudo.ws/repos/sudo/rev/54d793aea6b2
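The matching behaviour described in the manual text above, modelled in Python as an added example (this is not code from the bug report or from sudo itself, and it is a simplified model of the documented rules, not sudo's matcher): the command path must match exactly, the sudoers arguments and the user's arguments are each joined into one string and compared with fnmatch(3), a Cmnd with no arguments allows any arguments, a Cmnd with "" allows none, and the last matching entry in a Cmnd list decides, so a leading "!" turns a match into a denial. The helper names and the hardened OPERATOR_CMNDS_FIXED list (which simply enumerates the permitted files instead of using a wildcard) are this example's own assumptions.

```python
import fnmatch
import shlex

# The two sudoers Cmnd lists discussed in this bug.
OPERATOR_CMNDS = "/bin/cat /var/log/messages*"
PETE_CMNDS = "/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root"

# Hardened alternative for the operator entry (an assumption of this example,
# not taken from the manual): list the files instead of using a wildcard,
# since fnmatch(3) offers no way to say "any characters except a space".
OPERATOR_CMNDS_FIXED = "/bin/cat /var/log/messages, /bin/cat /var/log/messages.1"


def args_match(rule_args, user_args):
    """Compare argument lists the way sudoers does: as one concatenated string."""
    if not rule_args:                 # no args in the sudoers entry: anything goes
        return True
    if rule_args == [""]:             # "" in the sudoers entry: no args allowed
        return not user_args
    pattern = " ".join(rule_args)
    subject = " ".join(user_args)
    # fnmatch has no notion of word boundaries: '*' and '?' match spaces too,
    # which is exactly why "/var/log/messages*" swallows " /etc/shadow".
    return fnmatch.fnmatchcase(subject, pattern)


def cmnd_match(rule, command):
    """True if a single Cmnd (already stripped of any leading '!') matches."""
    rule_parts = shlex.split(rule)
    cmd_parts = shlex.split(command)
    if not rule_parts or not cmd_parts or rule_parts[0] != cmd_parts[0]:
        return False
    return args_match(rule_parts[1:], cmd_parts[1:])


def allowed(cmnd_list, command):
    """Evaluate a comma-separated Cmnd list; the last matching entry decides.

    Commas inside patterns are not handled (sudoers requires them escaped).
    """
    result = False
    for entry in (e.strip() for e in cmnd_list.split(",")):
        stripped = entry.lstrip("!")
        negated = (len(entry) - len(stripped)) % 2 == 1   # odd count of '!' negates
        if cmnd_match(stripped, command):
            result = not negated
    return result


if __name__ == "__main__":
    # Constructed command lines for the two entries from the bug report.
    cases = [
        (OPERATOR_CMNDS, "/bin/cat /var/log/messages.1"),
        (OPERATOR_CMNDS, "/bin/cat /var/log/messages /etc/shadow"),
        (OPERATOR_CMNDS_FIXED, "/bin/cat /var/log/messages /etc/shadow"),
        (PETE_CMNDS, "/usr/bin/passwd alice"),
        (PETE_CMNDS, "/usr/bin/passwd root"),
        (PETE_CMNDS, "/usr/bin/passwd user1 root"),
    ]
    for cmnds, cmd in cases:
        verdict = "ALLOWED" if allowed(cmnds, cmd) else "denied"
        print(f"{cmnds:60} | {cmd:42} -> {verdict}")
```

Running it shows the two problems the bug is about: the operator entry admits "cat /var/log/messages /etc/shadow" because "*" spans the space, and the pete entry admits "passwd user1 root" because "[A-Za-z]*" matches the whole string "user1 root" while the "!... root" denial only matches the exact argument "root". The enumerated list denies the shadow read; it is only safe as long as the listed commands themselves do not accept extra words, which is the caveat the manual attaches to the passwd example.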
Fixed in sudo 1.8.15