
Clarification in man page around command comma-list parsing #184

Closed
aayla-secura opened this issue Oct 6, 2022 · 4 comments

Comments

@aayla-secura

aayla-secura commented Oct 6, 2022

The man page says:

Once a tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).

And defines a Cmnd_Spec_List as a comma-separated list of Cmnd_Spec, and Cmnd_Spec including an optional Runas_Spec. It sounds like in the following entry:

test ALL = (root) NOPASSWD: /bin/ls, (nobody) /usr/bin/id

the id Cmnd_Spec should inherit the NOPASSWD tag, but in fact it doesn't. The tag is inherited only if subsequent Cmnds in the list don't include a Runas_Spec, e.g. the following cases:

test ALL = (root) NOPASSWD: /bin/ls, ROLE=selinux /usr/bin/id
test ALL = (root) NOPASSWD: /bin/ls, MAIL: /usr/bin/id
test ALL = (root) NOPASSWD: /bin/ls, /usr/bin/id

Is this intended or a bug? If intended, the man page should state it.

The same applies to the propagation/inheritance of Selinux specifications.

@millert
Collaborator

millert commented Oct 6, 2022

I can't reproduce this; the NOPASSWD tag gets inherited with your first example. There does appear to be a bug in the sudo -l output, but sudo -ll shows the correct information, and sudo does not require a password for sudo -u nobody /usr/bin/id.

millert added a commit that referenced this issue Oct 6, 2022
A new line is started when RunAs changes which means we need to display
the command tags and options again.  GitHub issue #184
@aayla-secura
Author

Interesting. v1.9.9 definitely requires a password for id:

$ sudo -ll
Matching Defaults entries for test on ip-172-31-44-38:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User test may run the following commands on ip-172-31-44-38:

Sudoers entry:
    RunAsUsers: root
    Options: !authenticate
    Commands:
        /bin/ls

Sudoers entry:
    RunAsUsers: nobody
    Options: !authenticate
    Commands:
        /usr/bin/id

ls requires no password:

$ sudo ls

id does:

$ which id
/usr/bin/id
$ sudo id
[sudo] password for test:
sudo: a password is required
$ ^C
$ sudo --version
Sudo version 1.9.9
Sudoers policy plugin version 1.9.9
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.9
Sudoers audit plugin version 1.9.9

@millert
Collaborator

millert commented Oct 7, 2022

That is because you are trying to run id as root, not nobody. If you run sudo -u nobody id it will not prompt for a password.

@aayla-secura
Author

> That is because you are trying to run id as root, not nobody. If you run sudo -u nobody id it will not prompt for a password.

Oh boy, you're right, my bad :)
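The thread turns on two details of how a sudoers Cmnd_Spec_List is evaluated: a tag set on one Cmnd carries forward to later Cmnds in the same comma-separated list (including across a Runas_Spec change, as millert confirms) until the opposite tag replaces it, and a rule only matches when the requested Runas user matches too, which is why `sudo id` (target user root) prompted while `sudo -u nobody id` would not. The following is an added illustration written for this thread, not sudo's own parser or any code from the sudo project: a small Python model of that subset of the grammar that can be run over the entry lines quoted above to show, for each command, the effective Runas user and tags, and whether a given request would require a password. It assumes a single user-spec line of the form `user host = (runas) [OPTION=value]... [TAG:]... command, ...`, ignores hosts, treats `ROLE=`/`TYPE=` options as present but not modelled, and knows only the NOPASSWD/PASSWD, NOEXEC/EXEC and MAIL/NOMAIL tag pairs; the `runas_default` of root is also an assumption matching stock sudo.

```python
import re
from dataclasses import dataclass

# Tag pairs: setting one tag clears its opposite (PASSWD overrides NOPASSWD,
# NOEXEC overrides EXEC, and so on), which is the override rule the man page
# quotes.  This is a model of the documented behaviour, not sudo's parser.
OPPOSITE = {
    "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD",
    "NOEXEC": "EXEC", "EXEC": "NOEXEC",
    "MAIL": "NOMAIL", "NOMAIL": "MAIL",
}


@dataclass(frozen=True)
class CmndSpec:
    runas: str          # effective Runas user for this command
    command: str        # the Cmnd itself (a path or ALL)
    tags: frozenset     # tags in force for this command after inheritance


def parse_cmnd_spec_list(spec_list, default_runas="root"):
    """Split a Cmnd_Spec_List on commas and carry Runas_Spec and tags forward.

    A Runas_Spec applies to every following Cmnd until a new one appears, and a
    tag persists to later Cmnds (even when the Runas_Spec changes) until its
    opposite tag is set.  default_runas models runas_default (assumed root).
    """
    runas = default_runas
    tags = set()
    specs = []
    for item in spec_list.split(","):
        item = item.strip()
        # Optional Runas_Spec: "(user)" at the start of this Cmnd_Spec.
        m = re.match(r"\(([^)]*)\)\s*(.*)", item)
        if m:
            runas = m.group(1).strip()
            item = m.group(2)
        while True:
            # Option_Spec such as ROLE=selinux or TYPE=...: recognised and
            # skipped; SELinux options are deliberately not modelled here.
            m = re.match(r"[A-Z]+=\S+\s*(.*)", item)
            if m:
                item = m.group(1)
                continue
            # Tag_Spec such as NOPASSWD: or MAIL: (only known pairs count).
            m = re.match(r"([A-Z]+):\s*(.*)", item)
            if m and m.group(1) in OPPOSITE:
                tags.discard(OPPOSITE[m.group(1)])
                tags.add(m.group(1))
                item = m.group(2)
                continue
            break
        specs.append(CmndSpec(runas, item.strip(), frozenset(tags)))
    return specs


def parse_user_spec(line):
    """Parse 'user host = Cmnd_Spec_List' into (user, host, [CmndSpec, ...])."""
    user_host, _, spec_list = line.partition("=")
    user, host = user_host.split()
    return user, host, parse_cmnd_spec_list(spec_list)


def password_required(line, user, runas, command):
    """Return False/True per NOPASSWD for the last matching rule on the line,
    or None when no rule matches (sudo would then refuse the command).

    The Runas user must match: a rule granting id as nobody says nothing about
    running id as root, which is the gotcha at the end of the thread.
    """
    spec_user, _, specs = parse_user_spec(line)
    if spec_user != user:
        return None
    verdict = None
    for spec in specs:
        if spec.runas == runas and spec.command in ("ALL", command):
            verdict = "NOPASSWD" not in spec.tags   # last match wins
    return verdict


if __name__ == "__main__":
    # The entry lines from the issue, used here as constructed sample input.
    for line in (
        "test ALL = (root) NOPASSWD: /bin/ls, (nobody) /usr/bin/id",
        "test ALL = (root) NOPASSWD: /bin/ls, ROLE=selinux /usr/bin/id",
        "test ALL = (root) NOPASSWD: /bin/ls, MAIL: /usr/bin/id",
        "test ALL = (root) NOPASSWD: /bin/ls, /usr/bin/id",
    ):
        print(line)
        for spec in parse_user_spec(line)[2]:
            print(f"   runas={spec.runas:<7} tags={sorted(spec.tags)} {spec.command}")
    rule = "test ALL = (root) NOPASSWD: /bin/ls, (nobody) /usr/bin/id"
    print("sudo id          ->", password_required(rule, "test", "root", "/usr/bin/id"))
    print("sudo -u nobody id ->", password_required(rule, "test", "nobody", "/usr/bin/id"))
```

Running the block prints NOPASSWD in force for /usr/bin/id on all four lines, and `None` for `sudo id` against the first rule (no rule grants id as root) versus `False` for `sudo -u nobody id`. When auditing a real sudoers file, treat this model only as a reading aid: `sudo -ll` on the host, or `sudo -l -U user`, is the authoritative view of what the policy plugin will actually allow, and the `sudo -l` display bug mentioned above is fixed by the commit referenced in this issue.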
