cvtsudoers outputs invalid JSON (duplicate sha256 key) #370

Closed
es-fabricemarie opened this issue Apr 25, 2024 · 1 comment

@es-fabricemarie

Using the following sudoers file in /etc/sudoers.d/test5:

Cmnd_Alias SH_TEST = sha256:hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=, \
sha256:1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4= /bin/sh
Cmnd_Alias EDIT = sudoedit /etc/motd

Using the command:

cvtsudoers --defaults=all --output-format=JSON --input-format=SUDOERS --output=- /etc/sudoers.d/test5

We get the following invalid JSON output:

{
    "Command_Aliases": {
        "EDIT": [
            { "command": "sudoedit /etc/motd" }
        ],
        "SH_TEST": [
            {
                "command": "/bin/sh",
                "sha256": "hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=",
                "sha256": "1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4="
            }
        ]
    }
}

The issue here is the duplicated sha256 key in the dict/hash. Potential results of parsing this with various libraries are:

  • parsing exception outright ("duplicated key")
  • loss of the first sha256 sum (the last one simply overwriting the first one)

Instead, it should probably output this:

{
    "Command_Aliases": {
        "EDIT": [
            { "command": "sudoedit /etc/motd" }
        ],
        "SH_TEST": [
            {
                "command": "/bin/sh",
                "sha256": [
                    "hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=",
                    "1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4="
                ]
            }
        ]
    }
}

I haven't tested other checksums, but the rest of them probably have the same issue.

millert added a commit that referenced this issue Apr 25, 2024
Otherwise, we end up with duplicated keys in the object.
GitHub issue #370
@millert
Collaborator

millert commented Apr 25, 2024

Yes, that makes sense. I've made that change in c429220. This no longer preserves the order of the digests but I don't think that is a problem as the order doesn't really matter.

@millert millert closed this as completed Apr 25, 2024
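
The two parsing outcomes listed in the issue, shown as an added example that is not part of the original thread or of sudo's code: Python's default `json.loads` silently keeps only the last `sha256` value, so a tool auditing the converted policy would miss one permitted digest, while a strict loader rejects the document. The names `load_strict`, `sh_test_digests` and `DuplicateKeyError` are hypothetical, and accepting either a string or a list for a digest value is an assumption about what a consumer may encounter.

```python
import json

# Output quoted in the issue, reduced to the SH_TEST alias (duplicate "sha256" key).
DUPLICATED = """{"Command_Aliases": {"SH_TEST": [{
    "command": "/bin/sh",
    "sha256": "hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=",
    "sha256": "1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4="
}]}}"""

# Array form proposed in the issue.
ARRAY_FORM = """{"Command_Aliases": {"SH_TEST": [{
    "command": "/bin/sh",
    "sha256": ["hOtoe/iK6SlGg7w4BfZBBdSsXjUmTJ5+ts51yjh7vkM=",
               "1IXHRCxXgSnIEnb+xBz4PAfWaPdXIBWKFF0QCwxJ5G4="]
}]}}"""


class DuplicateKeyError(ValueError):
    """Raised when a JSON object repeats a key."""


def _reject_duplicates(pairs):
    # json passes every object's (key, value) pairs in document order.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise DuplicateKeyError(f"duplicate key {key!r} in JSON object")
        obj[key] = value
    return obj


def load_strict(text):
    """Parse JSON, failing on duplicate keys instead of keeping the last one."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def sh_test_digests(text, loader=json.loads, algo="sha256"):
    """Digests a consumer sees for SH_TEST; accepts a string or a list value
    (assumption: a single digest may still be emitted as a plain string)."""
    entry = loader(text)["Command_Aliases"]["SH_TEST"][0]
    value = entry.get(algo, [])
    return [value] if isinstance(value, str) else list(value)


if __name__ == "__main__":
    print(sh_test_digests(DUPLICATED))               # default parser on the old output
    print(sh_test_digests(ARRAY_FORM, load_strict))  # strict parser on the array form
```
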