[Bug 1174123] Re: sudo/sudoers ignores command argument quoting
Marc Deslauriers
marc.deslauriers at canonical.com
Fri May 10 18:44:29 UTC 2013
Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug. I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1174123
Title:
sudo/sudoers ignores command argument quoting
Status in “sudo” package in Ubuntu:
New
Bug description:
In sudoers I have:
    mai ALL=(root) NOPASSWD: /usr/bin/sux warcraft $HOME/run_roc
When I run:
    sudo sux warcraft '$HOME/run_roc'
Warcraft starts up correctly, without needing a password, as the
warcraft user:
    mai@mini:~$ sudo sux warcraft '$HOME/run_roc'
    wine: cannot find L"C:\\windows\\system32\\winemenubuilder.exe"
    # more wine warnings... warcraft starts
However if I rearrange the single quotes...
    mai@mini:~$ sudo sux 'warcraft $HOME/run_roc'
    warcraft@mini:/home/mai$
I get a shell for warcraft...
sudo seems to match commands in sudoers as if the arguments are not
quoted, allowing users to run commands that they should be prevented
from running. This could lead to users gaining extra privileges or in
some way damaging the system.
Ubuntu 12.04.2 LTS
sudo version 1.8.3p1-1ubuntu3.4
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1174123/+subscriptions
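Added example, not part of the original message or of sudo's source: a simplified Python model of the matching behaviour the report describes, for auditing which argument vectors a sudoers entry admits. It assumes the rule's argument text is compared against the invoked arguments joined with single spaces; all function names are hypothetical.

```python
from fnmatch import fnmatchcase
from itertools import product

# Constructed from the sudoers line in the report: the text after /usr/bin/sux.
RULE_ARGS = "warcraft $HOME/run_roc"


def joined(argv):
    """Flatten an argument vector as the model assumes: one space between items."""
    return " ".join(argv)


def flat_match(rule_args, argv):
    """Modelled matcher: compare the rule text with the flattened arguments."""
    user_args = joined(argv)
    if any(c in rule_args for c in "*?["):
        return fnmatchcase(user_args, rule_args)
    return user_args == rule_args


def vector_match(rule_args, argv):
    """Stricter comparison (hypothetical): argument boundaries must agree too."""
    return rule_args.split(" ") == list(argv)


def admitted_vectors(rule_args):
    """Every argv whose flattened form equals a wildcard-free rule string."""
    words = rule_args.split(" ")
    vectors = []
    # Each gap between words is either an argument boundary or a literal space.
    for cuts in product((True, False), repeat=len(words) - 1):
        argv = [words[0]]
        for word, cut in zip(words[1:], cuts):
            if cut:
                argv.append(word)
            else:
                argv[-1] += " " + word
        vectors.append(argv)
    return vectors


if __name__ == "__main__":
    for argv in admitted_vectors(RULE_ARGS):
        print(argv, "flat:", flat_match(RULE_ARGS, argv),
              "vector:", vector_match(RULE_ARGS, argv))
```

Both invocations from the report pass the flattened comparison, while only the two-argument form passes the vector comparison, so a policy author reviewing an entry like this has to consider what the wrapped program does with each admitted vector.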