[Bug 1853895] [NEW] Entries in sudoers files that include * do not behave like shell globs
ed
1853895 at bugs.launchpad.net
Mon Nov 25 19:39:14 UTC 2019
Public bug reported:
When mistakenly used in the argument list it can expand to protected
content, such as /etc/shadow. Most users do not expect this.
The following example will permit 'username' to read /etc/shadow as the
* character accepts any character and spaces.
username ALL=(ALL) /bin/cat /var/log/messages*
The patch adds the following style of argument matching that can
restrict the sudoers arguments to regex, thus allowing for additional
common logrotate suffixes.
username ALL = (ALL) /bin/cat m{/var/log/messages(\.[0-9]+|-[0-9]+)?$}
This improves the security stance of sudoers entries through tight regex
matches which most administrators are familiar with.
Changes are in <https://github.com/edneville/sudo>, viewable as
<https://github.com/sudo-project/sudo/compare/master...edneville:master>
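The following Python model, added here and not part of the bug report or of the sudo project, shows why the wildcard entry above is broader than it looks and why the regex form closes the gap. It assumes, as the report states, that sudo matches a sudoers argument pattern against the command-line arguments joined into one space-separated string, so a `*` spans word boundaries; it also assumes the proposed `m{...}` pattern is applied to that same joined string and must match it in full. The sudoers fragment and the audit helper that flags wildcard argument lists are constructed for this example.

```python
import fnmatch
import re

# Argument specs from the report: the wildcard form and the proposed regex form.
WEAK_RULE_ARGS = "/var/log/messages*"
REGEX_RULE_ARGS = r"/var/log/messages(\.[0-9]+|-[0-9]+)?$"


def glob_args_match(sudoers_args, argv):
    """Model of wildcard argument matching (assumption: like sudo, the command
    arguments are joined with single spaces and fnmatch'ed as one string, so
    '*' also consumes spaces and any further arguments)."""
    return fnmatch.fnmatchcase(" ".join(argv), sudoers_args)


def regex_args_match(pattern, argv):
    """Model of the proposed m{...} matching (assumption: the regex is applied
    to the joined argument string and must match all of it)."""
    return re.fullmatch(pattern, " ".join(argv)) is not None


# Constructed sudoers fragment used to demonstrate an audit for '*' in argument lists.
SAMPLE_SUDOERS = r"""# constructed sample sudoers fragment
Defaults env_reset
username ALL=(ALL) /bin/cat /var/log/messages*
username ALL = (ALL) /bin/cat m{/var/log/messages(\.[0-9]+|-[0-9]+)?$}
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
"""


def find_wildcard_args(sudoers_text):
    """Return (line_number, line) for user specs whose command part contains
    a '*' wildcard. Simplified parser: skips comments and Defaults lines and
    drops the '(runas)' group before looking for '*'."""
    findings = []
    for lineno, line in enumerate(sudoers_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("Defaults"):
            continue
        if "=" not in stripped:
            continue
        cmd_spec = stripped.split("=", 1)[1]
        cmd_spec = re.sub(r"\([^)]*\)", "", cmd_spec)  # remove the (runas) spec
        if "*" in cmd_spec:
            findings.append((lineno, stripped))
    return findings


if __name__ == "__main__":
    rotated = ["/var/log/messages.1"]
    extra = ["/var/log/messages", "/etc/shadow"]
    print("glob, rotated log :", glob_args_match(WEAK_RULE_ARGS, rotated))
    print("glob, extra file  :", glob_args_match(WEAK_RULE_ARGS, extra))
    print("regex, rotated log:", regex_args_match(REGEX_RULE_ARGS, rotated))
    print("regex, extra file :", regex_args_match(REGEX_RULE_ARGS, extra))
    for lineno, line in find_wildcard_args(SAMPLE_SUDOERS):
        print(f"wildcard argument list at line {lineno}: {line}")
```

The wildcard entry accepts the rotated log and, because `*` also matches the space, a second argument naming another file; the regex entry accepts only the rotated-log suffixes the author enumerated. The audit helper is a quick way to list entries worth reviewing in an existing sudoers file before converting them.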
** Affects: sudo (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1853895