Re: sudo and globbing

2016-01-08 Thread Jiri B
On Fri, Jan 08, 2016 at 12:04:15PM +0200, Alexey Kurinnij wrote:
> And what about difference? Explain please.
> 
> > > I discovered an article about sudo and globbing[1] and
> > > there's difference how it does work on Linux and OpenBSD.
> >
> > http://zurlinux.com/?p=2244
> >
> > > - openbsd
> > >
> > > # su -s /usr/local/bin/bash - nobody
> > > No home directory /nonexistent!
> > > Logging in with home = "/".
> > > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> > > -rw---  1 _tor  _tor20442 Dec 10 11:32 /var/tor/cached-certs
> > > -rw---  1 _tor  _tor  1409287 Jan  7 15:56
> > /var/tor/cached-microdesc-consensus
> > > -rw---  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
> > > -rw---  1 _tor  _tor0 Jan  7 17:23
> > /var/tor/cached-microdescs.new
> > > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> > > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev
> > etc  home mnt  root sbin sys  tftpboot tmp
> > usr  var

^^^ here '*' gets expanded inside original user's shell.

> > > - linux
> > >
> > > [root@slot-1 ~]# su -s /bin/bash nobody
> > > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> > > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> > > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> > > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache

^^^ here '*' gets expanded probably later, as original user does
not have access to /var/cache/ldconfig at all.

In both cases original user does not have access to /var/tor, respectively
to /var/cache/ldconfig.

So the question is: why does same command on equally "restricted" dir
path gets different output - why on openbsd does '*' get expanded
immediately but on linux is it taken into account somehow by sudo (?)...

j.



Re: sudo and globbing

2016-01-08 Thread Peter Hessler
On 2016 Jan 08 (Fri) at 05:52:32 -0500 (-0500), Jiri B wrote:
:On Fri, Jan 08, 2016 at 12:04:15PM +0200, Alexey Kurinnij wrote:
:> And what about difference? Explain please.
:> 
:> > > I discovered an article about sudo and globbing[1] and
:> > > there's difference how it does work on Linux and OpenBSD.
:> >
:> > http://zurlinux.com/?p=2244
:> >
:> > > - openbsd
:> > >
:> > > # su -s /usr/local/bin/bash - nobody
:> > > No home directory /nonexistent!
:> > > Logging in with home = "/".
:> > > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
:> > > -rw---  1 _tor  _tor20442 Dec 10 11:32 /var/tor/cached-certs
:> > > -rw---  1 _tor  _tor  1409287 Jan  7 15:56
:> > /var/tor/cached-microdesc-consensus
:> > > -rw---  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
:> > > -rw---  1 _tor  _tor0 Jan  7 17:23
:> > /var/tor/cached-microdescs.new
:> > > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
:> > > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev
:> > etc  home mnt  root sbin sys  tftpboot tmp
:> > usr  var
:
:^^^ here '*' gets expanded inside original user's shell.
:
:> > > - linux
:> > >
:> > > [root@slot-1 ~]# su -s /bin/bash nobody
:> > > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
:> > > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
:> > > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
:> > > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
:
:^^^ here '*' gets expanded probably later, as original user does
:not have access to /var/cache/ldconfig at all.
:
:In both cases original user does not have access to /var/tor, respectively
:to /var/cache/ldconfig.
:
:So the question is: why does same command on equally "restricted" dir
:path gets different output - why on openbsd does '*' get expanded
:immediately but on linux is it taken into account somehow by sudo (?)...
:
:j.
:

$ ls -l /var/spool/smtpd/* | head 
ls: /var/spool/smtpd/*: No such file or directory
$ ls -l /var/spool/smtpd  
ls: smtpd: Permission denied
$ doas bash -c "ls -l /var/spool/smtpd/*" | head 
/var/spool/smtpd/corrupt:

/var/spool/smtpd/incoming:

/var/spool/smtpd/offline:

/var/spool/smtpd/purge:
total 352
drwx--  2 _smtpq  wheel  512 Jan 14  2015 1040272804
drwx--  2 _smtpq  wheel  512 Jan 14  2015 1056615683
$ sudo bash -c "ls -l /var/spool/smtpd/*" | head 
/var/spool/smtpd/corrupt:

/var/spool/smtpd/incoming:

/var/spool/smtpd/offline:

/var/spool/smtpd/purge:
total 352
drwx--  2 _smtpq  wheel  512 Jan 14  2015 1040272804
drwx--  2 _smtpq  wheel  512 Jan 14  2015 1056615683
$ uname -a
OpenBSD dante.berlin.hsgate.de 5.9 GENERIC.MP#2 amd64


I can't reproduce your failure on -current.  I'm assuming there was some
spaces or quotation failures when you generated your example.


-- 
"A radioactive cat has eighteen half-lives."



Re: sudo and globbing

2016-01-08 Thread Eric Furman
There are so many differences between Linux and every other flavour of
UNIX; like OpenBSD, AIX, Solaris, etc, that WTF is your point??
Really?
What about Gnu's Not UNIX don't you get?
This crap is just trolling, IMHO.

On Fri, Jan 8, 2016, at 09:27 AM, Alexander Hall wrote:
> On January 8, 2016 11:52:32 AM GMT+01:00, Jiri B <ji...@devio.us> wrote:
> >On Fri, Jan 08, 2016 at 12:04:15PM +0200, Alexey Kurinnij wrote:
> >> And what about difference? Explain please.
> >> 
> >> > > I discovered an article about sudo and globbing[1] and
> >> > > there's difference how it does work on Linux and OpenBSD.
> >> >
> >> > http://zurlinux.com/?p=2244
> >> >
> >> > > - openbsd
> >> > >
> >> > > # su -s /usr/local/bin/bash - nobody
> >> > > No home directory /nonexistent!
> >> > > Logging in with home = "/".
> >> > > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> >> > > -rw---  1 _tor  _tor20442 Dec 10 11:32
> >/var/tor/cached-certs
> >> > > -rw---  1 _tor  _tor  1409287 Jan  7 15:56
> >> > /var/tor/cached-microdesc-consensus
> >> > > -rw---  1 _tor  _tor  5107307 Jan  7 17:23
> >/var/tor/cached-microdescs
> >> > > -rw---  1 _tor  _tor0 Jan  7 17:23
> >> > /var/tor/cached-microdescs.new
> >> > > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> >> > > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp  
> >dev
> >> > etc  home mnt  root sbin sys  tftpboot tmp
> >> > usr  var
> >
> >^^^ here '*' gets expanded inside original user's shell.
> 
> I see no way that glob would result in the contents of the root
> directory. 
> 
> Here's my guess: everything after -s is concatenated and whitespace
> separated, effectively turning the example into 
> 
> bash -c ls -l /var/tor/cache*
> 
> Thus, start bash and ask it to run "ls". Also pass "-l" and
> /var/tor/cache* as $0, $1... The latter of which is pretty pointless. 
> 
> This could be a matter of different default configurations between $LINUX
> and openbsd. 
> 
> /Alexander 
> 
> >
> >> > > - linux
> >> > >
> >> > > [root@slot-1 ~]# su -s /bin/bash nobody
> >> > > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> >> > > -rw---. 1 root root 26470 Dec 22 17:52
> >/var/cache/ldconfig/aux-cache
> >> > > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> >> > > -rw---. 1 root root 26470 Dec 22 17:52
> >/var/cache/ldconfig/aux-cache
> >
> >^^^ here '*' gets expanded probably later, as original user does
> >not have access to /var/cache/ldconfig at all.
> >
> >In both cases original user does not have access to /var/tor,
> >respectively
> >to /var/cache/ldconfig.
> >
> >So the question is: why does same command on equally "restricted" dir
> >path gets different output - why on openbsd does '*' get expanded
> >immediately but on linux is it taken into account somehow by sudo
> >(?)...
> >
> >j.



Re: sudo and globbing

2016-01-08 Thread Alexey Kurinnij
And what about difference? Explain please.

On Thu, Jan 7, 2016 at 7:03 PM, Jiri B <ji...@devio.us> wrote:

> On Thu, Jan 07, 2016 at 11:43:14AM -0500, Jiri B wrote:
> > I discovered an article about sudo and globbing[1] and
> > there's difference how it does work on Linux and OpenBSD.
>
> I forgot to put the url
>
> http://zurlinux.com/?p=2244
>
> > - openbsd
> >
> > # su -s /usr/local/bin/bash - nobody
> > No home directory /nonexistent!
> > Logging in with home = "/".
> > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> > -rw---  1 _tor  _tor20442 Dec 10 11:32 /var/tor/cached-certs
> > -rw---  1 _tor  _tor  1409287 Jan  7 15:56
> /var/tor/cached-microdesc-consensus
> > -rw---  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
> > -rw---  1 _tor  _tor0 Jan  7 17:23
> /var/tor/cached-microdescs.new
> > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev
> etc  home mnt  root sbin sys  tftpboot tmp
> usr  var
> >
> > - linux
> >
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ exit
> > [root@slot-1 ~]# visudo
> > [root@slot-1 ~]# su -s /bin/bash nobody
> > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> > -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache



Re: sudo and globbing

2016-01-08 Thread Raf Czlonka
On Thu, Jan 07, 2016 at 04:43:14PM GMT, Jiri B wrote:
> I discovered an article about sudo and globbing[1] and
> there's difference how it does work on Linux and OpenBSD.

AFAIK, globbing is done by shell and sudo doesn't take part in it.

> # su -s /usr/local/bin/bash - nobody
                              ^
> [root@slot-1 ~]# su -s /bin/bash nobody
> [...]
> Could anybody explain the difference?

One thing I can see is that on OpenBSD, you run bash as a login shell
but not on Linux.

My guess is that your bash login shell options, or globbing options
between the systems in general, are the cause of the above.

Regards,

Raf



Re: sudo and globbing

2016-01-08 Thread ludovic coues
2016-01-08 11:52 GMT+01:00 Jiri B :
>
> So the question is: why does same command on equally "restricted" dir
> path gets different output - why on openbsd does '*' get expanded
> immediately but on linux is it taken into account somehow by sudo (?)...
>
> j.
>

you put a dash between the shell and the user in the command on
openbsd. You didn't put that dash on linux.



Re: sudo and globbing

2016-01-08 Thread Alexander Hall
On January 8, 2016 11:52:32 AM GMT+01:00, Jiri B <ji...@devio.us> wrote:
>On Fri, Jan 08, 2016 at 12:04:15PM +0200, Alexey Kurinnij wrote:
>> And what about difference? Explain please.
>> 
>> > > I discovered an article about sudo and globbing[1] and
>> > > there's difference how it does work on Linux and OpenBSD.
>> >
>> > http://zurlinux.com/?p=2244
>> >
>> > > - openbsd
>> > >
>> > > # su -s /usr/local/bin/bash - nobody
>> > > No home directory /nonexistent!
>> > > Logging in with home = "/".
>> > > -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
>> > > -rw---  1 _tor  _tor20442 Dec 10 11:32
>/var/tor/cached-certs
>> > > -rw---  1 _tor  _tor  1409287 Jan  7 15:56
>> > /var/tor/cached-microdesc-consensus
>> > > -rw---  1 _tor  _tor  5107307 Jan  7 17:23
>/var/tor/cached-microdescs
>> > > -rw---  1 _tor  _tor0 Jan  7 17:23
>> > /var/tor/cached-microdescs.new
>> > > -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
>> > > .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp  
>dev
>> > etc  home mnt  root sbin sys  tftpboot tmp
>> > usr  var
>
>^^^ here '*' gets expanded inside original user's shell.

I see no way that glob would result in the contents of the root directory. 

Here's my guess: everything after -s is concatenated and whitespace separated, 
effectively turning the example into 

bash -c ls -l /var/tor/cache*

Thus, start bash and ask it to run "ls". Also pass "-l" and /var/tor/cache* as 
$0, $1... The latter of which is pretty pointless. 

This could be a matter of different default configurations between $LINUX and 
openbsd. 

/Alexander 

>
>> > > - linux
>> > >
>> > > [root@slot-1 ~]# su -s /bin/bash nobody
>> > > bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
>> > > -rw---. 1 root root 26470 Dec 22 17:52
>/var/cache/ldconfig/aux-cache
>> > > bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
>> > > -rw---. 1 root root 26470 Dec 22 17:52
>/var/cache/ldconfig/aux-cache
>
>^^^ here '*' gets expanded probably later, as original user does
>not have access to /var/cache/ldconfig at all.
>
>In both cases original user does not have access to /var/tor,
>respectively
>to /var/cache/ldconfig.
>
>So the question is: why does same command on equally "restricted" dir
>path gets different output - why on openbsd does '*' get expanded
>immediately but on linux is it taken into account somehow by sudo
>(?)...
>
>j.



Re: sudo and globbing

2016-01-08 Thread Todd C. Miller
You are comparing two very different versions of sudo.  The sudo
that used to ship with OpenBSD is version 1.7.2p8 which is rather
ancient.  On Linux you probably have some variant of sudo 1.8.x.
Newer versions of sudo escape spaces in the command run via "sudo
-s" whereas the ancient 1.7.2p8 does not.  That probably explains
the difference.

If you install sudo from ports you will get the same behavior you
see on linux.

 - todd
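
The difference described above, as an added example that is not part of the
original thread and not sudo's own code: a model of how "sudo -s" turns its
arguments into the single string handed to the target shell's -c option.
Assumptions: /bin/sh stands in for the target shell, no sudo or privileges
are involved, the sandbox files are constructed, and the exact set of
characters left unescaped in join_escaped is a guess at the newer behaviour.

```shell
#!/bin/sh
# Models the string "sudo -s" passes to "$SHELL -c". Function names and the
# sandbox layout are hypothetical, chosen for this illustration only.

# Old behaviour as described in the thread: join arguments with spaces only.
join_plain() {
    out=
    for a in "$@"; do out="$out${out:+ }$a"; done
    printf '%s' "$out"
}

# Newer behaviour (modelled): backslash-escape each argument, then join.
# Keeping alphanumerics, '_', '-' and '$' unescaped is an assumption.
join_escaped() {
    out=
    for a in "$@"; do
        e=$(printf '%s' "$a" | sed 's/[^A-Za-z0-9_$-]/\\&/g')
        out="$out${out:+ }$e"
    done
    printf '%s' "$out"
}

# Constructed sandbox: the working directory holds "decoy", while data/
# holds the cached-* files the glob is supposed to match.
setup_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir "$box/data"
    : > "$box/decoy"
    : > "$box/data/cached-certs"
    : > "$box/data/cached-microdescs"
    printf '%s' "$box"
}

# Run the joined string the way "sudo -s" would: target shell -c "<string>".
# $1 = joiner function, $2 = sandbox directory (also used as the cwd).
run_joined() {
    cmd=$("$1" sh -c "ls -1 $2/data/cached*")
    (cd "$2" && sh -c "$cmd")
}
```

With join_plain the inner shell receives only "ls" as its command string, so
it lists the working directory (the "/" listing in the OpenBSD transcript);
with join_escaped the quoted argument survives as one word and the glob is
expanded by the inner shell.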



Re: sudo and globbing

2016-01-07 Thread Jiri B
On Thu, Jan 07, 2016 at 11:43:14AM -0500, Jiri B wrote:
> I discovered an article about sudo and globbing[1] and
> there's difference how it does work on Linux and OpenBSD.

I forgot to put the url

http://zurlinux.com/?p=2244

> - openbsd
> 
> # su -s /usr/local/bin/bash - nobody
> No home directory /nonexistent!
> Logging in with home = "/".
> -bash-4.3$ sudo bash -c "ls -l /var/tor/cache*"
> -rw---  1 _tor  _tor20442 Dec 10 11:32 /var/tor/cached-certs
> -rw---  1 _tor  _tor  1409287 Jan  7 15:56 
> /var/tor/cached-microdesc-consensus
> -rw---  1 _tor  _tor  5107307 Jan  7 17:23 /var/tor/cached-microdescs
> -rw---  1 _tor  _tor0 Jan  7 17:23 /var/tor/cached-microdescs.new
> -bash-4.3$ sudo -s bash -c "ls -l /var/tor/cache*"
> .cshrc   .profile altroot  bin  bsd  bsd.rd   bsd.sp   dev  etc   
>home mnt  root sbin sys  tftpboot tmp  usr  var
> 
> - linux
> 
> [root@slot-1 ~]# su -s /bin/bash nobody
> bash-4.2$ exit
> [root@slot-1 ~]# visudo
> [root@slot-1 ~]# su -s /bin/bash nobody
> bash-4.2$ sudo bash -c "ls -l /var/cache/ldconfig/aux*"
> -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache
> bash-4.2$ sudo -s bash -c "ls -l /var/cache/ldconfig/aux*"
> -rw---. 1 root root 26470 Dec 22 17:52 /var/cache/ldconfig/aux-cache