Public bug reported:

When mistakenly used in the argument list, it can expand to protected
content, such as /etc/shadow. Most users do not expect this.

The following example will permit 'username' to read /etc/shadow as the
* character accepts any character and spaces.

  username ALL=(ALL) /bin/cat /var/log/messages*

The patch adds the following style of argument matching that can
restrict the sudoers arguments to regex, thus allowing for additional
common logrotate suffixes.

  username ALL = (ALL) /bin/cat m{/var/log/messages(\.[0-9]+|-[0-9]+)?$}

This improves the security stance of sudoers entries through tight regex
matches which most administrators are familiar with.

Changes are in <https://github.com/edneville/sudo>, viewable as
<https://github.com/sudo-project/sudo/compare/master...edneville:master>

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/1853895

Title:
  Entries in sudoers files that include * do not behave like shell globs

Status in sudo package in Ubuntu:
  New
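An added example, not part of this report and not the reporter's patch or sudo's own code, that models the two matching styles the report contrasts so an administrator can test a sudoers argument spec against a concrete command line. It assumes (as sudo does for wildcard entries) that the supplied arguments are joined with single spaces and compared with fnmatch(3) using no flags, and it models the proposed m{...} form as an extended regex with search semantics, i.e. anchored only where the pattern itself says ^ or $; the sample specs are the two quoted in the report.

```python
import fnmatch
import re


def args_match(spec_args: str, user_args: list[str]) -> bool:
    """Return True if the argument part of a sudoers Cmnd_Spec accepts the
    arguments actually supplied.  Assumption: arguments are joined with
    single spaces, as sudo does before fnmatch(3) with no flags, so a '*'
    also matches '/' and ' '.  The m{...} form is the syntax proposed by the
    patch this report describes (not upstream sudo's); it is modelled as a
    regex applied with search semantics."""
    joined = " ".join(user_args)
    if spec_args.startswith("m{") and spec_args.endswith("}"):
        return re.search(spec_args[2:-1], joined) is not None
    return fnmatch.fnmatchcase(joined, spec_args)


def audit_spec(spec_args: str) -> list[str]:
    """Flag argument specs that can accept more than the entry looks like it
    allows: an unanchored regex, or a glob metacharacter that also matches
    '/' and ' ' and therefore extra arguments."""
    findings = []
    if spec_args.startswith("m{") and spec_args.endswith("}"):
        pattern = spec_args[2:-1]
        if not pattern.startswith("^"):
            findings.append("regex not anchored at start: extra leading arguments accepted")
        if not pattern.endswith("$"):
            findings.append("regex not anchored at end: extra trailing arguments accepted")
    elif any(c in spec_args for c in "*?["):
        findings.append("glob metacharacter also matches '/' and ' ': extra arguments accepted")
    return findings


# Constructed sample specs, taken from the two entries quoted in the report.
GLOB_SPEC = "/var/log/messages*"
REGEX_SPEC = r"m{/var/log/messages(\.[0-9]+|-[0-9]+)?$}"

if __name__ == "__main__":
    # Constructed command lines: a rotated log, and the over-broad case.
    for args in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        for spec in (GLOB_SPEC, REGEX_SPEC):
            print(f"{spec!r:50} {' '.join(args)!r:40} -> {args_match(spec, args)}")
    for spec in (GLOB_SPEC, REGEX_SPEC):
        print(spec, audit_spec(spec))
```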

