[sudo-users] path expansion
Aaron Spangler
as at insight.rr.com
Sun Aug 1 23:19:50 EDT 2004
I tried the same test on sudo 1.5.1 (cu version, Sep 1996) and had the
same results.
Apparently this has been the behavior for some time.
- Aaron
Aaron Spangler wrote:
> This is what I found so far: (Testing on Knoppix/Debian Linux using
> latest Sudo)
>
> # cat /etc/sudoers
> user ALL=(root) /bin/df
>
> user$ sudo /bin/df #works
> user$ sudo df #works since /bin is in path
> user$ cd /bin; sudo ./df # fails even though it probably should not
>
> My theory is that things with a partial path are treated as a full
> path and thus not matched. This also should means (horrifically) that
> say !/bin/sh is in /etc/sudoers and the person simply does cd /bin;
> sudo ./sh would not prevent the user from getting a shell.
>
> # cat /etc/sudoers
> user ALL=(root) ALL,!/bin/sh
>
> user$ sudo df #works as it should
> user$ sudo /bin/sh # fails as it should
> user$ cd /bin; sudo ./sh # OUCH - works, though it should fail
>
> I'll try the same tests it against a much older sudo.
>
> -Aaron
>
>
> Galen Johnson wrote:
>
>> Yes it does. I thought that maybe it had to do with the path but
>> even after I added it to my path I get the same thing. Strange thing
>> is it doesn't seem to be entirely consistant. I mistakenly typed a
>> cat command and it showed '/bin/cat /etc/sudoers' as not being
>> allowed (at least the error expanded the path if nothing else).
>>
>> I verified this by
>>
>> cd /usr/local/sbin
>> sudo -u root ./visudo
>>
>> I'd be very surprised if this behavior was exhibited on a different
>> OS (not HPUX IPF 11.23) but I can't check that at the moment.
>>
>> =G=
>>
>> -----Original Message-----
>> From: Todd C. Miller [mailto:Todd.Miller at courtesan.com] Sent:
>> Saturday, July 31, 2004 5:57 PM
>> To: Galen Johnson
>> Cc: sudo-users at sudo.ws
>> Subject: Re: [sudo-users] path expansion
>> That's definately unexpected behavior, if you cvan check whether
>> this happens with the release candidate that would be useful.
>>
>> - todd
>>
>> ____________________________________________________________
>> sudo-users mailing list <sudo-users at sudo.ws>
>> For list information, options, or to unsubscribe, visit:
>> http://www.sudo.ws/mailman/listinfo/sudo-users
>>
>>
>
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
More information about the sudo-users
mailing list