[sudo-users] Sudo with directory allows .. to be added. How do I avoid this.

highc at stny.rr.com highc at stny.rr.com
Sat Nov 20 09:52:45 EST 2010

On 11/19/2010 2:13 PM, Richard van den Berg wrote:
> On 19-11-10 18:52 , Art A wrote:
 >> %mygrp ALL=sudoedit /var/opt/perf/*
 >> -----
 >> this works
 >> sudo -e /var/opt/perf/perfd.ini
 >> This also works: (app-defaults is a subdirectory)
 >> sudo -e /var/opt/perf/app-defaults/../../../../etc/passwd
 >> So my question is how can I allow someone to edit any file in a 
directory without putting every file in the sudoers. I have read the 
documentation and tried [!.] but it didn't work for me.  What I would 
settle on is a why to say any pattern without a '..' in it is valid.
> Try this:
> !sudoedit /var/opt/perf/*..*
> I don't know exactly how to sudoedit works with ! negation, but the above works for other commands.
> Regards,
> Richard
First a caution, you have only noticed one of a few possible exploits 
that is created when you specify a wild card on a parameter.

I will not state it is possible to allow wild cards without allowing 
some form of exploit.  And not all the exploits will exist solely based 
on the forms and blockages you code in sudoers.  Having so cautioned; if 
a team 'insists' they must have wild cards in their parameter list, the 
'standard' blocks I code for them is:
!/usr/bin/view *[\:space\:]/* *,!/usr/bin/view *..*, !/usr/bin/view *./*
(replase the fully qualified name with sudoedit or whatever other 
-single file as parameter- command you need to allow.  The item with 
'space' in it is to prevent the following:
sudo -e /var/opt/perf/perfd.ini /any/directory/any/file
The entry with .. is to block the exploit you noticed.  The ./ entry is 
actually more intended to protect against some exploits which are 
possible when some specific coding within the parm is present... and I 
don't have my references handy to resurrect exactly what they were, I 
have simply mandated the need to code the parm within my 'area of control'.

The other thing you will want to be -very- careful about is the 
permissions on
If allow the person you are granting sudoedit authority to the ability 
to create files in that directory, they can create symlinks to any file 
on the system, and thereby modify any file on the system.

There may be other pitfalls easy to get trapped in; but these are the 
ones I've noticed.  The only 100% solution I know of is to require each 
parm to be specifically coded; however, the above mitigates the risk to 
some degree.

More information about the sudo-users mailing list