[sudo-users] sudoedit being fully qualified

Paul Cantle Paul at cantle.me
Fri Jan 7 07:58:27 MST 2022


I’m aware that sudoedit is a “built-in command” and when used in sudoers it is to be specified without a leading / (i.e. not /usr/bin/sudoedit) ~ https://www.sudo.ws/docs/man/sudoers.man/

In the manual above, it suggests that “if a leading path is present, for example, /usr/bin/sudoedit, the path name will silently be converted to ‘sudoedit’”.

However, *if* (perhaps by error), an administrator *does* add the full path to sudoedit in /etc/sudoers (or the sudoers.d/ equivalent), it allows root execution. Would it not be better to prevent it altogether or throw a syntax error when sudoedit was specified with a full path?

For example (my test user is called “base”), if sudoers looks like this:

base ALL = sudoedit /bin/blah

Then base can execute “sudoedit /bin/blah”, but it CAN’T execute “sudo sudoedit /bin/blah” - so all good and correct.

If, however, an error is made (but syntactically it’s fine) and this is the sudoers entry:

base ALL = /usr/bin/sudoedit /bin/blah

Then the user is able to execute “sudo sudoedit /bin/blah” – Not good.

As it then uses root’s environment, etc., instead of base’s, and shelling out (:sh) provides a root shell.

I totally understand that administrators need to be careful when dishing out permissions via sudo, but think this is a relatively easy mistake to make (seeing as most other commands require a fully qualified path before they can be executed via sudo).

Could this be prevented in some way (within sudo itself, I mean)?
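
A lint for the mistake described in this message, as an added example that is not part of the original post or of sudo itself: it scans sudoers text and reports rules whose command word is a fully qualified path ending in sudoedit. The function names and the sample fragment are constructed for illustration, and the parsing is simplified (it does not follow includes or handle several specs joined by ":").

```python
import re

RUNAS = re.compile(r"\([^)]*\)")         # (root) or (root : wheel)
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "@include")

# Constructed sudoers fragment; the two "base" rules are the ones from the post.
SAMPLE = """\
# constructed sample
base ALL = sudoedit /bin/blah
base ALL = /usr/bin/sudoedit /bin/blah
ops  ALL = (root) NOPASSWD: /usr/bin/less /var/log/messages, \\
           /usr/bin/sudoedit /etc/motd
Defaults editor=/usr/bin/vim
"""

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def find_qualified_sudoedit(text):
    """Return [(line_number, command_word)] for rules naming sudoedit by path."""
    hits = []
    for n, line in logical_lines(text):
        line = line.strip()
        # Skip blanks, comments ("#" not followed by a digit; "#123" is a uid),
        # Defaults, non-command aliases and includes.
        if not line or re.match(r"#(?!\d)", line) or line.startswith(SKIP) or "=" not in line:
            continue
        cmnds = RUNAS.sub(" ", line.split("=", 1)[1])
        for item in re.split(r"(?<!\\),", cmnds):      # "\," is a literal comma
            words = TAGS.sub("", item.strip()).lstrip("! ").split()
            # Only the command word counts; a path used as an argument does not.
            if words and words[0].startswith("/") and words[0].rsplit("/", 1)[1] == "sudoedit":
                hits.append((n, words[0]))
    return hits

if __name__ == "__main__":
    for n, word in find_qualified_sudoedit(SAMPLE):
        print(f"line {n}: {word} should be written as plain 'sudoedit'")
```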


