[sudo-users] A question on the same formatted glob, working differently between users
Jore
community at thoughtmaybe.com
Wed Aug 30 09:52:26 MDT 2023
Hi there,
On a default Ubuntu 22.04.2 LTS server, with sudo version 1.9.9, I have
the following sudoers file set up for a user called 'test':
# test user can manage a php cli tool, run as nginx user
test ALL = (www-data) NOPASSWD: /usr/bin/php /var/www/example/artisan *
which allows:
test@example $ sudo -u www-data php /var/www/example/artisan foo bar args
PHP SCRIPT RUNS...
but rightly not:
test@example $ sudo -u www-data php /var/www/example/artisan
[sudo] password for test:
(i.e. note the no args).
However, if the following (unsafe) line is added to run say the acme.sh
script as root:
test ALL = NOPASSWD: /root/.acme/acme.sh *
running this as test user (i.e. without any args)
test@example $ /root/.acme/acme.sh
SCRIPT RUNS...
works without prompting for password, when it maybe shouldn't? I.e. there
is a space before the asterisk in the sudoers that is respected with the
above line with the 'www-data' rule, but it has different behaviour for
the root acme.sh script.
Why does this happen?
At first I thought it might be because of differing `shopt` settings
between root user and non-root users, but that ended up being confusing
because 'extglob' is set to 'on' for non-root users, while it is 'off'
for root; and neither user has 'nullglob' set to 'on' either. So I'm
assuming that the globbing in sudoers isn't handled by the shell at all?
Or something else is happening?
So, disregarding that the root line in this example is unsafe (because I
recognise the asterisk can expand to anything), why does the behaviour
with the same sudoers syntax differ?
Thanks,
Jore
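As an added illustration (not part of the original post and not code from the sudo project), the following Python models how sudo compares the argument part of a sudoers Cmnd with what the user typed. It follows the sudoers(5) description: wildcards are evaluated by sudo itself with fnmatch(3), not by the shell, and the user's arguments are matched as one space-joined string. The helper names, the simplification of sudo's logic, and the sample command lines are assumptions of this example; the two sudoers lines are the ones from the post, plus the `""` form that sudoers documents for "no arguments allowed".

```python
import fnmatch
from typing import List, Optional, Tuple

# Simplified model of sudo's argument matching (not sudo's own code).
# sudoers_args: text after the command path in the sudoers Cmnd, or
#               None when the Cmnd lists only a path.
# user_args:    the user's argv[1:] joined by single spaces, or None
#               when the command was run with no arguments at all.
def sudo_args_match(sudoers_args: Optional[str], user_args: Optional[str]) -> bool:
    # No args in the sudoers entry: any user args (or none) are allowed.
    if sudoers_args is None:
        return True
    # The literal "" in sudoers means the command may only run with no args.
    if sudoers_args == '""':
        return user_args is None
    # Otherwise the whole joined argument string is matched as a single
    # unit with fnmatch(3) semantics. '*' also matches the empty string,
    # which is why 'cmd *' permits running cmd with no arguments, while
    # 'cmd /path *' requires at least the space after /path.
    return fnmatch.fnmatchcase(user_args if user_args is not None else "", sudoers_args)


def split_cmnd(cmnd: str) -> Tuple[str, Optional[str]]:
    """Split a sudoers Cmnd into (command path, argument pattern or None)."""
    path, _, args = cmnd.partition(" ")
    return path, (args if args else None)


def is_allowed(cmnd: str, argv: List[str]) -> bool:
    """Would the sudoers Cmnd `cmnd` match the resolved command line `argv`?

    argv[0] must already be the absolute path sudo resolves the command to
    (sudo resolves 'php' to /usr/bin/php via PATH before matching).
    """
    path, pattern = split_cmnd(cmnd)
    if argv[0] != path:
        return False
    user_args = " ".join(argv[1:]) if len(argv) > 1 else None
    return sudo_args_match(pattern, user_args)


# The two rules from the post, plus a no-arguments-allowed variant.
ARTISAN_RULE = "/usr/bin/php /var/www/example/artisan *"
ACME_RULE = "/root/.acme/acme.sh *"
ACME_NO_ARGS_RULE = '/root/.acme/acme.sh ""'

if __name__ == "__main__":
    # Constructed sample command lines, as sudo would see them after resolving the path.
    cases = [
        (ARTISAN_RULE, ["/usr/bin/php", "/var/www/example/artisan", "foo", "bar", "args"]),
        (ARTISAN_RULE, ["/usr/bin/php", "/var/www/example/artisan"]),
        (ACME_RULE, ["/root/.acme/acme.sh"]),
        (ACME_RULE, ["/root/.acme/acme.sh", "--issue", "-d", "example.com"]),
        (ACME_NO_ARGS_RULE, ["/root/.acme/acme.sh"]),
        (ACME_NO_ARGS_RULE, ["/root/.acme/acme.sh", "--issue"]),
    ]
    for rule, argv in cases:
        print(f"{rule!r:50} {' '.join(argv)!r:60} -> {is_allowed(rule, argv)}")
```

Running it shows the asymmetry from the post: the artisan rule rejects `/var/www/example/artisan` with nothing after it because the pattern demands the space, whereas `*` on its own matches an empty argument string, so the acme rule matches a bare invocation. Because the arguments are compared as one concatenated string, a single argv element containing a space is indistinguishable from two separate arguments, which is the caveat sudoers(5) raises about wildcards in arguments; the `""` form is the documented way to say "no arguments at all".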