[sudo-users] A question on the same formatted glob, working differently between users

Jore community at thoughtmaybe.com
Wed Aug 30 09:52:26 MDT 2023


Hi there,

On a default Ubuntu 22.04.2 LTS server, with sudo version 1.9.9, I have 
the following sudoers file set up for a user called 'test':

     # test user can manage a php cli tool, run as nginx user
     test ALL = (www-data) NOPASSWD: /usr/bin/php /var/www/example/artisan *

which allows:

     test at example $ sudo -u www-data php /var/www/example/artisan foo bar args
     PHP SCRIPT RUNS...

but rightly not:

     test at example $ sudo -u www-data php /var/www/example/artisan
     [sudo] password for test:

(i.e. note the no args).


However, if the following (unsafe) line is added to run say the acme.sh 
script as root:

     test ALL = NOPASSWD: /root/.acme/acme.sh *

running this as test user (i.e. without any args)

     test at example $ /root/.acme/acme.sh
     SCRIPT RUNS...

works without prompting for a password, when maybe it shouldn't? i.e. 
there is a space before the asterisk in the sudoers that is respected 
with the above 'www-data' rule, but it has different behaviour for the 
root acme.sh script.

Why does this happen?

At first I thought it might be because of differing `shopt` settings 
between root user and non-root users, but that ended up being confusing 
because 'extglob' is set to 'on' for non-root users, while it is 'off' 
for root; and neither user has 'nullglob' set to 'on' either. So I'm 
assuming that the globbing in sudoers isn't handled by the shell at all? 
Or something else is happening?

So, disregarding that the root line in this example is unsafe (because 
I recognise the asterisk can expand to anything), why does the behaviour 
with the same sudoers syntax differ?

Thanks,
Jore
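An added example (not part of Jore's post, and not sudo's own source): a small Python model of how sudoers matches command arguments, following what sudoers(5) documents, namely that the user's arguments are matched as a single, space-separated string against the rule's argument pattern using fnmatch(3), and that '*' matches zero or more characters, including none. In the rule `/root/.acme/acme.sh *` the space is only the separator between the command path and its argument pattern, so the pattern is just `*`, which also matches an empty argument string; in the php rule the pattern is `/var/www/example/artisan *`, whose embedded space is part of the pattern, so the joined argument string must continue past a space after the artisan path. The two rule strings are copied from the post; the argument lists are constructed, and the model takes the already-resolved command path as argv[0] (it does not look `php` up in the PATH as sudo does).

```python
import fnmatch
import shlex

# Command specs copied from the two sudoers rules in the post.
RULE_PHP = "/usr/bin/php /var/www/example/artisan *"
RULE_ACME = "/root/.acme/acme.sh *"


def split_rule(cmnd_spec):
    """Split a sudoers command spec into (command path, argument pattern).

    The first run of whitespace separates the command path from its argument
    pattern; that separator is not part of the pattern.  Returns None as the
    pattern when the rule carries no arguments at all.
    """
    parts = cmnd_spec.split(None, 1)
    command = parts[0]
    pattern = parts[1] if len(parts) > 1 else None
    return command, pattern


def args_match(sudoers_args, user_args):
    """Simplified model of sudo's argument matching (not sudo's code).

    - no pattern in the rule          -> any user arguments are allowed
    - the pattern "" (two quotes)     -> no user arguments are allowed
    - anything else                   -> the user arguments are joined with
      single spaces into one string and compared with fnmatch; '*' matches
      zero or more characters, so it also matches the empty string.
    """
    if sudoers_args is None:
        return True
    if sudoers_args == '""':
        return not user_args
    joined = " ".join(user_args)  # no args at all -> ""
    return fnmatch.fnmatchcase(joined, sudoers_args)


def rule_allows(cmnd_spec, argv):
    """True when argv (resolved command path followed by its arguments)
    is permitted by the given sudoers command spec."""
    command, pattern = split_rule(cmnd_spec)
    if not argv or argv[0] != command:
        return False
    return args_match(pattern, argv[1:])


def explain(cmnd_spec, cmdline):
    """Human-readable verdict for one command line against one rule."""
    argv = shlex.split(cmdline)
    _, pattern = split_rule(cmnd_spec)
    verdict = "matches" if rule_allows(cmnd_spec, argv) else "does NOT match"
    return f"{cmdline!r}: {verdict} (argument pattern {pattern!r})"


if __name__ == "__main__":
    # Constructed invocations mirroring the four cases in the post.
    for spec, cmdline in [
        (RULE_PHP, "/usr/bin/php /var/www/example/artisan foo bar args"),
        (RULE_PHP, "/usr/bin/php /var/www/example/artisan"),
        (RULE_ACME, "/root/.acme/acme.sh --issue -d example.com"),
        (RULE_ACME, "/root/.acme/acme.sh"),
    ]:
        print(explain(spec, cmdline))
```

Running it shows the php rule rejecting the bare artisan invocation (the joined argument string is "/var/www/example/artisan", which has nothing after the path to satisfy the " *" tail of the pattern) while the acme.sh rule accepts both the argument-less call and any arguments at all, because its pattern is the lone "*". The shell's glob settings never enter into it: sudo performs this matching itself.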
