[sudo-users] A question on the same formatted glob, working differently between users
Todd C. Miller
Todd.Miller at sudo.ws
Wed Aug 30 10:11:54 MDT 2023
On Thu, 31 Aug 2023 01:52:26 +1000, Jore wrote:
> However, if the following (unsafe) line is added to run say the acme.sh
> script as root:
>
> test ALL = NOPASSWD: /root/.acme/acme.sh *
>
> running this as test user (i.e. without any args)
>
> test@example $ /root/.acme/acme.sh
> SCRIPT RUNS...
>
> works without prompting for password, when it maybe shouldn't? i.e. there
> is a space before the asterisk in the sudoers that is respected with the
> above line with the 'www-data' rule, but it has different behaviour for
> the root acme.sh script.
This happens because the command and its arguments are matched as
separate strings. So in this case, first /root/.acme/acme.sh is
matched and then the * matches any arguments. Since * means zero
or more arguments you can run /root/.acme/acme.sh with or without
args.
- todd
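A simplified model of the matching described in the reply above, added here as an illustration and not sudo's own code: the command path is compared as its own string, the user's arguments are joined and matched against the rule's argument pattern with fnmatch, a rule with no argument pattern allows any arguments, and `""` stands for "no arguments allowed" as in sudoers(5). It assumes Python 3 and ignores other sudoers features (Digests, Defaults, negation, character escaping).

```python
import fnmatch
import shlex

# Simplified sudoers command-spec matcher (constructed example, not sudo's code).
# A spec looks like '/root/.acme/acme.sh *', '/root/.acme/acme.sh ""' or
# '/root/.acme/acme.sh --cron'.


def parse_rule(rule):
    """Split a command spec into (path, arg_pattern).

    arg_pattern is None when the rule lists no arguments, '' when the rule
    used "" (no arguments permitted), otherwise the glob to match against.
    """
    path, *args = shlex.split(rule)   # shlex turns "" into an empty element
    if not args:
        return path, None
    return path, " ".join(args)


def command_matches(rule, argv):
    """Return True if argv (argv[0] = path, rest = args) is permitted by rule.

    The path is matched as a separate string; the arguments are then matched
    as one space-joined string, so the pattern '*' also matches no arguments.
    """
    path, arg_pattern = parse_rule(rule)
    if argv[0] != path:
        return False
    user_args = " ".join(argv[1:])
    if arg_pattern is None:           # no args in the rule: any args allowed
        return True
    if arg_pattern == "":             # "" in the rule: only a bare command
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, arg_pattern)


if __name__ == "__main__":
    rules = ['/root/.acme/acme.sh *',      # the (unsafe) rule from the thread
             '/root/.acme/acme.sh ""',     # bare command only
             '/root/.acme/acme.sh --cron'] # one fixed argument
    for rule in rules:
        for argv in (['/root/.acme/acme.sh'],
                     ['/root/.acme/acme.sh', '--cron'],
                     ['/root/.acme/acme.sh', '--issue', '-d', 'example.test']):
            print(f"{rule!r:32} {' '.join(argv):45} {command_matches(rule, argv)}")
```

Running it shows that only the `""` form refuses extra arguments while still permitting the bare invocation, which is the behaviour the question expected from the rule with `*`.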