[sudo-users] FYI: sudoers entries now don't work through symbolic links
Todd C. Miller
Todd.Miller at sudo.ws
Sun Jan 7 09:42:26 MST 2024
On Sun, 07 Jan 2024 23:08:52 +1300, John Little via sudo-users wrote:
> I haven't changed my sudoers set up for several years, but after release
> upgrading to Ubuntu 23.10, sudo 1.9.14p2, a couple of entries stopped
> working.
>
> For example, in /etc/suders.d/btrfs I had
>
> john ALL=(ALL) NOPASSWD:/bin/btrfs*
>
> /bin on Ubuntu, and IIRC debian-derived distros, has always been a symbolic
> link to /usr/bin, or at least for over a decade. Changing the entry to
>
> john ALL=(ALL) NOPASSWD:/usr/bin/btrfs*
>
> and it works fine. sudoers(5) describes the FOLLOW tag, but it only
> seems to apply to sudoedit. There's no other mention of symbolic links.
>
> I had the impression that /bin is the canonical place for executables;
> that's why we put /bin/bash in "shebangs".
This bug was fixed in sudo 1.9.15p3. Sudo 1.9.14 started to
canonicalize path names (using realpath) where possible, but there
was a bug that prevented canonicalized paths with wildcards from
being compared properly. This is the same root cause as bug #1062.
- todd
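The following is an added example, not part of this thread or of the sudo project: a small POSIX sh helper that takes a sudoers command spec such as `/bin/btrfs*`, resolves the directory part with realpath(1) (as sudo 1.9.14 and later do before matching), and prints the canonical spec. Comparing its output with the entry as written shows which entries sit behind a symlinked directory and are worth rewriting in canonical form. It assumes realpath(1) is installed; the directory layout used in the demo is constructed, not a real system's.

```shell
#!/bin/sh
# Added example (not sudo's own code). Canonicalize the directory part of a
# sudoers command spec so an administrator can see what sudo will compare
# against after realpath() resolution. The basename (which may carry a
# wildcard) is left untouched, since only the directory is resolvable.
# Assumes: realpath(1) exists; the spec is an absolute path.

canon_cmd_spec() {
    spec=$1
    dir=${spec%/*}      # everything before the last slash
    base=${spec##*/}    # last component, wildcard and all
    [ -z "$dir" ] && dir=/
    if canon=$(realpath -- "$dir" 2>/dev/null); then
        canon=${canon%/}            # avoid "//base" when dir is "/"
        printf '%s/%s\n' "$canon" "$base"
    else
        # Directory does not exist: nothing to resolve, echo the spec as-is.
        printf '%s\n' "$spec"
    fi
}

# Report whether an entry would change under canonicalization.
# Prints "same" or "differs: <canonical form>".
spec_report() {
    c=$(canon_cmd_spec "$1")
    if [ "$c" = "$1" ]; then
        printf 'same\n'
    else
        printf 'differs: %s\n' "$c"
    fi
}

# Demo against a constructed tree: /tmp/x/bin -> usr/bin, like Debian's /bin.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/usr/bin"
ln -s usr/bin "$demo_dir/bin"
printf 'entry %s -> %s\n' "$demo_dir/bin/btrfs*" "$(spec_report "$demo_dir/bin/btrfs*")"
rm -rf "$demo_dir"
```

Run it over the command specs from your own sudoers.d fragments; any entry reported as "differs" is one whose directory is a symlink, and writing it in the canonical form (here `/usr/bin/btrfs*` rather than `/bin/btrfs*`) makes it independent of how a given sudo version handles the resolution.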