[sudo-workers] Re: sudo 1.6.8rc2 still has NFS/root bug

Wed Jul 21 16:34:00 EDT 2004

In message <20040721180141.GA3799 at turtle.science-computing.de>
	so spake Harald Koenig (koenig):

> IMHO (if I'm not totally wrong) this desgin is _wrong_! 
> all access tests to the command path should be done 
> _always_and_only_ with PERM_RUNAS!
> 
> if runas_pw->pw_uid is 0 (root), nothing changes, and
> it it's non-zero/root, then there is no reason at all
> to run those tests with PERM_ROOT first, no matter if the
> command path is on a local fs or on NFS etc.

Yes, I think this makes sense.  The following patch uses PERM_RUNAS
while parsing sudoers.

Index: parse.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/parse.c,v
retrieving revision 1.157
diff -u -r1.157 parse.c

--- parse.c	8 Jul 2004 00:15:37 -0000	1.157
+++ parse.c	21 Jul 2004 20:31:58 -0000
@@ -109,9 +109,6 @@
     int error, nopass;
     enum def_tupple pwcheck;
 
-    /* Become sudoers file owner */
-    set_perms(PERM_SUDOERS);
-
     /* We opened _PATH_SUDOERS in check_sudoers() so just rewind it. */
     rewind(sudoers_fp);
     yyin = sudoers_fp;
@@ -124,16 +121,18 @@
     if (pwflag > 0)
 	keepall = TRUE;
 
-    /* Need to be root while stat'ing things in the parser. */
-    set_perms(PERM_ROOT);
+    /* Need to be runas user while stat'ing things in the parser. */
+    set_perms(PERM_RUNAS);
     error = yyparse();
 
     /* Close the sudoers file now that we are done with it. */
     (void) fclose(sudoers_fp);
     sudoers_fp = NULL;
 
-    if (error || parse_error)
+    if (error || parse_error) {
+	set_perms(PERM_ROOT);
 	return(VALIDATE_ERROR);
+    }
 
     /*
      * The pw options may have changed during sudoers parse so we
@@ -185,6 +184,7 @@
 	    top--;
 	}
 	if (found) {
+	    set_perms(PERM_ROOT);
 	    if (nopass == -1)
 		nopass = 0;
 	    return(VALIDATE_OK | nopass);
@@ -197,6 +197,7 @@
 		    /*
 		     * User was granted access to cmnd on host as user.
 		     */
+		    set_perms(PERM_ROOT);
 		    return(VALIDATE_OK |
 			(no_passwd == TRUE ? FLAG_NOPASS : 0) |
 			(no_execve == TRUE ? FLAG_NOEXEC : 0));
@@ -205,6 +206,7 @@
 		    /*
 		     * User was explicitly denied access to cmnd on host.
 		     */
+		    set_perms(PERM_ROOT);
 		    return(VALIDATE_NOT_OK |
 			(no_passwd == TRUE ? FLAG_NOPASS : 0) |
 			(no_execve == TRUE ? FLAG_NOEXEC : 0));
@@ -213,6 +215,7 @@
 	    top--;
 	}
     }
+    set_perms(PERM_ROOT);
 
     /*
      * The user was neither explicitly granted nor denied access.
@@ -233,7 +236,7 @@
     char *path;
     char *sudoers_args;
 {
-    int plen, error;
+    int plen;
     static struct stat cst;
     struct stat pst;
     DIR *dirp;
@@ -267,15 +270,8 @@
 
     /* Only need to stat cmnd once since it never changes */
     if (cst.st_dev == 0) {
-	if ((error = stat(cmnd, &cst))) {
-	    if (runas_pw->pw_uid != 0) {
-		set_perms(PERM_RUNAS);
-		error = stat(cmnd, &cst);
-		set_perms(PERM_ROOT);
-	    }
-	    if (error)
-		return(FALSE);
-	}
+	if (stat(cmnd, &cst) == -1)
+	    return(FALSE);
 	if ((cmnd_base = strrchr(cmnd, '/')) == NULL)
 	    cmnd_base = cmnd;
 	else

