A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that causes the negation operator to have no effect when used in a Cmnd_Alias.
Sudo versions affected: 1.7.0 through 1.7.2p1 inclusive.
Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed, as sudo checks whether a user is allowed to run a particular command.
There is a flaw in the code that matches lists of commands: the negation operator was applied twice, so a negated entry behaved like a positive one. This can result in a command being allowed that was intended to be explicitly disallowed. For example, given the following sudoers file fragment:
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
millert ALL = PASSWORD
User millert should not be allowed to change root’s password. However, due to the bug, running either "sudo passwd root" or "sudo passwd" (the command named in the alias, with no arguments) would succeed.
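As an added illustration (not sudo's own code), the following Python model of Cmnd_Alias list matching evaluates the advisory's fragment: later entries override earlier ones, a "" argument means the command must be run with no arguments, argument patterns are fnmatch-style globs, and the hypothetical `buggy` flag applies the negation a second time, reproducing the behaviour described above.

```python
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional


class Cmnd(NamedTuple):
    """One entry of a Cmnd_Alias list (simplified model, not sudo's structures)."""
    path: str
    args: Optional[str]     # None: any arguments; "": no arguments allowed; else a glob
    negated: bool = False   # True for entries written with a leading '!'


# Transcribed by hand from the advisory's fragment:
# Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
PASSWORD = [
    Cmnd("/usr/bin/passwd", "[A-Za-z0-9]*"),
    Cmnd("/usr/bin/passwd", "root", negated=True),
    Cmnd("/usr/bin/passwd", "", negated=True),
]


def entry_matches(entry: Cmnd, path: str, args: str) -> bool:
    """Does a single list entry match the command the user is trying to run?"""
    if entry.path != path:
        return False
    if entry.args is None:
        return True
    if entry.args == "":
        return args == ""
    return fnmatchcase(args, entry.args)


def list_allows(entries: List[Cmnd], path: str, args: str,
                buggy: bool = False) -> Optional[bool]:
    """Evaluate a command list: the last matching entry decides.

    Returns True (allowed), False (denied) or None (nothing matched, so other
    sudoers rules decide).  With buggy=True the '!' of a matching entry is
    applied a second time, which models the 1.7.0-1.7.2p1 defect.
    """
    for entry in reversed(entries):
        if not entry_matches(entry, path, args):
            continue
        allowed = not entry.negated        # correct behaviour: '!' denies
        if buggy and entry.negated:
            allowed = not allowed          # negation applied twice: now allowed
        return allowed
    return None


if __name__ == "__main__":
    for argv in ("alice", "root", ""):
        fixed = list_allows(PASSWORD, "/usr/bin/passwd", argv)
        broken = list_allows(PASSWORD, "/usr/bin/passwd", argv, buggy=True)
        print(f"passwd {argv!r:8} fixed={fixed!s:5} buggy={broken}")
```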
Impact: users who should be allowed to run only a limited set of commands may be able to run unauthorized commands.
The bug is fixed in sudo 1.7.2p2.