Bug 2157814

Summary: sudo not executing the calling path when using symlinks
Product: Red Hat Enterprise Linux 8
Reporter: Siddharth <sgandhi>
Component: sudo
Assignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED
QA Contact: Dalibor Pospíšil <dapospis>
Severity: unspecified
Priority: unspecified
Version: 8.7
CC: dapospis
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: ---
Hardware: Unspecified
OS: Linux
Last Closed: 2023-08-16 14:41:01 UTC
Type: Bug

Description Siddharth 2023-01-03 03:24:39 UTC
Description of problem:
sudo not executing the calling path when using symlinks

Steps to Reproduce:
(0) [root@node ~]# mkdir dir1 dir2 common
(0) [root@node ~]# printf '#! /bin/bash\necho $0\n' > common/script
(0) [root@node ~]# chmod 700 common/script
(0) [root@node ~]# ln -s ../common/script dir1/script
(0) [root@node ~]# ln -s ../common/script dir1/script1
(0) [root@node ~]# ln -s ../common/script dir2/script
(0) [root@node ~]# ln -s ../common/script dir2/script2
(0) [root@node ~]# ls -l dir?
dir1:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:29 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script1 -> ../common/script

dir2:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script2 -> ../common/script
(0) [root@node ~]# /root/dir1/script
/root/dir1/script
(0) [root@node ~]# /root/dir2/script
/root/dir2/script
(0) [root@node ~]# printf 'ALL ALL = (root)NOPASSWD:/root/dir1/script,/root/dir1/script1,/root/dir2/script,/root/dir2/script2' >> /etc/sudoers

(0) user@node ~: sudo -u root /root/dir1/script
/root/dir2/script

Actual results:

Running sudo -u root /root/dir1/script
executes /root/dir2/script

Expected results:

(0) user@node ~: sudo -u root /root/dir2/script
/root/dir2/script
(0) user@node ~: sudo -u root /root/dir1/script1
/root/dir1/script1
(0) user@node ~: sudo -u root /root/dir2/script2
/root/dir2/script2

Additional info:

I can reproduce the issue with the latest RHEL 8.
But it's not clear why this happens.

As the customer has explained, I did strace on the normal user's shell process and see that indeed the command being passed to the execve() system call is wrong.
So this means that sudo is passing the wrong command arguments to the execve() call.

~~~
# less testuser.strace | grep execve
204772 00:09:18.361206 execve("/usr/bin/sudo", ["sudo", "-u", "root", "/root/dir1/script"], ["LS_COLORS=rs=0:di [...output skipped...]
204777 00:09:18.601602 execve("/usr/sbin/unix_chkpwd", ["/usr/sbin/unix_chkpwd", "testuser", "chkexpiry"], []) = 0 <0.000307>
204778 00:09:18.617734 execve("/root/dir2/script", ["/root/dir1/script"], ["LS_COLORS=rs=0:di=38;5;33:ln=38; [...output skipped...]
~~~

Searching the man page of sudoers, I see some notes related to where travelling through symlinks is allowed and where it is not.
But here it's like it is executing a different file altogether, so it's not making sense to me.


I found that we can use debugging in sudo using the following configuration as explained in

  A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/troubleshooting-sudo


I see that there is a match performed to check whether the command entered matches the definition given in the sudo file or not.
But here the comparison between files /root/dir1/script and /root/dir2/script matches for some reason.
It should match the command /root/dir1/script, which is already written in the sudo file, but it's instead matching /root/dir2/script and also succeeds with the match.
~~~
# less /var/log/sudo_debug.log  | grep /root/dir
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script2": false @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script": true @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] sudo_putenv: SUDO_COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- new_logline @ ./logging.c:1097 := TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- sudo_new_key_val_v1 @ ./key_val.c:63 := command=/root/dir2/script
Dec 31 02:16:05 sudo[66267]     0: command=/root/dir2/script
Dec 31 02:16:05 sudo[66267] executed /root/dir2/script, pid 66270
Dec 31 02:16:05 sudo[66270] exec /root/dir2/script [/root/dir1/script] [LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=38;5;9:*.tgz=38;5;9:*.arc=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lha=38;5;9:*.lz4=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.tzo=38;5;9:*.t7z=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lrz=38;5;9:*.lz=38;5;9:*.lzo=38;5;9:*.xz=38;5;9:*.zst=38;5;9:*.tzst=38;5;9:*.bz2=38;5;9:*.bz=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.war=38;5;9:*.ear=38;5;9:*.sar=38;5;9:*.rar=38;5;9:*.alz=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.cab=38;5;9:*.wim=38;5;9:*.swm=38;5;9:*.dwm=38;5;9:*.esd=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.mjpg=38;5;13:*.mjpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.webm=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.m4a=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.oga=38;5;45:*.opus=38;5;45:*.spx=38;5;45:*.xspf=38;5;45: LANG=en_US.UTF-8 HOSTNAME=rhel8.test.example.local MAIL=/var/spool/mail/testuser TERM=xterm-256color HISTSIZE=10000 
PATH=/sbin:/bin:/usr/sbin:/usr/bin LOGNAME=root USER=root HOME=/root SHELL=/bin/bash SUDO_COMMAND=/root/dir1/script SUDO_USER=testuser SUDO_UID=1011 SUDO_GID=1012]
~~~

Comment 1 Radovan Sroka 2023-01-03 10:39:11 UTC
It seems that if there are multiple symlinks with the same target in sudoers, sudo will always choose the last one.
I don't consider this to be somehow critical. It is very likely present on all RHELs.

I've created an issue on upstream:

https://github.com/sudo-project/sudo/issues/228
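
An added example, not part of the original bug report and not sudo's own code: a small audit that flags sudoers command paths which this behaviour makes interchangeable, and predicts which path would be executed. It assumes, consistent with the debug log above (`script` matched, `script2` did not), that entries are treated as the same command when they share a basename and resolve to the same file (device and inode), and that the last such entry wins as Comment 1 describes; the function names are hypothetical.

```python
import os
from collections import defaultdict


def _file_key(path):
    """(basename, device, inode) after following symlinks, or None."""
    try:
        st = os.stat(path)  # os.stat follows symlinks to the real file
    except OSError:
        return None  # dangling or unreadable entry: nothing to compare
    return (os.path.basename(path), st.st_dev, st.st_ino)


def ambiguous_sudoers_commands(paths):
    """Return groups of sudoers command paths that share a basename and
    resolve to the same file, in the order they were listed."""
    groups = defaultdict(list)
    for path in paths:
        key = _file_key(path)
        if key is not None:
            groups[key].append(path)
    return [g for g in groups.values() if len(g) > 1]


def predicted_exec_path(requested, paths):
    """Path expected to be executed for `requested`: the last listed entry
    with the same basename and underlying file (assumption from Comment 1)."""
    key = _file_key(requested)
    if key is None:
        return None
    matches = [p for p in paths if _file_key(p) == key]
    return matches[-1] if matches else None


def build_reproducer(root):
    """Recreate the bug report's directory layout under `root`
    (constructed sample data) and return the four sudoers paths."""
    for d in ("dir1", "dir2", "common"):
        os.mkdir(os.path.join(root, d))
    target = os.path.join(root, "common", "script")
    with open(target, "w") as fh:
        fh.write("#! /bin/bash\necho $0\n")
    os.chmod(target, 0o700)
    links = ["dir1/script", "dir1/script1", "dir2/script", "dir2/script2"]
    for link in links:
        os.symlink("../common/script", os.path.join(root, link))
    return [os.path.join(root, link) for link in links]
```

Run against the real command paths from a sudoers rule, any group returned by `ambiguous_sudoers_commands` is a set of entries where the path actually executed may differ from the path the user typed and from the `COMMAND=` value that is logged.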

Comment 3 Radovan Sroka 2023-01-11 09:41:08 UTC
Apparently sudo's upstream is not willing to fix it.
There is a high risk that a fix will introduce bugs.

It's not trivial.

Comment 6 Radovan Sroka 2023-08-16 14:35:24 UTC
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774