Bug 531369

Summary: unable to consistently exec lengthy commands which should be permitted with wildcard + NOPASSWD in sudoers
Product: Red Hat Enterprise Linux 5
Reporter: Nick Silkey <randall.silkey>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: low
Version: 5.3
CC: dkopecek, randall.silkey
Target Milestone: rc
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-10-30 13:10:10 UTC

Description Nick Silkey 2009-10-27 21:49:46 UTC
Description of problem:
When using a wildcard in a NOPASSWD sudoers statement, lengthy command paths which fall under the wildcard pattern sometimes fail to permit access.


Version-Release number of selected component (if applicable):
sudo-1.6.9p17-3.el5
Red Hat Enterprise Linux Server release 5.3 (Tikanga)


How reproducible:
Every time


Steps to Reproduce:
1. Stand up a wildcard permit in sudoers with NOPASSWD.
2. Matching the wildcard pattern, try to execute a lengthy command.
(See example below) 

  
Actual results:
User is prompted for a password even though NOPASSWD is specified (and returned with a sudo -l as the user).


Expected results:
User should be permitted to exec with NOPASSWD.


Additional info:
[root@vm-dpltstapp-01 ~]# cd /etc/init.d/
[root@vm-dpltstapp-01 init.d]# md5sum memcached-dpltst-01.yale.edu memcached1
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached1
[root@vm-dpltstapp-01 init.d]# md5sum memcached-dpltst-02.yale.edu memcached2
6887b35587593b487cb32c12639448b8  memcached-dpltst-02.yale.edu
6887b35587593b487cb32c12639448b8  memcached2
[root@vm-dpltstapp-01 init.d]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ echo "/etc/init.d/memcached1" | wc
      1       1      23
[anta@vm-dpltstapp-01 ~]$ echo "/etc/init.d/memcached-dpltst-01.yale.edu" | wc
      1       1      41
[anta@vm-dpltstapp-01 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
[anta@vm-dpltstapp-01 ~]$ rpm -qa | grep ^sudo
sudo-1.6.9p17-3.el5

Comment 1 Nick Silkey 2009-10-27 22:02:11 UTC
These are the offending sudoers bits:

[root@vm-dpltstapp-01 init.d]# grep ANTUSERS /etc/sudoers
User_Alias ANTUSERS=anta
ANTUSERS DPLWEBSYS = NOPASSWD: /etc/init.d/httpd graceful, /etc/init.d/memcached*

Which yields the following reproducible behavior:

[root@vm-dpltstapp-01 init.d]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ 

Which yields the following in secure:

Oct 27 17:58:46 vm-dpltstapp-01 su: pam_unix(su-l:session): session opened for user anta by rs253(uid=0)
Oct 27 17:59:01 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=list
Oct 27 17:59:07 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached1
Oct 27 17:59:09 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached2
Oct 27 17:59:14 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached-dpltst-01.yale.edu
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_krb5[24183]: authentication fails for 'anta' (anta.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_unix(sudo:auth): authentication failure; logname=rs253 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=anta
Oct 27 17:59:30 vm-dpltstapp-01 su: pam_unix(su-l:session): session closed for user anta

NB: We kerberize sudo, but anta is a local account which doesn't exist in the KDCs.  I assume the net.yale.edu line is due to the carriage returns I sent when greeted with the unexpected 'Password:' prompt.

Comment 2 Nick Silkey 2009-10-28 15:48:50 UTC
Additional hacking on the permit in sudoers:

/etc/init.d/*
===
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/* 
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3 
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu 
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu 
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu 
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu 
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu


/etc/init.d/m*
===
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/m*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3 
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu 
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu 
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu 
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu 
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu
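
As an added example (not part of the bug report or of sudo's own source), the following Python models how a sudoers Cmnd_Spec wildcard is expected to match a fully qualified command path, and runs that model over the three patterns and the init scripts from this report. It assumes fnmatch(3) semantics with FNM_PATHNAME for the wildcard (so `*` does not cross a `/`), adds `/etc/init.d/httpd` from the page as a path outside the memcached rules, and one constructed nested path to show the separator rule; it does not model sudo's later file checks, so it shows which paths the rules should cover, which is exactly the expectation the failing `-02` run violates.

```python
import posixpath
import re

# Cmnd_Spec wildcards tried in the report (Description, Comment 1, Comment 2).
PATTERNS = ["/etc/init.d/memcached*", "/etc/init.d/*", "/etc/init.d/m*"]
# Command paths from the report, plus one constructed nested path.
COMMANDS = [
    "/etc/init.d/memcached1", "/etc/init.d/memcached2", "/etc/init.d/memcached3",
    "/etc/init.d/memcached-dpltst-01.yale.edu",
    "/etc/init.d/memcached-dpltst-02.yale.edu",
    "/etc/init.d/memcached-dpltst-03.yale.edu",
    "/etc/init.d/httpd",             # on the page; outside the memcached rules
    "/etc/init.d/memcached/nested",  # constructed: '*' must not cross a '/'
]

def glob_to_regex(pattern):
    """Sudoers wildcard -> regex with fnmatch(3) FNM_PATHNAME semantics: '*' and '?'
    never cross '/', '[...]' and '[!...]' pass through; backslash escapes not modelled."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        j = pattern.find("]", i + 1) if ch == "[" else -1
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        elif j != -1:  # bracket expression; '!' negates, as '^' does in a regex
            body = pattern[i + 1:j]
            out.append("[" + ("^" + body[1:] if body.startswith("!") else body) + "]")
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z")

def cmnd_matches(pattern, command, cwd="/"):
    """True if `command` falls under `pattern`. sudo matches the fully qualified
    path, so a relative command (./memcached1 in Comment 3) is resolved via `cwd`."""
    if not command.startswith("/"):
        command = posixpath.join(cwd, command)
    return glob_to_regex(pattern).match(posixpath.normpath(command)) is not None

def matrix(patterns=PATTERNS, commands=COMMANDS):
    """Map each pattern to the commands it is expected to permit."""
    return {p: [c for c in commands if cmnd_matches(p, c)] for p in patterns}

if __name__ == "__main__":
    for p, cmds in matrix().items():
        print(f"{p:26} permits {len(cmds)}/{len(COMMANDS)} tested commands")
    print(cmnd_matches("/etc/init.d/memcached*", COMMANDS[4]))  # True, yet sudo prompted for it
```

Because every memcached path, long or short, is covered by all three patterns under this model, a password prompt for only one of them points at the matcher in that sudo build rather than at the sudoers rule.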

Comment 3 Nick Silkey 2009-10-28 19:27:30 UTC
Setting init scripts to the same:

[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu 
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu 
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu 
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
7261557266ed1a201908e8c91dc55a8f  memcached2
7261557266ed1a201908e8c91dc55a8f  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-02.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-03.yale.edu

Setting host to ALL with varying init scripts:

[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1 
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2 
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3 
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu 
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu 
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu 
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
6887b35587593b487cb32c12639448b8  memcached2
8e3b1d61552c7055f6d3f9ddaf83d025  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
6887b35587593b487cb32c12639448b8  memcached-dpltst-02.yale.edu
8e3b1d61552c7055f6d3f9ddaf83d025  memcached-dpltst-03.yale.edu

Comment 4 Nick Silkey 2009-10-28 20:46:25 UTC
The touch function doesn't appear to work as described by RH support:
 
[root@vm-dpltstapp-01 ~]# \mv /etc/init.d/memcached{1,2,3} ~rs253/
[root@vm-dpltstapp-01 ~]# touch /etc/init.d/memcached
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Password:  
Password:  
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
 
Moreover with the short names gone, the bug persists:
 
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Password:  
Password:  
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
 
Oddly enough, this appears functional (without stripping the HOST field from the permit):
 
[root@vm-dpltstapp-01 ~]# cp ~rs253/memcached{1,2,3} /etc/init.d/
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1  
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2  
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3  
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}

Comment 5 Daniel Kopeček 2009-10-30 13:10:10 UTC

*** This bug has been marked as a duplicate of bug 521778 ***