Bug 531369
| Field | Value |
|---|---|
| Summary | unable to consistently exec lengthy commands which should be permitted with wildcard + NOPASSWD in sudoers |
| Product | Red Hat Enterprise Linux 5 |
| Reporter | Nick Silkey <randall.silkey> |
| Component | sudo |
| Assignee | Daniel Kopeček <dkopecek> |
| Status | CLOSED DUPLICATE |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | high |
| Docs Contact | |
| Priority | low |
| Version | 5.3 |
| CC | dkopecek, randall.silkey |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | i386 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2009-10-30 13:10:10 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description
Nick Silkey
2009-10-27 21:49:46 UTC
These are the offending sudoers bits:

```
[root@vm-dpltstapp-01 init.d]# grep ANTUSERS /etc/sudoers
User_Alias ANTUSERS=anta
ANTUSERS DPLWEBSYS = NOPASSWD: /etc/init.d/httpd graceful, /etc/init.d/memcached*
```

Which yields the following reproducible behavior:

```
[root@vm-dpltstapp-01 init.d]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Password:
Password:
[anta@vm-dpltstapp-01 ~]$
```

Which yields the following in secure:

```
Oct 27 17:58:46 vm-dpltstapp-01 su: pam_unix(su-l:session): session opened for user anta by rs253(uid=0)
Oct 27 17:59:01 vm-dpltstapp-01 sudo: anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=list
Oct 27 17:59:07 vm-dpltstapp-01 sudo: anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached1
Oct 27 17:59:09 vm-dpltstapp-01 sudo: anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached2
Oct 27 17:59:14 vm-dpltstapp-01 sudo: anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached-dpltst-01.yale.edu
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_krb5[24183]: authentication fails for 'anta' (anta.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_unix(sudo:auth): authentication failure; logname=rs253 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost= user=anta
Oct 27 17:59:30 vm-dpltstapp-01 su: pam_unix(su-l:session): session closed for user anta
```

NB: We kerberize sudo, but anta is a local account which doesn't exist in the KDCs. I assume the net.yale.edu line is due to the carriage returns I sent when greeted with the unexpected 'Password:' prompt.

Additional hacking on the permit in sudoers:

/etc/init.d/* ===

```
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu
```

/etc/init.d/m* ===

```
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/m*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Password:
Password:
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu
```

Setting init scripts to the same:

```
[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
7261557266ed1a201908e8c91dc55a8f  memcached2
7261557266ed1a201908e8c91dc55a8f  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-02.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-03.yale.edu
```

Setting host to ALL with varying init scripts:

```
[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
6887b35587593b487cb32c12639448b8  memcached2
8e3b1d61552c7055f6d3f9ddaf83d025  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
6887b35587593b487cb32c12639448b8  memcached-dpltst-02.yale.edu
8e3b1d61552c7055f6d3f9ddaf83d025  memcached-dpltst-03.yale.edu
```

The touch function doesn't appear to work as described by RH support:

```
[root@vm-dpltstapp-01 ~]# \mv /etc/init.d/memcached{1,2,3} ~rs253/
[root@vm-dpltstapp-01 ~]# touch /etc/init.d/memcached
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Password:
Password:
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
```

Moreover, with the short names gone, the bug persists:

```
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Password:
Password:
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
```

Oddly enough, this appears functional (without stripping the HOST field from the permit):

```
[root@vm-dpltstapp-01 ~]# cp ~rs253/memcached{1,2,3} /etc/init.d/
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
```

*** This bug has been marked as a duplicate of bug 521778 ***
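A sudoers audit helper, added here as an example and not part of the bug report or of sudo itself: it parses the report's `ANTUSERS` entry, expands the `memcached*` wildcard against a directory listing, and emits the same grant with the wildcard replaced by an explicit command list, which sidesteps wildcard matching entirely and also stops any future script that happens to match from being granted NOPASSWD root automatically. It assumes the simple `User Host = TAG: cmd, cmd` form used in the report (no Runas_Spec or Cmnd_Alias), and `DEMO_SCRIPTS`/`stage_demo_tree` build a constructed copy of /etc/init.d in a temp directory rather than reading the live system.

```python
import fnmatch
import os
import re
import tempfile

SUDOERS_LINE = ("ANTUSERS DPLWEBSYS = NOPASSWD: /etc/init.d/httpd graceful, "  # the report's entry
                "/etc/init.d/memcached*")
DEMO_SCRIPTS = ["httpd", "memcached1", "memcached2", "memcached3",  # constructed stand-ins
                "memcached-dpltst-01.yale.edu", "memcached-dpltst-02.yale.edu", "memcached-dpltst-03.yale.edu"]
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

def parse_cmnd_spec(line):
    """Split 'User Host = [TAG:]... cmd [args], ...' into (user, host, tags, cmds)."""
    lhs, rhs = line.split("=", 1)
    user, host = lhs.split()
    tags, rest = [], rhs.strip()
    while (m := TAG_RE.match(rest)):
        tags.append(m.group(1))
        rest = rest[m.end():]
    return user, host, tags, [c.strip() for c in rest.split(",")]

def expand_wildcards(cmds, root="/"):
    """Map each command to the concrete paths its file-name pattern matches today.
    Sudoers wildcards never match '/', so only the last path component is globbed."""
    out = {}
    for cmd in cmds:
        path, _, args = cmd.partition(" ")
        if not any(ch in path for ch in "*?["):
            out[cmd] = [cmd]  # literal command, nothing to expand
            continue
        d, pat = os.path.split(path)
        real = os.path.join(root, d.lstrip("/"))  # root != "/" audits a staged tree
        names = sorted(os.listdir(real)) if os.path.isdir(real) else []
        out[cmd] = [os.path.join(d, n) + (" " + args if args else "")
                    for n in names if fnmatch.fnmatchcase(n, pat)]
    return out

def explicit_line(line, root="/"):
    """Rewrite the entry with every wildcard replaced by what it matches right now."""
    user, host, tags, cmds = parse_cmnd_spec(line)
    flat = [c for cmd in cmds for c in expand_wildcards([cmd], root)[cmd]]
    return f"{user} {host} = {''.join(t + ': ' for t in tags)}{', '.join(flat)}"

def stage_demo_tree():
    """Create a throwaway <root>/etc/init.d holding DEMO_SCRIPTS and return root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc/init.d"))
    for name in DEMO_SCRIPTS:
        open(os.path.join(root, "etc/init.d", name), "w").close()
    return root
```

Run `explicit_line(SUDOERS_LINE)` on the real host (as a user who can read /etc/init.d) to get the expanded entry; diff it against the wildcard grant whenever scripts are added to the directory.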