Bug 886648

Summary: Access granted with invalid sudoRunAsUser/sudoRunAsGroup
Product: Red Hat Enterprise Linux 6
Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA
QA Contact: David Spurek <dspurek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.4
CC: dapospis, dspurek, ebenes, ksrot, mvadkert, pvrabec
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sudo-1.8.6p3-8.el6
Doc Type: Bug Fix
Doc Text: No documentation needed.
Story Points: ---
Clone Of:
: 1006991 1026904
Environment:
Last Closed: 2013-11-21 23:12:10 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 947775, 1006991, 1026904
Attachments:
proposed patch (Flags: none)

Description Nikolai Kondrashov 2012-12-12 18:46:07 UTC
Description of problem:
Sudo still grants access when the matching sudo rule, accessed either with ldap or sssd sudoers plugin, has sudoRunAsUser or sudoRunAsGroup set to an invalid user or group ID in the form of #id#, e.g. #10002#.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-37.el6.x86_64
sssd-1.9.2-37.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-37.el6.x86_64
libsss_sudo-1.9.2-37.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create a sudo rule employing #id-format value in sudoRunAsUser or sudoRunAsGroup.
2. Verify that access is granted.
3. Append '#' character to the value.
4. Try getting access again.

Actual results:
access is granted

Expected results:
access is denied

Comment 2 RHEL Program Management 2012-12-16 06:51:13 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Daniel Kopeček 2013-08-08 14:32:58 UTC
Sudo accepts the invalid strings because it uses atoi() to convert the string to an uid/gid. I've changed the code to use strtol and added checks that the whole string was accepted by it.

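The conversion problem described in comment 3 and in the report's steps to reproduce, as an added C example (not sudo's own code): a loose match that mimics the atoi() behaviour beside a strict match that parses with strtoul() and requires the whole string to be consumed. Function names, the helper parse_id_strict() and the sample "#id" strings are constructed for illustration; the real sudo code matches runas specs elsewhere and differently.

```c
/*
 * Added example, not sudo's code: why a sudoRunAsUser value such as
 * "#10002#" matched, and a strtoul()-based check that rejects it.
 *
 * A "#<id>" spec names a user or group by numeric id.  atoi() stops at
 * the first non-digit and never reports an error, so "#10002#" silently
 * becomes 10002, and a spec with no digits at all ("#", "#abc") becomes 0.
 */
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Loose form (hypothetical name): the atoi()-style conversion. */
bool runas_id_matches_loose(const char *spec, uid_t want)
{
    if (spec[0] != '#')
        return false;                  /* not a "#id" spec; names are matched elsewhere */
    return (uid_t)atoi(spec + 1) == want;  /* "#10002#" and "#10002junk" both give 10002 */
}

/*
 * Strict form (hypothetical name): succeed only if the text after '#' is
 * a bare decimal number that strtoul() consumes entirely and that fits
 * in uid_t.  Stores the parsed id in *out on success.
 */
bool parse_id_strict(const char *s, uid_t *out)
{
    char *end;
    unsigned long val;

    /* Require a leading digit: rejects "", "-1", "+1" and leading
     * whitespace, all of which strtoul() would otherwise accept. */
    if (!isdigit((unsigned char)*s))
        return false;
    errno = 0;
    val = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return false;                  /* overflow, or trailing junk such as "#" */
    if (val > (unsigned long)(uid_t)-1)
        return false;                  /* does not fit in uid_t */
    *out = (uid_t)val;
    return true;
}

bool runas_id_matches_strict(const char *spec, uid_t want)
{
    uid_t id;

    if (spec[0] != '#')
        return false;
    return parse_id_strict(spec + 1, &id) && id == want;
}

int main(void)
{
    /* Constructed inputs modelled on the report's "#10002" / "#10002#" case. */
    static const char *specs[] = {
        "#10002", "#10002#", "#10002 ", "#", "#abc", "#-1",
        "#99999999999999999999"
    };
    const uid_t target = 10002;
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%-24s loose=%d strict=%d\n", specs[i],
               runas_id_matches_loose(specs[i], target),
               runas_id_matches_strict(specs[i], target));
    return 0;
}
```

The same full-consumption check applies to sudoRunAsGroup with gid_t in place of uid_t. Note that with the loose form any spec whose remainder has no leading digits converts to 0, so the check in parse_id_strict() matters most when the target id is 0.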
Comment 4 Daniel Kopeček 2013-08-08 14:33:56 UTC
Created attachment 784416 [details]
proposed patch

Comment 9 Nikolai Kondrashov 2013-09-11 17:26:56 UTC
Verified fixed with sudo-1.8.6p3-11.el6.x86_64.

Relevant sudo suite output:

:: [   PASS   ] :: attrs_runasuser_user_id_invalid (Expected 0, got 0)
:: [   PASS   ] :: attrs_runasgroup_id_invalid (Expected 0, got 0)

Comment 10 errata-xmlrpc 2013-11-21 23:12:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1701.html