Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2157814

Summary: sudo not executing the calling path when using symlinks
Product: Red Hat Enterprise Linux 8 Reporter: Siddharth <sgandhi>
Component: sudoAssignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED QA Contact: Dalibor Pospíšil <dapospis>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 8.7CC: dapospis
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---Flags: pm-rhel: mirror+
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-16 14:41:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Siddharth 2023-01-03 03:24:39 UTC 
Description of problem:
sudo not executing the calling path when using symlinks

Steps to Reproduce:
(0) [root@node ~]# mkdir dir1 dir2 common
(0) [root@node ~]# printf '#! /bin/bash\necho $0\n' > common/script
(0) [root@node ~]# chmod 700 common/script
(0) [root@node ~]# ln -s ../common/script dir1/script
(0) [root@node ~]# ln -s ../common/script dir1/script1
(0) [root@node ~]# ln -s ../common/script dir2/script
(0) [root@node ~]# ln -s ../common/script dir2/script2
(0) [root@node ~]# ls -l dir?
dir1:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:29 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script1 -> ../common/script

dir2:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script2 -> ../common/script
(0) [root@node ~]# /root/dir1/script
/root/dir1/script
(0) [root@node ~]# /root/dir2/script
/root/dir2/script
(0) [root@node ~]# printf 'ALL ALL = (root)NOPASSWD:/root/dir1/script,/root/dir1/script1,/root/dir2/script,/root/dir2/script2' >> /etc/sudoers

(0) user@node ~: sudo -u root /root/dir1/script
/root/dir2/script

Actual results:

Running sudo -u root /root/dir1/script
executes /root/dir2/script

Expected results:

(0) user@node ~: sudo -u root /root/dir2/script
/root/dir2/script
(0) user@node ~: sudo -u root /root/dir1/script1
/root/dir1/script1
(0) user@node ~: sudo -u root /root/dir2/script2
/root/dir2/script2

Additional info:

I can reproduce the issue with latest RHEL 8
But its not clear why this happen.

As the customer has explained I did strace on the normal user's shell process and see that indeed the command being passed to the execve() system call are wrong.
So meaning the sudo is passing the wrong command arguments to execve() call.

~~~
# less testuser.strace | grep execve
204772 00:09:18.361206 execve("/usr/bin/sudo", ["sudo", "-u", "root", "/root/dir1/script"], ["LS_COLORS=rs=0:di [...output skipped...]
204777 00:09:18.601602 execve("/usr/sbin/unix_chkpwd", ["/usr/sbin/unix_chkpwd", "testuser", "chkexpiry"], []) = 0 <0.000307>
204778 00:09:18.617734 execve("/root/dir2/script", ["/root/dir1/script"], ["LS_COLORS=rs=0:di=38;5;33:ln=38; [...output skipped...]
~~~

Searching for man page of sudoers, I see some notes related to where travelling with symlink is allowed and not.
But here its like it executing a different file altogether so its not making sense to me.


I found that we can use debugging in sudo using the following configuration as explained in

  A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/troubleshooting-sudo


I see that there is a matching perform to check if the command entered is matching the defination given in the sudo file or not.
But here the comparison between files /root/dir1/script and /root/dir2/script matches for some reason.
It should match the command /root/dir1/script which is already written in the sudo file but its instead matching the /root/dir2/script and also succeeds with the match
~~~
# less /var/log/sudo_debug.log  | grep /root/dir
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script2": false @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script": true @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] sudo_putenv: SUDO_COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- new_logline @ ./logging.c:1097 := TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- sudo_new_key_val_v1 @ ./key_val.c:63 := command=/root/dir2/script
Dec 31 02:16:05 sudo[66267]     0: command=/root/dir2/script
Dec 31 02:16:05 sudo[66267] executed /root/dir2/script, pid 66270
Dec 31 02:16:05 sudo[66270] exec /root/dir2/script [/root/dir1/script] [LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=38;5;9:*.tgz=38;5;9:*.arc=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lha=38;5;9:*.lz4=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.tzo=38;5;9:*.t7z=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lrz=38;5;9:*.lz=38;5;9:*.lzo=38;5;9:*.xz=38;5;9:*.zst=38;5;9:*.tzst=38;5;9:*.bz2=38;5;9:*.bz=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.war=38;5;9:*.ear=38;5;9:*.sar=38;5;9:*.rar=38;5;9:*.alz=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.cab=38;5;9:*.wim=38;5;9:*.swm=38;5;9:*.dwm=38;5;9:*.esd=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.mjpg=38;5;13:*.mjpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.webm=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.m4a=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.oga=38;5;45:*.opus=38;5;45:*.spx=38;5;45:*.xspf=38;5;45: LANG=en_US.UTF-8 HOSTNAME=rhel8.test.example.local MAIL=/var/spool/mail/testuser TERM=xterm-256color HISTSIZE=10000 PATH=/sbin:/bin:/usr/sbin:/usr/bin LOGNAME=root USER=root HOME=/root SHELL=/bin/bash SUDO_COMMAND=/root/dir1/script SUDO_USER=testuser SUDO_UID=1011 SUDO_GID=1012]
~~~
Comment 1 Radovan Sroka 2023-01-03 10:39:11 UTC 
It seems that if there are multiple symlinks with the same target in sudoers, sudo will always chose the last one.
I don't consider this to be somehow critical. It is very likely present on all RHELs.

I've created an issue on upstream:

https://github.com/sudo-project/sudo/issues/228
Comment 3 Radovan Sroka 2023-01-11 09:41:08 UTC 
Apparently sudo's upstream is not willing to fix it. 
There is high risk that fix will introduce bugs.

It's not trivial.
Comment 6 Radovan Sroka 2023-08-16 14:35:24 UTC 
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774