This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2157814 - sudo not executing the calling path when using symlinks
Summary: sudo not executing the calling path when using symlinks
Status: CLOSED MIGRATED
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sudo
Version: 8.7
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Radovan Sroka
QA Contact: Dalibor Pospíšil
Reported: 2023-01-03 03:24 UTC by Siddharth
Modified: 2023-08-16 14:41 UTC (History)

Last Closed: 2023-08-16 14:41:01 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker   RHEL-1363 0 None None None 2023-08-16 14:41:00 UTC
Red Hat Issue Tracker RHELPLAN-143516 0 None None None 2023-01-03 03:32:46 UTC
Red Hat Issue Tracker SECENGSP-4942 0 None None None 2023-01-03 03:32:50 UTC

Description Siddharth 2023-01-03 03:24:39 UTC
Description of problem:
sudo not executing the calling path when using symlinks

Steps to Reproduce:
(0) [root@node ~]# mkdir dir1 dir2 common
(0) [root@node ~]# printf '#! /bin/bash\necho $0\n' > common/script
(0) [root@node ~]# chmod 700 common/script
(0) [root@node ~]# ln -s ../common/script dir1/script
(0) [root@node ~]# ln -s ../common/script dir1/script1
(0) [root@node ~]# ln -s ../common/script dir2/script
(0) [root@node ~]# ln -s ../common/script dir2/script2
(0) [root@node ~]# ls -l dir?
dir1:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:29 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script1 -> ../common/script

dir2:
total 0
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script -> ../common/script
lrwxrwxrwx 1 root root 16 Dec 21 09:30 script2 -> ../common/script
(0) [root@node ~]# /root/dir1/script
/root/dir1/script
(0) [root@node ~]# /root/dir2/script
/root/dir2/script
(0) [root@node ~]# printf 'ALL ALL = (root)NOPASSWD:/root/dir1/script,/root/dir1/script1,/root/dir2/script,/root/dir2/script2' >> /etc/sudoers

(0) user@node ~: sudo -u root /root/dir1/script
/root/dir2/script

Actual results:

Running sudo -u root /root/dir1/script
executes /root/dir2/script

Expected results:

(0) user@node ~: sudo -u root /root/dir2/script
/root/dir2/script
(0) user@node ~: sudo -u root /root/dir1/script1
/root/dir1/script1
(0) user@node ~: sudo -u root /root/dir2/script2
/root/dir2/script2

Additional info:

I can reproduce the issue with the latest RHEL 8.
But it's not clear why this happens.

As the customer has explained, I did strace on the normal user's shell process and see that indeed the command being passed to the execve() system call is wrong.
So, meaning that sudo is passing the wrong command arguments to the execve() call.

~~~
# less testuser.strace | grep execve
204772 00:09:18.361206 execve("/usr/bin/sudo", ["sudo", "-u", "root", "/root/dir1/script"], ["LS_COLORS=rs=0:di [...output skipped...]
204777 00:09:18.601602 execve("/usr/sbin/unix_chkpwd", ["/usr/sbin/unix_chkpwd", "testuser", "chkexpiry"], []) = 0 <0.000307>
204778 00:09:18.617734 execve("/root/dir2/script", ["/root/dir1/script"], ["LS_COLORS=rs=0:di=38;5;33:ln=38; [...output skipped...]
~~~

Searching the man page of sudoers, I see some notes related to where travelling with symlinks is allowed and where not.
But here it's like it is executing a different file altogether, so it's not making sense to me.


I found that we can use debugging in sudo using the following configuration as explained in

  A.2. Troubleshooting sudo with SSSD and sudo Debugging Logs
  https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/troubleshooting-sudo


I see that there is a matching performed to check if the command entered matches the definition given in the sudo file or not.
But here the comparison between the files /root/dir1/script and /root/dir2/script matches for some reason.
It should match the command /root/dir1/script, which is already written in the sudo file, but it's instead matching /root/dir2/script and also succeeds with the match.
~~~
# less /var/log/sudo_debug.log  | grep /root/dir
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script2": false @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] user command "/root/dir1/script" matches sudoers command "/root/dir2/script": true @ command_matches() ./match_command.c:540
Dec 31 02:16:05 sudo[66267] sudo_putenv: SUDO_COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- new_logline @ ./logging.c:1097 := TTY=pts/0 ; PWD=/home/testuser ; USER=root ; COMMAND=/root/dir1/script
Dec 31 02:16:05 sudo[66267] <- sudo_new_key_val_v1 @ ./key_val.c:63 := command=/root/dir2/script
Dec 31 02:16:05 sudo[66267]     0: command=/root/dir2/script
Dec 31 02:16:05 sudo[66267] executed /root/dir2/script, pid 66270
Dec 31 02:16:05 sudo[66270] exec /root/dir2/script [/root/dir1/script] [LS_COLORS=rs=0:di=38;5;33:ln=38;5;51:mh=00:pi=40;38;5;11:so=38;5;13:do=38;5;5:bd=48;5;232;38;5;11:cd=48;5;232;38;5;3:or=48;5;232;38;5;9:mi=01;05;37;41:su=48;5;196;38;5;15:sg=48;5;11;38;5;16:ca=48;5;196;38;5;226:tw=48;5;10;38;5;16:ow=48;5;10;38;5;21:st=48;5;21;38;5;15:ex=38;5;40:*.tar=38;5;9:*.tgz=38;5;9:*.arc=38;5;9:*.arj=38;5;9:*.taz=38;5;9:*.lha=38;5;9:*.lz4=38;5;9:*.lzh=38;5;9:*.lzma=38;5;9:*.tlz=38;5;9:*.txz=38;5;9:*.tzo=38;5;9:*.t7z=38;5;9:*.zip=38;5;9:*.z=38;5;9:*.dz=38;5;9:*.gz=38;5;9:*.lrz=38;5;9:*.lz=38;5;9:*.lzo=38;5;9:*.xz=38;5;9:*.zst=38;5;9:*.tzst=38;5;9:*.bz2=38;5;9:*.bz=38;5;9:*.tbz=38;5;9:*.tbz2=38;5;9:*.tz=38;5;9:*.deb=38;5;9:*.rpm=38;5;9:*.jar=38;5;9:*.war=38;5;9:*.ear=38;5;9:*.sar=38;5;9:*.rar=38;5;9:*.alz=38;5;9:*.ace=38;5;9:*.zoo=38;5;9:*.cpio=38;5;9:*.7z=38;5;9:*.rz=38;5;9:*.cab=38;5;9:*.wim=38;5;9:*.swm=38;5;9:*.dwm=38;5;9:*.esd=38;5;9:*.jpg=38;5;13:*.jpeg=38;5;13:*.mjpg=38;5;13:*.mjpeg=38;5;13:*.gif=38;5;13:*.bmp=38;5;13:*.pbm=38;5;13:*.pgm=38;5;13:*.ppm=38;5;13:*.tga=38;5;13:*.xbm=38;5;13:*.xpm=38;5;13:*.tif=38;5;13:*.tiff=38;5;13:*.png=38;5;13:*.svg=38;5;13:*.svgz=38;5;13:*.mng=38;5;13:*.pcx=38;5;13:*.mov=38;5;13:*.mpg=38;5;13:*.mpeg=38;5;13:*.m2v=38;5;13:*.mkv=38;5;13:*.webm=38;5;13:*.ogm=38;5;13:*.mp4=38;5;13:*.m4v=38;5;13:*.mp4v=38;5;13:*.vob=38;5;13:*.qt=38;5;13:*.nuv=38;5;13:*.wmv=38;5;13:*.asf=38;5;13:*.rm=38;5;13:*.rmvb=38;5;13:*.flc=38;5;13:*.avi=38;5;13:*.fli=38;5;13:*.flv=38;5;13:*.gl=38;5;13:*.dl=38;5;13:*.xcf=38;5;13:*.xwd=38;5;13:*.yuv=38;5;13:*.cgm=38;5;13:*.emf=38;5;13:*.ogv=38;5;13:*.ogx=38;5;13:*.aac=38;5;45:*.au=38;5;45:*.flac=38;5;45:*.m4a=38;5;45:*.mid=38;5;45:*.midi=38;5;45:*.mka=38;5;45:*.mp3=38;5;45:*.mpc=38;5;45:*.ogg=38;5;45:*.ra=38;5;45:*.wav=38;5;45:*.oga=38;5;45:*.opus=38;5;45:*.spx=38;5;45:*.xspf=38;5;45: LANG=en_US.UTF-8 HOSTNAME=rhel8.test.example.local MAIL=/var/spool/mail/testuser TERM=xterm-256color HISTSIZE=10000 
PATH=/sbin:/bin:/usr/sbin:/usr/bin LOGNAME=root USER=root HOME=/root SHELL=/bin/bash SUDO_COMMAND=/root/dir1/script SUDO_USER=testuser SUDO_UID=1011 SUDO_GID=1012]
~~~

Comment 1 Radovan Sroka 2023-01-03 10:39:11 UTC
It seems that if there are multiple symlinks with the same target in sudoers, sudo will always choose the last one.
I don't consider this to be somehow critical. It is very likely present on all RHELs.

I've created an issue on upstream:

https://github.com/sudo-project/sudo/issues/228

Comment 3 Radovan Sroka 2023-01-11 09:41:08 UTC
Apparently sudo's upstream is not willing to fix it.
There is a high risk that a fix will introduce bugs.

It's not trivial.
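
A defender's audit for the condition discussed in Comments 1 and 3, as an added example that is not part of the bug report or of sudo: it groups the command paths of a sudoers rule that resolve to the same file under the same base name and reports which one is listed last. The rule parser is deliberately simplified, the function names are hypothetical, and keying on the base name is an assumption read off the debug log above (the script2 entry did not match, the script entry did).

```python
import os
import re
import tempfile

def extract_commands(rule):
    """Command paths from one simple sudoers rule (no aliases, wildcards,
    digests or continuations: a simplification for this example)."""
    _, _, spec = rule.partition("=")
    spec = re.sub(r"\([^)]*\)", "", spec)    # drop the runas list, e.g. (root)
    spec = re.sub(r"\b[A-Z_]+:", "", spec)   # drop tags, e.g. NOPASSWD:
    words = (item.split() for item in spec.split(","))
    return [w[0] for w in words if w and w[0].startswith("/")]

def find_aliases(paths):
    """Group listed paths sharing a file AND a base name (the base-name key
    is an assumption). Returns [(paths_in_sudoers_order, last_listed), ...]."""
    groups = {}                              # dicts keep insertion order
    for p in paths:
        try:
            st = os.stat(p)                  # follows symlinks to the target
        except OSError:
            continue                         # dangling or unreadable: skip
        key = (st.st_dev, st.st_ino, os.path.basename(p))
        members = groups.setdefault(key, [])
        if p not in members:
            members.append(p)
    return [(m, m[-1]) for m in groups.values() if len(m) > 1]

def build_demo_tree(root):
    """Recreate the report's layout under root (constructed sample data)."""
    for d in ("dir1", "dir2", "common"):
        os.mkdir(os.path.join(root, d))
    target = os.path.join(root, "common", "script")
    with open(target, "w") as fh:
        fh.write("#! /bin/bash\necho $0\n")
    os.chmod(target, 0o700)
    links = ["dir1/script", "dir1/script1", "dir2/script", "dir2/script2"]
    for link in links:
        os.symlink("../common/script", os.path.join(root, link))
    cmnds = ",".join(os.path.join(root, link) for link in links)
    return "ALL ALL = (root)NOPASSWD:" + cmnds

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rule = build_demo_tree(tmp)
        for members, last in find_aliases(extract_commands(rule)):
            print("same file:", ", ".join(members), "| listed last:", last)
```

On the report's layout this flags dir1/script and dir2/script as one group with dir2/script listed last, while script1 and script2 are not flagged, which is consistent with the actual and expected results above.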

Comment 6 Radovan Sroka 2023-08-16 14:35:24 UTC
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774

