Bug 531369 - unable to consistently exec lengthy commands which should be permitted with wildcard + NOPASSWD in sudoers
Status: CLOSED DUPLICATE of bug 521778
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.3
Hardware: i386
OS: Linux
Priority: low
Severity: high
Assigned To: Daniel Kopeček
QA Contact: BaseOS QE Security Team
Reported: 2009-10-27 17:49 EDT by Nick Silkey
Modified: 2009-10-30 09:10 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-10-30 09:10:10 EDT
Description Nick Silkey 2009-10-27 17:49:46 EDT
Description of problem:
When using a wildcard in a NOPASSWD sudoers statement, lengthy command paths which fall under the wildcard pattern sometimes fail to permit access.


Version-Release number of selected component (if applicable):
sudo-1.6.9p17-3.el5
Red Hat Enterprise Linux Server release 5.3 (Tikanga)


How reproducible:
Every time


Steps to Reproduce:
1. Stand up a wildcard permit in sudoers with NOPASSWD.
2. Matching the wildcard pattern, try to execute a lengthy command.
(See example below) 

  
Actual results:
User is prompted for a password even though NOPASSWD is specified (and returned with a sudo -l as the user).


Expected results:
User should be permitted to exec with NOPASSWD.


Additional info:
[root@vm-dpltstapp-01 ~]# cd /etc/init.d/
[root@vm-dpltstapp-01 init.d]# md5sum memcached-dpltst-01.yale.edu memcached1
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached1
[root@vm-dpltstapp-01 init.d]# md5sum memcached-dpltst-02.yale.edu memcached2
6887b35587593b487cb32c12639448b8  memcached-dpltst-02.yale.edu
6887b35587593b487cb32c12639448b8  memcached2
[root@vm-dpltstapp-01 init.d]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ echo "/etc/init.d/memcached1" | wc
      1       1      23
[anta@vm-dpltstapp-01 ~]$ echo "/etc/init.d/memcached-dpltst-01.yale.edu" | wc
      1       1      41
[anta@vm-dpltstapp-01 ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
[anta@vm-dpltstapp-01 ~]$ rpm -qa | grep ^sudo
sudo-1.6.9p17-3.el5
Comment 1 Nick Silkey 2009-10-27 18:02:11 EDT
These are the offending sudoers bits:

[root@vm-dpltstapp-01 init.d]# grep ANTUSERS /etc/sudoers
User_Alias ANTUSERS=anta
ANTUSERS DPLWEBSYS = NOPASSWD: /etc/init.d/httpd graceful, /etc/init.d/memcached*

Which yields the following reproducible behavior:

[root@vm-dpltstapp-01 init.d]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ 

Which yields the following in secure:

Oct 27 17:58:46 vm-dpltstapp-01 su: pam_unix(su-l:session): session opened for user anta by rs253(uid=0)
Oct 27 17:59:01 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=list
Oct 27 17:59:07 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached1
Oct 27 17:59:09 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached2
Oct 27 17:59:14 vm-dpltstapp-01 sudo:     anta : TTY=pts/0 ; PWD=/home/anta ; USER=root ; COMMAND=/etc/init.d/memcached-dpltst-01.yale.edu
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_krb5[24183]: authentication fails for 'anta' (anta@NET.YALE.EDU): User not known to the underlying authentication module (Client not found in Kerberos database)
Oct 27 17:59:25 vm-dpltstapp-01 sudo: pam_unix(sudo:auth): authentication failure; logname=rs253 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=anta
Oct 27 17:59:30 vm-dpltstapp-01 su: pam_unix(su-l:session): session closed for user anta

NB: We kerberize sudo, but anta is a local account which doesn't exist in the KDCs. I assume the net.yale.edu line is due to the carriage returns I sent when greeted with the unexpected 'Password:' prompt.
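The two sudoers command specs quoted in this comment, run through a small model of sudoers command matching. This is an added illustration by the editor, not sudo's source and not anything attached to the bug; it implements only the pattern rules documented in sudoers(5) (the command path is matched with fnmatch(3) under FNM_PATHNAME, so a wildcard does not cross a '/'; a rule with no arguments permits any arguments; an argument pattern is matched without FNM_PATHNAME, so a wildcard there also matches spaces) and models none of the further checks the real binary performs after the pattern match. The function names, the command list (taken from the names in the report) and the /bin/cat rule are the editor's. By pattern alone, every memcached script name in the report matches /etc/init.d/memcached*, so a password prompt for one of them is not an outcome of the wildcard pattern itself.

```python
"""Editor's model of sudoers(5) command matching (not sudo's own code)."""
import re


def _glob_to_regex(pattern, pathname):
    """Translate a shell glob into an anchored regex.

    pathname=True mimics FNM_PATHNAME: '*' and '?' stop at '/'.
    pathname=False lets them match anything, including spaces and '/'.
    """
    any_char = "[^/]" if pathname else "."
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:                      # unterminated class: literal '['
                out.append(re.escape(c))
            else:
                cls = pattern[i + 1:j]
                if cls.startswith("!"):      # shell negation -> regex negation
                    cls = "^" + cls[1:]
                out.append("[" + cls.replace("\\", "\\\\") + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + r"\Z", re.DOTALL)


def fnmatch(pattern, string, pathname):
    """fnmatch(3) with or without FNM_PATHNAME semantics."""
    return _glob_to_regex(pattern, pathname).match(string) is not None


def rule_matches(rule, user_cmnd, user_args=""):
    """Does one sudoers command spec permit user_cmnd with user_args?

    rule is the text after the tag, e.g. '/etc/init.d/httpd graceful'
    or '/etc/init.d/memcached*'.  user_cmnd is the fully qualified path
    sudo resolved; user_args is the argument string joined by spaces.
    """
    parts = rule.split(None, 1)
    rule_cmnd = parts[0]
    rule_args = parts[1] if len(parts) > 1 else None
    # Command path: FNM_PATHNAME, so '*' does not match across '/'.
    if not fnmatch(rule_cmnd, user_cmnd, pathname=True):
        return False
    if rule_args is None:          # no args in sudoers: any args allowed
        return True
    if rule_args == '""':          # explicit "" in sudoers: no args allowed
        return user_args == ""
    # Argument string: no FNM_PATHNAME, so '*' also matches spaces.
    return fnmatch(rule_args, user_args, pathname=False)


def permitted(rules, user_cmnd, user_args=""):
    """True if any rule in the list permits the command."""
    return any(rule_matches(r, user_cmnd, user_args) for r in rules)


# Constructed from Comment 1's sudoers line and the script names in the report.
PAGE_RULES = ["/etc/init.d/httpd graceful", "/etc/init.d/memcached*"]
PAGE_COMMANDS = [
    "/etc/init.d/memcached1",
    "/etc/init.d/memcached2",
    "/etc/init.d/memcached-dpltst-01.yale.edu",
    "/etc/init.d/memcached-dpltst-02.yale.edu",
]

if __name__ == "__main__":
    for cmd in PAGE_COMMANDS:
        print(cmd, "->", "match" if permitted(PAGE_RULES, cmd) else "no match")
    # Editor's caveat example: a wildcard in the argument part crosses spaces,
    # so this rule also permits reading a second, unintended file.
    print(rule_matches("/bin/cat /var/log/messages*",
                       "/bin/cat", "/var/log/messages /etc/shadow"))
```

The last line is the caveat sudoers(5) itself gives for argument wildcards: `/bin/cat /var/log/messages*` also permits `cat /var/log/messages /etc/shadow`. The rules in this bug put the wildcard in the command path, where FNM_PATHNAME keeps it inside /etc/init.d, but because neither rule lists arguments they permit any arguments to any matching script.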
Comment 2 Nick Silkey 2009-10-28 11:48:50 EDT
Additional hacking on the permit in sudoers:

/etc/init.d/*
===
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/* 
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3 
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu 
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu 
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu 
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu 
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu


/etc/init.d/m*
===
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/m*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1 
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3 
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu 
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu 
Password: 
Password: 
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu 
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached1 /etc/init.d/memcached-dpltst-01.yale.edu 
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached1
7261557266ed1a201908e8c91dc55a8f  /etc/init.d/memcached-dpltst-01.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached2 /etc/init.d/memcached-dpltst-02.yale.edu 
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached2
6887b35587593b487cb32c12639448b8  /etc/init.d/memcached-dpltst-02.yale.edu
[anta@vm-dpltstapp-01 ~]$ md5sum /etc/init.d/memcached3 /etc/init.d/memcached-dpltst-03.yale.edu 
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached3
8e3b1d61552c7055f6d3f9ddaf83d025  /etc/init.d/memcached-dpltst-03.yale.edu
Comment 3 Nick Silkey 2009-10-28 15:27:30 EDT
Setting init scripts to the same:

[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu 
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu 
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu 
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
7261557266ed1a201908e8c91dc55a8f  memcached2
7261557266ed1a201908e8c91dc55a8f  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-02.yale.edu
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-03.yale.edu

Setting host to ALL with varying init scripts:

[anta@vm-dpltstapp-01 init.d]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached1 
Usage: ./memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached2 
Usage: ./memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached3 
Usage: ./memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-01.yale.edu 
Usage: ./memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-02.yale.edu 
Usage: ./memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ sudo ./memcached-dpltst-03.yale.edu 
Usage: ./memcached-dpltst-03.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 init.d]$ md5sum memcached*
7261557266ed1a201908e8c91dc55a8f  memcached1
6887b35587593b487cb32c12639448b8  memcached2
8e3b1d61552c7055f6d3f9ddaf83d025  memcached3
7261557266ed1a201908e8c91dc55a8f  memcached-dpltst-01.yale.edu
6887b35587593b487cb32c12639448b8  memcached-dpltst-02.yale.edu
8e3b1d61552c7055f6d3f9ddaf83d025  memcached-dpltst-03.yale.edu
Comment 4 Nick Silkey 2009-10-28 16:46:25 EDT
The touch function doesn't appear to work as described by RH support:
 
[root@vm-dpltstapp-01 ~]# \mv /etc/init.d/memcached{1,2,3} ~rs253/
[root@vm-dpltstapp-01 ~]# touch /etc/init.d/memcached
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Password:  
Password:  
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
 
Moreover with the short names gone, the bug persists:
 
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Password:  
Password:  
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
 
Oddly enough, this appears functional (without stripping the HOST field from the permit):
 
[root@vm-dpltstapp-01 ~]# cp ~rs253/memcached{1,2,3} /etc/init.d/
[root@vm-dpltstapp-01 ~]# su - anta
[anta@vm-dpltstapp-01 ~]$ sudo -l
User anta may run the following commands on this host:
    (root) NOPASSWD: /etc/init.d/httpd graceful
    (root) NOPASSWD: /etc/init.d/memcached*
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached1  
Usage: /etc/init.d/memcached1 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached2  
Usage: /etc/init.d/memcached2 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached3  
Usage: /etc/init.d/memcached3 {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-01.yale.edu  
Usage: /etc/init.d/memcached-dpltst-01.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-02.yale.edu  
Usage: /etc/init.d/memcached-dpltst-02.yale.edu {start|stop|restart}
[anta@vm-dpltstapp-01 ~]$ sudo /etc/init.d/memcached-dpltst-03.yale.edu  
Usage: /etc/init.d/memcached-dpltst-03.yale.edu {start|stop|restart}
Comment 5 Daniel Kopeček 2009-10-30 09:10:10 EDT

*** This bug has been marked as a duplicate of bug 521778 ***
