Bug 571858 - command paths in config that end in *.* let any command be run
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Daniel Kopeček
QA Contact: BaseOS QE Security Team
Reported: 2010-03-09 12:53 EST by Chris
Modified: 2011-08-22 08:15 EDT
Fixed In Version: 1.7.2p1
Doc Type: Bug Fix
Last Closed: 2011-08-22 08:15:08 EDT
Attachments: None

Description Chris 2010-03-09 12:53:34 EST
Description of problem:
I was trying to figure out why our tech support couldn't run some
commands from an /app/bin/ directory.  When I tried an experiment with
/app/bin/*.*, I found that I could then run any command that I wanted.

Version-Release number of selected component (if applicable):
1.6.9p17

How reproducible:
Always

Steps to Reproduce:
1. Set up a runnable command path that ends in *.*
2. Run any privileged command that should not be allowed.

Actual results:
[~]# sudo /sbin/iptables
...
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand '/bin/zcat' ... not
sudo: ldap sudoCommand '/usr/local/bin/gem' ... not
sudo: ldap sudoCommand '/usr/bin/tail' ... not
sudo: ldap sudoCommand '/bin/ls' ... not
sudo: ldap sudoCommand '/bin/grep' ... not
sudo: ldap sudoCommand '/bin/cat' ... not
sudo: ldap sudoCommand '/usr/bin/pear' ... not
sudo: ldap sudoCommand '/usr/local/bin/pear' ... not
sudo: ldap sudoCommand '/usr/local/php5/bin/pear' ... not
sudo: ldap sudoCommand '/usr/bin/gem' ... not
sudo: ldap sudoCommand '/usr/bin/nano' ... not
sudo: ldap sudoCommand '/usr/bin/rvim' ... not
sudo: ldap sudoCommand '/usr/sbin/exim' ... not
sudo: ldap sudoCommand '/usr/sbin/exiwhat' ... not
sudo: ldap sudoCommand '/usr/sbin/pam_abl' ... not
sudo: ldap sudoCommand '/app/bin/*' ... not
sudo: ldap sudoCommand '/app/bin/*.*' ... MATCH!
sudo: ldap sudoRunAs 'root' ... MATCH!
sudo: Perfect Matched!
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(0)=0x22
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.

Expected results:
Commands that aren't listed in the config or aren't in those paths should not execute.

Additional info:
I originally filed this with the sudo bug tracker.  I was told this had been fixed in 1.6.9p19.
http://www.gratisoft.us/bugzilla/show_bug.cgi?id=397
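As an added example (not code from the report or from sudo itself): a small audit that lists the wildcard command specs in a constructed sudoers-style sample and checks each against the matching rule sudoers(5) documents, namely that a wildcard never matches a '/'. Under that rule '/app/bin/*.*' cannot match /sbin/iptables, which is the expected result the report says 1.6.9p17 violated.

```python
import re

# Constructed sudoers-style sample (not taken from the report); the
# '/app/bin/*.*' entry mirrors the LDAP sudoCommand that matched in the log.
SAMPLE_SUDOERS = """\
Cmnd_Alias SUPPORT = /bin/zcat, /usr/bin/tail, /bin/ls, /bin/grep
Cmnd_Alias APPS = /app/bin/*, /app/bin/*.*
support ALL = (root) NOPASSWD: SUPPORT, APPS
"""
WILDCARD = re.compile(r"[*?\[]")

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a sudoers command glob into a regex with FNM_PATHNAME
    semantics: sudoers(5) documents that wildcards never match a '/'."""
    parts = []
    for tok in re.findall(r"\[[^\]]*\]|\*|\?|\[|[^*?\[]+", pattern):
        if tok == "*":
            parts.append("[^/]*")
        elif tok == "?":
            parts.append("[^/]")
        elif len(tok) > 2 and tok[0] == "[":
            parts.append("[^" + tok[2:] if tok[1] == "!" else tok)  # '!' negates a class
        else:
            parts.append(re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")

def command_allowed(spec: str, command: str) -> bool:
    """Expected behaviour of one command spec: an exact path must be equal,
    a wildcard spec matches only full paths that fit the whole glob."""
    if WILDCARD.search(spec):
        return glob_to_regex(spec).match(command) is not None
    return spec == command

def wildcard_specs(sudoers_text: str) -> list:
    """Audit helper: every absolute-path command spec containing a wildcard,
    the entries worth reviewing on sudo builds older than the fixed version."""
    found = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if "=" not in line:
            continue
        for path in re.findall(r"/\S+", line.split("=", 1)[1]):
            path = path.rstrip(",")
            if WILDCARD.search(path) and path not in found:
                found.append(path)
    return found

if __name__ == "__main__":
    for spec in wildcard_specs(SAMPLE_SUDOERS):
        print(f"{spec}: /sbin/iptables allowed? {command_allowed(spec, '/sbin/iptables')}")
```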
Comment 1 Tomas Hoger 2010-04-08 09:21:44 EDT
Were you able to reproduce with local sudoers too?  What is the exact sudo version?  Do you still see the problem with 1.7.2p1 from RHEL-5.5:
  http://rhn.redhat.com/errata/RHBA-2010-0212.html
Comment 2 Chris 2010-09-07 10:36:22 EDT
I apologize for the huge delay in response.  I somehow completely forgot that I filed this bug.

Everything is working correctly with 1.7.2p1.
