sudo/sudoers ignores command argument quoting

Bug #1174123 reported by maiself
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
sudo (Ubuntu) | New | Undecided | Unassigned |

Bug Description

In sudoers I have:

 mai ALL=(root) NOPASSWD: /usr/bin/sux warcraft $HOME/run_roc

When I run:

 sudo sux warcraft '$HOME/run_roc'

Warcraft starts up correctly, without needing a password, as the warcraft user:

 mai@mini:~$ sudo sux warcraft '$HOME/run_roc'
 wine: cannot find L"C:\\windows\\system32\\winemenubuilder.exe"
 # more wine warnings... warcraft starts

However, if I rearrange the single quotes...

 mai@mini:~$ sudo sux 'warcraft $HOME/run_roc'
 warcraft@mini:/home/mai$

I get a shell for warcraft...

sudo seems to match commands in sudoers as if the arguments are not quoted, allowing users to run commands that they should be prevented from running. This could lead to users gaining extra privileges or in some way damaging the system.

Ubuntu 12.04.2 LTS
sudo version 1.8.3p1-1ubuntu3.4
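
The matching behaviour described in the report above, as an added example that is not part of the original report and is not sudo's code. It is a simplified model that assumes the arguments are joined with spaces before being compared with the sudoers argument text, and that `sux` resolves to `/usr/bin/sux`; the function names are hypothetical.

```python
import fnmatch
import shlex

# Constructed from the report's sudoers line (command, then its argument text).
RULE_CMND = "/usr/bin/sux"
RULE_ARGS = "warcraft $HOME/run_roc"
# Assumption: PATH lookup resolves the bare name to the path in the rule.
RESOLVED = {"sux": "/usr/bin/sux"}


def argv_from_shell(line):
    """Split a command line the way the shell hands it to sudo (no expansion
    happens inside single quotes, and shlex never expands variables)."""
    words = shlex.split(line)
    if len(words) < 2 or words[0] != "sudo":
        raise ValueError("expected a 'sudo <command> ...' line")
    argv = words[1:]
    argv[0] = RESOLVED.get(argv[0], argv[0])
    return argv


def flat_match(argv):
    """Model of the reported behaviour: arguments are joined with spaces and
    the resulting string is glob-matched against the rule's argument text."""
    joined = " ".join(argv[1:])
    return argv[0] == RULE_CMND and fnmatch.fnmatchcase(joined, RULE_ARGS)


def argv_match(argv):
    """Boundary-aware check: every rule word must be its own argv element."""
    return argv == [RULE_CMND] + RULE_ARGS.split()


def compare(lines):
    """Return (argument count, flat result, boundary-aware result) per line."""
    out = []
    for line in lines:
        argv = argv_from_shell(line)
        out.append((len(argv) - 1, flat_match(argv), argv_match(argv)))
    return out


if __name__ == "__main__":
    for row in compare(["sudo sux warcraft '$HOME/run_roc'",
                        "sudo sux 'warcraft $HOME/run_roc'"]):
        print(row)
```

Both invocations pass the flattened comparison, but only the first passes the element-by-element one. A wrapper that is listed in sudoers with fixed arguments can apply the same element-by-element check to its own argv before acting on it.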

Marc Deslauriers (mdeslaur) wrote: Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public