Wildcards broken in sudo / sudoers

Bug #228046 reported by pschmied on 2008-05-08
256
Affects Status Importance Assigned to Milestone
sudo
Fix Released
Unknown
sudo (Ubuntu)
Undecided
Unassigned
Declined for Gutsy by Martin Pitt
Hardy
High
Martin Pitt

Bug Description

Binary package hint: sudo

Sudo allows wildcards to be used in pathnames or command line arguments. This behavior appears to be broken in hardy, whereas I can verify that it worked in 7.04 and 7.10.

As an example, if you had a user bob who you wanted to be able to install software via apt-get, but didn't want him to remove software you might add the following entry to your sudoers file via visudo:

bob ALL=/usr/bin/apt-get install [A-z]*

This would enable bob to run "apt-get install $FOO", but not "apt-get remove $FOO"

Under Hardy, bob is out of luck. Bob gets a "Sorry, user bob is not allowed to execute '/usr/bin/apt-get install foo' as root on hostname." error

The "sudoers" man page suggests that the wildcard matching is done via the POSIX fnmatch(3) routine. Could it be that this is failing? I'm not sure how to test for that.

Furthermore, there is a possible (though probably edge-case) local security risk for people bringing rulesets forward that involve wildcard deny statements. As a simple example, I'd like alice to be able to list any file or directory as root, except if the file / directory begins with "foo" because those directories are top secret:

alice ALL = /bin/ls, !/bin/ls foo[A-z]*

I can verify that sudo improperly allows alice to "sudo ls fooSecret"

Sudo behaves correctly when the wildcard match is removed from the negation statement:

alice ALL = /bin/ls, !/bin/ls foo

alice$> sudo ls bar
these files are not secret

alice$> sudo ls foo
Sorry, user alice is not allowed to execute '/bin/ls foo' as root on hostname.

pschmied (peter-thoughtspot) wrote :

Hmm... Has anyone looked at this? Sudo would seem like a bad application to have counter-documented behavior in?

pschmied (peter-thoughtspot) wrote :

Hello? Is anyone even reading this? I'd be okay with a "you're wrong" but it seems bad form to leave a bug tagged as a security bug undecided for over a month.

Is sudo not important? I understand this isn't the most common use case, but having bugs in critical bits of your security infrastructure isn't cool.

Martin Pitt (pitti) wrote :

I confirmed this bug in Hardy.

Changed in sudo:
importance: Undecided → High
status: New → Triaged
Martin Pitt (pitti) wrote :

... and verified that it is fixed in Intrepid.

Changed in sudo:
status: New → Fix Released
status: Triaged → Incomplete
Martin Pitt (pitti) wrote :

Sorry, not fixed in intrepid, I made a typo. Interestingly, [a-Z]* works, although it should not match anything.

Changed in sudo:
status: Incomplete → Triaged
status: Fix Released → Triaged
Martin Pitt (pitti) wrote :

Interestingly, using [a-Z] works, which is ASCIIbetically wrong, though. I submitted a detailled analysis upstream.

Changed in sudo:
status: Unknown → Confirmed
Changed in sudo:
status: Confirmed → In Progress
Changed in sudo:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Quoting upstream:

   "The problem appears to be related to locales. With LANG=en_US.UTF-8
the fnmatch() routine in glibc does not match "foo" against "[A-z]*",
but if LANG is not defined (or if it is defined to "C") the matching
happens as expected. The problem is that [A-z] is fundamentally
non-portable when locales are taken into account. You should either
use [[\:alpha\:]] or [A-Za-z]. I'll update the sudo documentation
accordingly.

I'll apply the upstream patch to intrepid now and think about the impact in Hardy.

Changed in sudo:
status: Triaged → In Progress
Martin Pitt (pitti) wrote :
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.6.9p17-1ubuntu2

---------------
sudo (1.6.9p17-1ubuntu2) intrepid; urgency=low

  * sudo.c: Drop usage of locale again, to revert back to the 1.6.8 behaviour.
    fnmatch() and glob() behave differently under different locales and thus
    cause undefined behaviour with (admittedly underspecified) character range
    globs such as "[a-Z]". Patch taken from upstream CVS, see
    http://www.gratisoft.us/bugzilla/show_bug.cgi?id=296 (LP: #228046)

 -- Martin Pitt <email address hidden> Mon, 01 Sep 2008 15:05:52 +0200

Changed in sudo:
status: In Progress → Fix Released
Martin Pitt (pitti) wrote :

Uploaded to hardy-proposed, awaiting approval from Steve.

Changed in sudo:
assignee: nobody → pitti
status: Triaged → In Progress
Martin Pitt (pitti) wrote :

Accepted into -proposed, please test and give feedback here. Please see https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in sudo:
status: In Progress → Fix Committed
pschmied (peter-thoughtspot) wrote :

I tested the cases outlined in original bug report against the sudo package in -proposed. Sudo now works as documented / expected. Thank you, and please release.

Cheers,
Peter

Martin Pitt (pitti) wrote :

Copied to hardy-updates.

Changed in sudo:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.