runas_userlist_matches: fix matching a Runas_Spec with an empty runas…
… user. We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290
Showing
4 changed files
with
226 additions
and
2 deletions.
@@ -0,0 +1,117 @@ | ||
This should match the 'ALL=ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should match the 'ALL=ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should match the 'ALL=(:staff) NOPASSWD: ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should match the 'ALL=(:staff) NOPASSWD: ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should match the 'ALL=(:staff) NOPASSWD: ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should match the 'ALL=(:staff) NOPASSWD: ALL' rule. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas allowed | ||
cmnd allowed | ||
|
||
Command allowed | ||
|
||
This should not match any rules. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = (admin : staff) NOPASSWD: ALL | ||
host allowed | ||
runas unmatched | ||
|
||
Command unmatched | ||
|
||
This should not match any rules. | ||
Parses OK | ||
|
||
Entries for user admin: | ||
|
||
ALL = ALL | ||
host allowed | ||
runas unmatched | ||
|
||
ALL = (admin : users) NOPASSWD: ALL | ||
host allowed | ||
runas unmatched | ||
|
||
Command unmatched |
@@ -0,0 +1,99 @@ | ||
#!/bin/sh | ||
# | ||
# Verify that a rule with an empty Runas user matches correctly. | ||
# | ||
|
||
: ${TESTSUDOERS=testsudoers} | ||
|
||
exec 2>&1 | ||
|
||
status=0 | ||
|
||
echo "This should match the 'ALL=ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group \ | ||
admin /bin/ls <<'EOF' | ||
admin ALL = ALL | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should match the 'ALL=ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g staff \ | ||
admin /bin/ls <<'EOF' | ||
admin ALL = ALL | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g staff \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u admin \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u admin -g staff \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -ne 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should not match any rules." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g guest \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:staff) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -eq 0 ]; then | ||
status=1 | ||
fi | ||
|
||
echo "" | ||
echo "This should not match any rules." | ||
$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u root -g users \ | ||
admin /bin/ls <<'EOF' | ||
ALL ALL=(:users) NOPASSWD: ALL | ||
admin ALL = ALL | ||
EOF | ||
if [ $? -eq 0 ]; then | ||
status=1 | ||
fi | ||
|
||
exit $status |
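Review bot: The two negative cases at the end of the script (`-g guest` and `-u root -g users`) pass on any non-zero exit from `$TESTSUDOERS`, so a run that fails for an unrelated reason, such as `TESTDIR` being unset and the `-p`/`-P` paths collapsing to `/passwd` and `/group`, looks the same by exit status as the intended "runas unmatched" result. These cases guard the authorization boundary the commit tightens, so the script should fail fast when the fixture directory is missing, e.g. `: ${TESTDIR:?TESTDIR must be set}` next to the `TESTSUDOERS` default. The expansions should also be quoted as `"${TESTDIR}/passwd"` and `"${TESTDIR}/group"`. Because of `exec 2>&1`, the expected-output file added in this commit would presumably catch such a failure if the harness diffs the output, but that comparison is not visible here.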