Default user changed without warning #290

Closed
rodrigorc opened this issue Jul 15, 2023 · 4 comments

@rodrigorc

Hi!
I recently upgraded from sudo 1.9.13.p3 to 1.9.14.p1 in my ArchLinux system, and the default user for sudo changed automatically from root to my regular user rodrigo. That is, when I run sudo -i it used to start a root shell; now it starts a rodrigo shell, which is quite useless.
The obvious workaround, after I panicked and thought I had a rootkit and recovered, is to run sudo -i -u root.

I've checked my customized configuration and it all comes down to this custom rule in my sudoers.d subdir:

ALL ALL=(:mygroup) NOPASSWD: ALL

I changed it to:

ALL ALL=(ALL:mygroup) NOPASSWD: ALL

and everything is back to normal. So no real harm done.

I'm opening this issue for the benefit of others that may encounter this. Is it a bug? A fix of a pre-existing bug? Or a subtle change in the intended behavior? I checked the change-logs and saw nothing about this.

@rodrigorc
Author

Now, writing:

ALL ALL=(ALL:mygroup) NOPASSWD: ALL

allows me to run any command as root without a password; that is not good! I could change it to:

ALL ALL=(rodrigo:mygroup) NOPASSWD: ALL

but that means that any user can run any command as rodrigo without a password; that is not my intention. I would like any user to run a command as group mygroup but with its own uid.

@millert
Collaborator

millert commented Jul 15, 2023

Thanks for your report. A bug was introduced in sudo 1.9.14 where a line like:

ALL ALL=(:mygroup) NOPASSWD: ALL

can match if no user was explicitly specified on the command line (e.g. sudo -u), overriding an earlier rule. I'm investigating it now and should have a new sudo release out with a fix early next week.

In the meantime, you should be able to work around the problem by changing the order of the sudoers rules. Since sudo takes the last match, if the above rule is parsed before a rule like:

rodrigo ALL = ALL

then the later rule will be the one that matches.

millert added a commit that referenced this issue Jul 15, 2023
… user.

We should only match a rule with an empty runas user if a group was
specified on the command line (sudo -g) without a user (no -u option)
or the user specified their own name on the command line.
GitHub issue #290
@rodrigorc
Author

Thanks @millert for the quick answer!

I moved the line for the wheel group:

%wheel ALL=(ALL:ALL) ALL

to the very end of the sudoers file, and it works fine again.
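
The reordering workaround from the comments above, as an added example that is not part of the original thread and is not sudo's own code: a simplified last-match check that reports whether the final rule applying to a user has an empty runas user with a runas group, the rule shape the 1.9.14 bug mis-matched. The function names and sample rule lists are constructed for illustration; the model ignores hosts, commands, aliases, negation and include directives.

```python
import re

# Simplified user-spec shape: who hosts = (runas_user:runas_group) rest
RULE = re.compile(r"^([^\s=]+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")
# Line types this sketch does not model (comments, includes, Defaults, aliases).
SKIP = ("#", "@", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def parse(lines):
    """Return user-spec rules in file order, with the runas part split out."""
    rules = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(SKIP):
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, _hosts, runas, _rest = m.groups()
        ru, _, rg = (runas or "").partition(":")
        rules.append({"n": n, "who": who, "runas_user": ru.strip(),
                      "runas_group": rg.strip(), "text": line})
    return rules

def applies(who, user, groups):
    """Assumed matching: ALL, the exact user name, or %group membership."""
    return who == "ALL" or who == user or (who.startswith("%") and who[1:] in groups)

def last_match(lines, user, groups=()):
    """sudo takes the last matching rule, so return the final applicable one."""
    hits = [r for r in parse(lines) if applies(r["who"], user, groups)]
    return hits[-1] if hits else None

def at_risk(lines, user, groups=()):
    """True if the last rule for this user is group-only, e.g. (:mygroup)."""
    r = last_match(lines, user, groups)
    return bool(r) and r["runas_user"] == "" and r["runas_group"] != ""

# Constructed rule order resembling the report: group-only rule parsed last.
BEFORE = ["root ALL=(ALL:ALL) ALL",
          "%wheel ALL=(ALL:ALL) ALL",
          "ALL ALL=(:mygroup) NOPASSWD: ALL"]
# Constructed order after the workaround: the wheel rule moved to the end.
AFTER = ["root ALL=(ALL:ALL) ALL",
         "ALL ALL=(:mygroup) NOPASSWD: ALL",
         "%wheel ALL=(ALL:ALL) ALL"]

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, "at risk:", at_risk(rules, "rodrigo", {"wheel"}))
```
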

millert added a commit that referenced this issue Jul 16, 2023
… user.

We should only match a rule with an empty runas user if a group was
specified on the command line (sudo -g) without a user (no -u option)
or the user specified their own name on the command line.
GitHub issue #290

--HG--
branch : 1.9
@millert
Collaborator

millert commented Jul 17, 2023

Closing this now that sudo 1.9.14p2 is out.

@millert millert closed this as completed Jul 17, 2023