
diagnostics improvements TODO list

Open japaric opened this issue 2 years ago • 3 comments

  • [x] sudo -g ghosts where the target group does not exist. relevant test
    • ogsudo: sudo: unknown group: ghosts
    • sudo-rs: Error: GroupNotFound("ghosts")
  • [x] sudo -u ghost where the target user does not exist. relevant test
    • ogsudo: sudo: unknown user: ghost
    • sudo-rs: UserNotFound("ghost")
  • [x] sudoers is group writable. relevant test
    • ogsudo: /etc/sudoers is owned by gid 1234, should be 0
    • sudo-rs: Error: Configuration("no valid sudoers file: /etc/sudoers.test cannot be group-writable")
  • [x] sudoers is world writable. relevant test
    • ogsudo: sudo: /etc/sudoers is world writable
    • sudo-rs: Error: Configuration("no valid sudoers file: /etc/sudoers.test cannot be world-writable")
  • [x] sudoers is not owned by root. relevant test
    • ogsudo: sudo: /etc/sudoers is owned by uid 1000, should be 0
    • sudo-rs: Error: Configuration("no valid sudoers file: /etc/sudoers.test cannot be world-writable")
  • [ ] user is in sudoers but other user spec constraints are not met. relevant tests: cmnd (2 tests), run_as (6 tests)
    • ogsudo: user root is not allowed to execute '/bin/true' as root
    • sudo-rs: Error: Authentication("no permission")
  • [ ] sudoers: hostname mismatch. relevant tests: 1, 2
    • ogsudo: root is not allowed to run sudo on HOSTNAME
    • sudo-rs: Error: Authentication("no permission")
  • [ ] user is not in sudoers. relevant tests: 1, 2
    • ogsudo: root is not in the sudoers file
    • sudo-rs: Error: Authentication("no permission")
  • [x] program not found in PATH. relevant test
    • ogsudo: sudo: my-script: command not found
    • sudo-rs: Error: InvalidCommand
  • [x] sudo -g #1234 where the target group does not exist. relevant test
    • ogsudo: sudo: unknown group: #1234
    • sudo-rs: Error: GroupNotFound("#1234")
  • [x] sudo -u #1234 where the target user does not exist. relevant test
    • ogsudo: sudo: unknown user: #1234
    • sudo-rs: Error: UserNotFound("#1234")
  • [x] invoking user is not in the passwd database. relevant test
    • ogsudo: Error: UserNotFound("current user")
    • sudo-rs: sudo: you do not exist in the passwd database
  • [ ] using --chdir flag when CWD is not set in sudoers. relevant test
    • ogsudo: you are not permitted to use the -D option with /path/to/command
    • sudo-rs: authentication failed, no permission (could be more precise)
  • [ ] no password provided. relevant test
    • ogsudo: no password was provided
    • sudo-rs: sudo-rs: PAM error: PAM returned an error (AuthError): Authentication failure (looks like debug representation)
  • [ ] wrong password provided. relevant test
    • ogsudo: incorrect password attempt
    • sudo-rs: sudo-rs: PAM error: PAM returned an error (AuthError): Authentication failure (looks like debug representation)
  • [ ] SHELL=/does/not/exist sudo -s. relevant test
    • ogsudo: sudo: /does/not/exist: command not found
    • sudo-rs: IO error: No such file or directory (it could mention the program's path)
  • [ ] SHELL=/non/executable/file sudo -s. relevant test
    • ogsudo: sudo: /non/executable/file: command not found
    • sudo-rs: IO error: Permission denied (it could mention the program's path)
  • [ ] sudo -u ferris -i where the target user's shell does not exist. relevant test
    • ogsudo: sudo: /does/not/exist: command not found
    • sudo-rs: IO error: No such file or directory (it could mention the program's path)
  • [ ] sudo -u ferris -i where the target user does not have sufficient permissions to use the shell. relevant test
    • ogsudo: sudo: /root/some-shell: command not found
    • sudo-rs: IO error: Permission denied (it could mention the program's path)

japaric avatar Mar 31 '23 13:03 japaric

I've left some of the bullet lists open, as we just give a (temporarily playful) "not allowed" message; I think that is a pretty good error message; as soon as we do sudo -l we can easily retrieve more detailed information why authentication failed (if we care to inform the user).

One reason to delay that would be that right now the check_permission function is pretty tiny (and "in the critical path"), whereas anything we would do for sudo -l would not be.

squell avatar Apr 04 '23 14:04 squell

Using sudo-rs a bit, I think the error messages are still very clunky, like: sudo-rs: PAM error: PAM returned an error (AuthError): Authentication failure.

This makes sense from a programmer POV, but this is one of the error modes normal users that don't know (or need to know) what PAM is are going to see a lot and it should be a nice message like

sudo-rs: authentication failed

We should probably get rid of ThisError since it makes it easy to make user experience mistakes like this.

squell avatar Apr 14 '23 19:04 squell
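An added example, not sudo-rs code, illustrating the point made in the comment above: when an error is rendered through its derived `Debug` form, the user sees internals such as `GroupNotFound("ghosts")`, whereas a hand-written `Display` can produce the ogsudo-style wording collected in this issue. The `SudoError` enum, its variants and the `user_message`/`debug_message` helpers are assumptions for this example; the message texts are modelled on the ogsudo output listed above.

```rust
// Added example (not sudo-rs code). Contrasts the derived `Debug` rendering of an
// error (the "debug representation" the issue complains about) with a `Display`
// implementation that yields user-facing messages. The enum is an assumption.
use std::fmt;

#[derive(Debug)]
pub enum SudoError {
    UserNotFound(String),
    GroupNotFound(String),
    CommandNotFound(String),
    NotAllowed { user: String, command: String, target: String },
    Configuration(String),
    AuthFailed,
}

impl fmt::Display for SudoError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            // `{u}` (Display) rather than `{u:?}` (Debug): the latter is what
            // produces stray quotes such as `"foo"' in a message.
            SudoError::UserNotFound(u) => write!(f, "unknown user: {u}"),
            SudoError::GroupNotFound(g) => write!(f, "unknown group: {g}"),
            SudoError::CommandNotFound(c) => write!(f, "{c}: command not found"),
            SudoError::NotAllowed { user, command, target } => write!(
                f,
                "user {user} is not allowed to execute '{command}' as {target}"
            ),
            SudoError::Configuration(msg) => write!(f, "{msg}"),
            // Deliberately says nothing about PAM: the user does not need to know.
            SudoError::AuthFailed => write!(f, "authentication failed"),
        }
    }
}

impl std::error::Error for SudoError {}

/// What a CLI should print: program name, colon, the Display text.
pub fn user_message(err: &SudoError) -> String {
    format!("sudo-rs: {err}")
}

/// What printing the derived Debug form produces (the style shown in the issue).
pub fn debug_message(err: &SudoError) -> String {
    format!("sudo-rs: Error: {err:?}")
}

fn main() {
    // Constructed sample errors, mirroring cases from the TODO list above.
    let errs = vec![
        SudoError::GroupNotFound("ghosts".into()),
        SudoError::UserNotFound("#1234".into()),
        SudoError::CommandNotFound("my-script".into()),
        SudoError::NotAllowed {
            user: "root".into(),
            command: "/bin/true".into(),
            target: "root".into(),
        },
        SudoError::Configuration("/etc/sudoers is world writable".into()),
        SudoError::AuthFailed,
    ];
    for e in &errs {
        println!("debug:   {}", debug_message(e));
        println!("display: {}", user_message(e));
    }
}
```

The design point is that `Display` is the contract with the end user and `Debug` is for developers; a `#[derive(Debug)]` error that reaches `main` via `?` and is printed with `{:?}` leaks variant names and quoted strings, which is exactly the "looks like debug representation" symptom noted in the list.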

Note: error messages are still a bit messy, e.g. extra quotes around

sudo-rs: `"foo"': command not found

squell avatar May 16 '23 12:05 squell