sudoers: double negation via User_Alias does not work as expected
relevant test
https://github.com/memorysafety/sudo-rs/blob/6825e1234323da82c804a58214266db9b035eb6e/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs#L207-L238
given the above sudoers file
sudo-rs: sudo true as ghost fails with Error: Authentication("no permission")
ogsudo: that operation works
I've consulted with "upstream" about this issue.
If it turns out that this special interpretation of negation is an important feature of aliases, I think we can implement it, after doing the topological sort of aliases we already do (i.e. without having to do it recursively), by just substituting the alias mentions in the abstract syntax tree (distributing the negations over the elements of the alias definition if necessary).
And then we should document it clearly in the user-facing documentation.
Forgot to report back on this issue: Todd thinks our behaviour is reasonable here (and unlikely to have an impact on real-world sudoers files). I think the proper fix here is to not change our alias implementation but emit diagnostics when an alias is made which has a negation that is not preceded by ALL (i.e. something like "this negation is probably ignored").
There is a snag, e.g.
User_Alias FOO = !ghost
ALL, FOO host = ALL
Would allow everybody except ghost to run something in ogsudo, but would allow everyone to run a command using sudo-rs. So probably the safest/simplest way is to implement sudo's alias handling.
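The difference discussed in this thread, as an added example that is not code from sudo or sudo-rs: two simplified models of user-list matching, one where an alias hands an allow/deny verdict to the list that mentions it, and one where an alias only answers "is the user a member". Both models, their names, the `!FOO` rule and the user `ferris` are assumptions, chosen to reproduce the outcomes reported above.

```rust
// Added illustration: two simplified models of user-list matching.
// Not code from sudo or sudo-rs; all names are hypothetical.
#[derive(Clone, Copy)]
enum Item {
    All,
    User(&'static str),
    Alias, // a mention of the single alias FOO
}
type Spec = (bool, Item); // (negated, item)

// Tri-state, last match wins: Some(true) = allow, Some(false) = deny,
// None = no opinion. An alias passes its own allow/deny verdict upward.
fn tristate(list: &[Spec], alias: &[Spec], user: &str) -> Option<bool> {
    list.iter().rev().find_map(|&(neg, item)| {
        let verdict = match item {
            Item::All => Some(true),
            Item::User(u) => (u == user).then_some(true),
            Item::Alias => tristate(alias, &[], user),
        };
        verdict.map(|v| v != neg)
    })
}

// Set membership: an alias only answers "is the user in it?", so a
// negation inside the alias cannot deny anything outside it.
fn set_based(list: &[Spec], alias: &[Spec], user: &str) -> bool {
    list.iter().rev().find_map(|&(neg, item)| {
        let hit = match item {
            Item::All => true,
            Item::User(u) => u == user,
            Item::Alias => set_based(alias, &[], user),
        };
        hit.then_some(!neg)
    }).unwrap_or(false)
}

fn main() {
    let foo = [(true, Item::User("ghost"))]; // User_Alias FOO = !ghost
    let snag = [(false, Item::All), (false, Item::Alias)]; // ALL, FOO
    let double = [(true, Item::Alias)]; // !FOO (constructed rule)
    for user in ["ghost", "ferris"] { // "ferris" is a constructed user
        println!("{}: ALL,FOO tri={:?} set={} | !FOO tri={:?} set={}", user,
            tristate(&snag, &foo, user), set_based(&snag, &foo, user),
            tristate(&double, &foo, user), set_based(&double, &foo, user));
    }
}
```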