Closed ivan3182 closed 3 years ago
Thanks for the report, this is indeed a bug and this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016), this used to be the default behavior but should have been correctly changed in 2019.
One nuance about this is that the users PATH
will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel
, PATH=~/bin doas foo
will execute foo
from ~/bin
.
If the rule limits the execution to a specific command then the "safe" PATH is used, permit :wheel cmd foo
would not execute ~/bin/foo
(in this case the reset the PATH variable was already correct before this fix).
This means before the fix, users who only had access to execute a specific command were not able to execute other command through a "unsafe" PATH.
Users who were allowed to execute anything could change PATH to execute more things from PATH.
This has been fixed in https://github.com/Duncaen/OpenDoas/commit/d5acd52e2a15c36a8e06f9103d35622933aa422d.
If you want to be credited in the CVE as Discoverer, please tell me a name and I will request an update for the CVE.
After the fix (OpenDoas 6.8.1) it is possible to execute script from ~/.local/bin
even though it is not in path
Is this intentional?
user@gentoo ~
> $ cat /etc/doas.conf
permit :wheel
user@gentoo ~
> $ cat /home/user/.local/bin/check-doas.sh
#!/bin/bash
whoami
echo "${PATH}"
user@gentoo ~
> $ check-doas.sh
user
/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin
user@gentoo ~
> $ doas env | grep ^PATH
doas (user@gentoo) password:
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
user@gentoo ~
> $ doas check-doas.sh
doas (user@gentoo) password:
root
/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
on OpenBSD it says doas: check-doas.sh: command not found
Yes that is how it works for rules that allow a user to execute any command (permit :wheel
), in this case the executing users PATH
is used.
For rules that allow to execute only specific commands (permit :wheel cmd check-doas.sh
), the default path is used.
This is exactly how it works in the original doas and also in sudo.
on OpenBSD it says doas: check-doas.sh: command not found
Then you did not add ~/.local/bin
to your PATH
.
OpenDoas version: 6.8 System: Gentoo, Debian 10 /etc/doas.conf content:
permit :wheel
man doas says that variable PATH is set to value appropriate for the target user, but current value preserves:
expected value: