sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Empty Runas_Spec: root or runas_default #186

Closed aayla-secura closed 1 year ago

aayla-secura commented 1 year ago

The man page says:

If both Runas_Lists are empty, the command may only be run as the invoking user and the group, if specified, must be one that the invoking user is a member of. If no Runas_Spec is specified, the command may only be run as root and the group, if specified, must be one that root is a member of.

Also regarding runas_default it says:

runas_default The default user to run commands as if the -u option is not specified on the command line. This defaults to root.

The way I understand it is that runas_default has no effect on Runas_Spec, but merely sets the default value of -u when sudo is invoked, and that an empty Runas_Spec allows running as root in any case.

What I'm seeing though is that a missing Runas_Spec actually allows running the command as runas_default:

Defaults runas_default="ubuntu"
test ALL = /norunas
test ALL = () /emptyrunas
test ALL = (:) /emptyrunas2

results in:

User test may run the following commands on ip-172-31-44-38:
    (ubuntu) /norunas
    (test) /emptyrunas
    (test) /emptyrunas2

Is the man page incorrect or is this a bug?

millert commented 1 year ago

That is the intended behavior; the manual should state that runas_default sets the default when no Runas_Spec is specified.

millert commented 1 year ago

Fixed by d744271
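
The behaviour confirmed in this thread, as an added example (not part of the issue or of the sudo project's code): a simplified resolver that reports which user each sudoers rule runs as, so rules that silently inherit runas_default show up in a review. It assumes one command per rule and only global Defaults lines; effective_runas and both regexes are hypothetical names, and the sample input is the fragment from the issue.

```python
import re

# Constructed sample: the sudoers lines quoted in the issue.
SAMPLE = '''\
Defaults runas_default="ubuntu"
test ALL = /norunas
test ALL = () /emptyrunas
test ALL = (:) /emptyrunas2
'''

DEFAULTS_RE = re.compile(r'^Defaults\s+runas_default\s*=\s*"?([^"\s,]+)"?')
# user host = [(runas_users[:runas_groups])] command   (simplified grammar)
RULE_RE = re.compile(
    r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^):]*)(?::([^)]*))?\)\s*)?(.+)$')


def effective_runas(sudoers_text):
    """Return [(user, command, runas_user, reason)] for simple rules."""
    lines = [l.strip() for l in sudoers_text.splitlines()]
    # Simplification: skips comments and #include-style directives alike.
    lines = [l for l in lines if l and not l.startswith('#')]
    runas_default = 'root'  # documented default when the option is unset
    for line in lines:
        m = DEFAULTS_RE.match(line)
        if m:
            runas_default = m.group(1)  # last global setting wins here
    results = []
    for line in lines:
        m = None if line.startswith('Defaults') else RULE_RE.match(line)
        if not m:
            continue
        user, _host, r_users, r_groups, command = m.groups()
        if r_users is None:
            # No Runas_Spec at all: runas_default applies, not always root.
            results.append((user, command, runas_default, 'no Runas_Spec'))
        elif not r_users.strip() and not (r_groups or '').strip():
            # "()" or "(:)": both Runas_Lists empty, invoking user only.
            results.append((user, command, user, 'empty Runas_Spec'))
        else:
            # Group-only spec such as "(:grp)" also runs as the invoking user.
            results.append((user, command, r_users.strip() or user, 'explicit'))
    return results


if __name__ == '__main__':
    for user, command, runas, reason in effective_runas(SAMPLE):
        print(f'{user}: ({runas}) {command}  [{reason}]')
```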