sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Default user changed without warning #290

Closed rodrigorc closed 1 year ago

rodrigorc commented 1 year ago

Hi! I recently upgraded from sudo 1.9.13.p3 to 1.9.14.p1 on my ArchLinux system, and the default user for sudo changed automatically from root to my regular user rodrigo. That is, when I run sudo -i it used to start a root shell; now it starts a rodrigo shell, which is quite useless. The obvious workaround (after I panicked and thought I had a rootkit, and recovered) is to run sudo -i -u root.

I've checked my customized configuration and it all comes down to this custom rule in my sudoers.d subdir:

ALL ALL=(:mygroup) NOPASSWD: ALL

I changed it to:

ALL ALL=(ALL:mygroup) NOPASSWD: ALL

and everything is back to normal. So no real harm done.

I'm opening this issue for the benefit of others who may encounter this. Is it a bug? A fix of a pre-existing bug? Or a subtle change in the intended behavior? I checked the changelogs and saw nothing about this.

rodrigorc commented 1 year ago

Now, writing:

ALL ALL=(ALL:mygroup) NOPASSWD: ALL

allows me to run any command as root without a password, which is not good! I could change it to:

ALL ALL=(rodrigo:mygroup) NOPASSWD: ALL

but that means that any user can run any command as rodrigo without a password, which is not my intention. I would like any user to be able to run a command as group mygroup but with their own uid.

millert commented 1 year ago

Thanks for your report. A bug was introduced in sudo 1.9.14 where a line like:

ALL ALL=(:mygroup) NOPASSWD: ALL

can match if no user was explicitly specified on the command line (e.g. sudo -u), overriding an earlier rule. I'm investigating it now and should have a new sudo release out with a fix early next week.

In the meantime, you should be able to work around the problem by changing the order of the sudoers rules. Since sudo takes the last match, if the above rule is parsed before a rule like:

rodrigo ALL = ALL

then the later rule will be the one that matches.

rodrigorc commented 1 year ago

Thanks @millert for the quick answer!

I moved the line for the wheel group:

%wheel ALL=(ALL:ALL) ALL

to the very end of the sudoers file, and it works fine again.
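To make the last-match semantics that millert describes (and the reordering workaround rodrigorc applied) concrete, here is a small Python model added for this page. It is not sudo's own matching code, nor code from the reporter or maintainer: it evaluates the three sudoers entries quoted in the thread under a deliberately reduced model of rule matching. The "buggy" branch reproduces only what the thread states about 1.9.14 (a "(:mygroup)" entry matches whenever no -u is given); the non-buggy branch follows the documented sudoers semantics as I understand them (the group-only form matches only when a listed group is requested with -g, and the command keeps the invoker's uid), which is an assumption of the model rather than something the issue spells out. Group membership for the sample users is constructed.

```python
"""Reduced model of sudoers rule matching: the LAST matching entry wins.

Added illustration for the issue above; this is not sudo's implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One sudoers entry, reduced to the parts that matter here.

    users:        User_List, e.g. "ALL", "rodrigo", "%wheel"
    runas_users:  user part of the Runas_Spec; [] for the "(:mygroup)" form
    runas_groups: group part of the Runas_Spec; [] when no group is listed
    nopasswd:     whether the NOPASSWD: tag is present
    """
    users: List[str]
    runas_users: List[str]
    runas_groups: List[str]
    nopasswd: bool = False


@dataclass
class Request:
    """An invocation: who ran sudo, their groups, and any -u / -g given."""
    user: str
    groups: Tuple[str, ...]
    runas_user: Optional[str] = None    # value of -u, None if absent
    runas_group: Optional[str] = None   # value of -g, None if absent


def _user_matches(spec: str, req: Request) -> bool:
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in req.groups
    return spec == req.user


def _in(spec_list: List[str], name: str) -> bool:
    return "ALL" in spec_list or name in spec_list


def rule_matches(rule: Rule, req: Request, buggy: bool) -> bool:
    if not any(_user_matches(s, req) for s in rule.users):
        return False
    if not rule.runas_users:
        # "(:mygroup)" form.  The issue says 1.9.14 let this match whenever
        # no -u was given.  Otherwise (assumed documented semantics) it only
        # matches when a listed group was requested with -g, and the command
        # runs with the invoker's own uid.
        if buggy:
            return req.runas_user is None
        return (req.runas_group is not None
                and _in(rule.runas_groups, req.runas_group)
                and req.runas_user in (None, req.user))
    target = req.runas_user or "root"   # runas_default is root
    if not _in(rule.runas_users, target):
        return False
    if req.runas_group is not None:
        return _in(rule.runas_groups, req.runas_group)
    return True


def resolve(rules: List[Rule], req: Request, buggy: bool = False) -> Optional[Tuple[str, bool]]:
    """Return (effective runas user, nopasswd) from the LAST matching rule, or None."""
    result = None
    for rule in rules:
        if rule_matches(rule, req, buggy):
            effective = req.user if not rule.runas_users else (req.runas_user or "root")
            result = (effective, rule.nopasswd)
    return result


# The entries quoted in the thread.
WHEEL       = Rule(["%wheel"], ["ALL"], ["ALL"])                    # %wheel ALL=(ALL:ALL) ALL
GROUP_ONLY  = Rule(["ALL"], [], ["mygroup"], nopasswd=True)         # ALL ALL=(:mygroup) NOPASSWD: ALL
ALL_MYGROUP = Rule(["ALL"], ["ALL"], ["mygroup"], nopasswd=True)    # ALL ALL=(ALL:mygroup) NOPASSWD: ALL

ORIGINAL_ORDER = [WHEEL, GROUP_ONLY]   # wheel rule in sudoers, custom rule in sudoers.d after it
REORDERED      = [GROUP_ONLY, WHEEL]   # workaround: wheel rule moved to the very end

# Constructed sample invocations; "rodrigo" is assumed to be in wheel.
ROOT_SHELL = Request("rodrigo", ("wheel", "users"))                          # sudo -i
GROUP_CMD  = Request("rodrigo", ("wheel", "users"), runas_group="mygroup")   # sudo -g mygroup cmd

if __name__ == "__main__":
    print("1.9.14 bug, original order:", resolve(ORIGINAL_ORDER, ROOT_SHELL, buggy=True))
    print("1.9.14 bug, wheel last:    ", resolve(REORDERED, ROOT_SHELL, buggy=True))
    print("fixed, original order:     ", resolve(ORIGINAL_ORDER, ROOT_SHELL))
    print("fixed, sudo -g mygroup:    ", resolve(ORIGINAL_ORDER, GROUP_CMD))
    print("(ALL:mygroup) variant:     ", resolve([WHEEL, ALL_MYGROUP], ROOT_SHELL))
```

With the 1.9.14 behaviour the model returns a rodrigo shell with NOPASSWD for sudo -i when the group-only entry comes last, and root once the %wheel entry is moved after it; it also shows why the (ALL:mygroup) variant is worse, since it makes sudo -i match as root with NOPASSWD. On a real system, check which entry actually wins with sudo -l (or sudo -l -U user as root), and syntax-check an edited fragment with visudo -c -f file before installing it.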

millert commented 1 year ago

Closing this now that sudo 1.9.14p2 is out.