Sudo on Solaris since 1.9.14p2 does not support PRIVS

sudo-project / sudo

Utility to execute a command as another user

https://www.sudo.ws

Other

1.2k stars 224 forks source link

Sudo on Solaris since 1.9.14p2 does not support PRIVS #336

Closed vlmarek closed 11 months ago

vlmarek commented 11 months ago

Before https://github.com/sudo-project/sudo/commit/db704c22ec248c871907cfd966091a28332e1d0f.patch This works:

$ useradd -b /var/tmp -m -s /bin/bash luser

/etc/sudoers:
luser ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash

$ sudo -u luser sudo bash -c 'id; ppriv $$'
uid=100(luser) gid=10(staff)
17186:  ppriv 17186
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: basic,dtrace_kernel,dtrace_proc,dtrace_user

With the change noted above:

$ sudo -u luser sudo bash -c 'id; ppriv $$'
Password:
sudo: a password is required

And neither works

$ sudo su - luser
$ sudo ppriv $$
Password: 
sudo: a password is required

I have to say I don't understand the code yet, but maybe it is something "obvious" for you?

Thank you __ Vlad

millert commented 11 months ago

Sorry, but it was never intended to work that way. Since sudo runs commands by root as default, you need to explicitly specify the user to run a command as a user other than root, even the current user. The previous behavior was a bug. The correct usage would be:

$ sudo -u luser bash -c 'id; ppriv $$'

However, I just discovered a different bug introduced in sudo 1.9.15 that prevents Solaris privs from being applied. That bug is fixed by de242c57388b1c7f319010708799153b930bfd55.

vlmarek commented 11 months ago

Thank you for quick reply! I admit that the command line is not how someone would use sudo in real life. But if I understand correctly you say that running just sudo to get elevated (Solaris) privileges is not supported. In an example:

$ id -a
uid=100(luser) gid=10(staff) groups=10(staff)

# Here sudo does not give me privileges:
$ sudo bash -c 'id; ppriv $$'
Password: 

# But here specifying "-u luser" even though I am luser it does:
$ sudo -u luser bash -c 'id; ppriv $$'
uid=100(luser) gid=10(staff)
14538:  ppriv 14538
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: basic,dtrace_kernel,dtrace_proc,dtrace_user

If that is so then I misunderstood it and I am sorry about it. And this bug can be closed. Or do you say this is what the second fix you have just done is about? I will retest it.

Many thanks! __ Vlad

millert commented 11 months ago

Yes, that is correct. This command:

$ sudo bash -c 'id; ppriv $$'

is equivalent to:

$ sudo -u root bash -c 'id; ppriv $$'

So you need to run

sudo -u luser bash -c 'id; ppriv $$'

even if you are already luser.