December 6, 2009
A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that caused the
negation operator to have no effect when used in a Cmnd_Alias.
Sudo versions affected:
1.7.0 through 1.7.2p1 inclusive.
Sudo uses the Cmnd_Alias syntax for named groups of commands in the
sudoers file. The Cmnd_Alias is expanded when command matching is
performed as sudo checks whether a user is allowed to run a particular
command.
There is a flaw in the code that matches lists of commands where the
negation operator was applied twice, so that the two negations cancel
each other out. This can result in a command being allowed that was
intended to be explicitly disallowed.
For example, given the following sudoers entries:

    Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
    millert ALL = PASSWORD

User millert should not be allowed to change root's password.
However, due to the bug, running either "sudo passwd root"
or "sudo passwd"
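As an added illustration, not taken from the advisory or from sudo's own source, the following Python model shows how a sudoers command list such as the PASSWORD alias above is evaluated: entries are checked from the last one backwards, the first entry that applies decides, and an applying "!" entry denies. The double_negate flag models the flaw described above, where the negation is applied a second time in the list loop and cancels itself. The tuple encoding of entries and the is_permitted helper are this example's own, and argument patterns are matched with fnmatch as an approximation of sudo's glob matching.

```python
from fnmatch import fnmatchcase

# Constructed model of the PASSWORD Cmnd_Alias from the advisory.
# An entry is (negated, path, argspec): argspec None means any arguments,
# "" means the command must be run with no arguments, anything else is a
# glob matched against the user's arguments joined by spaces.
PASSWORD = [
    (False, "/usr/bin/passwd", "[A-Za-z0-9]*"),
    (True,  "/usr/bin/passwd", "root"),
    (True,  "/usr/bin/passwd", ""),
]


def entry_applies(entry, path, args):
    """True if the entry's command path and argument pattern match the request."""
    _negated, spec_path, argspec = entry
    if spec_path != path:
        return False
    if argspec is None:
        return True
    joined = " ".join(args)
    if argspec == "":
        return joined == ""
    return fnmatchcase(joined, argspec)


def cmnd_matches(entry, path, args):
    """Decision for one entry: None if it does not apply, otherwise the
    allow/deny result with the entry's negation already applied."""
    if not entry_applies(entry, path, args):
        return None
    return not entry[0]


def cmndlist_matches(entries, path, args, double_negate=False):
    """Walk the list from the end; the first applying entry decides.
    double_negate=True reproduces the 1.7.0-1.7.2p1 behaviour in this model:
    a negated entry is negated again, so '!' has no effect."""
    for entry in reversed(entries):
        decision = cmnd_matches(entry, path, args)
        if decision is None:
            continue
        if double_negate and entry[0]:
            decision = not decision
        return decision
    return None  # nothing applies: sudo does not permit the command


def is_permitted(entries, path, args, double_negate=False):
    return cmndlist_matches(entries, path, args, double_negate) is True
```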
Users that should be allowed to run a limited set of commands may
be able to run unauthorized commands.
The bug is fixed in sudo 1.7.2p2.