Negation within a Cmnd_Alias not honored

Release Date:

December 6, 2009

Summary:

A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that causes the negation operator to have no effect when used in a Cmnd_Alias.

Sudo versions affected:

1.7.0 through 1.7.2p1 inclusive.

Details:

Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. A Cmnd_Alias is expanded when command matching is performed, as sudo checks whether a user is allowed to run a particular command. There is a flaw in the code that matches lists of commands: the negation operator was applied twice, so it had no effect. This can result in a command being allowed that was intended to be explicitly disallowed. For example, given the following sudoers file fragment:

Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""

millert ALL = PASSWORD

User millert should not be allowed to change root's password. However, due to the bug, running either sudo passwd root or sudo passwd would succeed.
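As an added illustration (this is not sudo's own code), the following Python model applies the intended sudoers semantics to the fragment above: entries in a command list are tried in order, a leading ! negates an entry, and the last match wins, so the negated entries deny passwd root and passwd with no arguments. It assumes a heavily simplified sudoers (no host or runas matching, the command given as a full path, and arguments matched as one fnmatch string).

```python
import fnmatch
import shlex
# Constructed from the advisory's fragment; a real sudoers file has far more syntax.
SUDOERS = """
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
millert ALL = PASSWORD
"""

def parse(text):
    """Return (aliases, rules): Cmnd_Alias name -> entries and user -> entries."""
    aliases, rules = {}, {}
    for line in text.strip().splitlines():
        if line.startswith("Cmnd_Alias"):
            name, body = line[len("Cmnd_Alias"):].split("=", 1)
            aliases[name.strip()] = [e.strip() for e in body.split(",")]
        else:
            spec, body = line.split("=", 1)
            rules[spec.split()[0]] = [e.strip() for e in body.split(",")]  # host field ignored
    return aliases, rules

def expand(entries, aliases):
    """Flatten alias references into (negated, command, argspec) tuples, in order."""
    out = []
    for entry in entries:
        negated, entry = entry.startswith("!"), entry.lstrip("!")
        if entry in aliases:
            # Negating an alias inverts every entry it contains.
            out.extend((negated != n, c, a) for n, c, a in expand(aliases[entry], aliases))
        else:
            cmd, *argspec = shlex.split(entry)
            out.append((negated, cmd, argspec))
    return out

def args_match(argspec, args):
    if not argspec:          # no argument pattern: any arguments are accepted
        return True
    if argspec == [""]:      # sudoers "" means the command must be run with no arguments
        return not args
    return fnmatch.fnmatchcase(" ".join(args), " ".join(argspec))

def allowed(user, argv, sudoers=SUDOERS):
    """Decide whether user may run argv (argv[0] fully qualified): last matching entry wins."""
    aliases, rules = parse(sudoers)
    decision = False
    for negated, cmd, argspec in expand(rules.get(user, []), aliases):
        if cmd == argv[0] and args_match(argspec, argv[1:]):
            decision = not negated
    return decision
```

With the negation honored, allowed("millert", ["/usr/bin/passwd", "root"]) is False while a non-root target such as alice is permitted; on an affected sudo, a comparable check with sudo -l would show the root case permitted as well.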

Impact:

Users that should be allowed to run a limited set of commands may be able to run unauthorized commands.

Fix:

The bug is fixed in sudo 1.7.2p2.