Negation within a Cmnd_Alias not honored
A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that caused the negation operator to have no effect when used in a Cmnd_Alias.
Sudo versions affected: 1.7.0 through 1.7.2p1 inclusive.
Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed, as sudo checks whether a user is allowed to run a particular command.
There is a flaw in the code that matches lists of commands where the negation operator was applied twice. This can result in a command being allowed that was intended to be explicitly disallowed. For example, given the following sudoers file fragment:
Cmnd_Alias PASSWORD = /usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""
millert ALL = PASSWORD
User millert should not be allowed to change root's password. However, due to the bug, running either sudo passwd root or sudo passwd (with no arguments) would succeed.
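To make the matching rule concrete, here is an added example (written for this page, not code from the sudo project) that models how a command list such as the PASSWORD alias above is evaluated. It assumes the documented sudoers semantics for command lists: entries are checked in order, the last entry that matches the requested command decides, a match on a "!" entry denies, a trailing "" means the command must be run with no arguments, and argument patterns are shell-style globs. A `buggy` flag reproduces the advisory's failure mode, in which the negation is applied twice and therefore cancels out. Names such as `parse_cmnd_list` and `command_allowed` are this example's own; it is a simplified model, not sudo's parser, and covers only the constructs used in the fragment.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CmndSpec:
    """One entry of a sudoers command list, e.g. '!/usr/bin/passwd root'."""
    negated: bool
    path: str
    # None: any arguments match; "": the command must be given no arguments;
    # otherwise a glob pattern that the joined argument string must match.
    args: Optional[str]


def parse_cmnd_list(spec: str) -> List[CmndSpec]:
    """Parse 'path [args], !path [args], ...' into CmndSpec entries (example parser)."""
    entries = []
    for raw in spec.split(","):
        raw = raw.strip()
        negated = raw.startswith("!")
        raw = raw.lstrip("!").strip()
        path, _, args = raw.partition(" ")
        args = args.strip()
        if args == "":
            arg_spec = None      # no pattern given: any arguments are accepted
        elif args == '""':
            arg_spec = ""        # explicit "" in sudoers: no arguments allowed
        else:
            arg_spec = args      # glob pattern over the argument string
        entries.append(CmndSpec(negated, path, arg_spec))
    return entries


def entry_matches(entry: CmndSpec, path: str, argv: List[str]) -> bool:
    """Does a single list entry match the requested command and arguments?"""
    if entry.path != path:
        return False
    if entry.args is None:
        return True
    joined = " ".join(argv)
    if entry.args == "":
        return joined == ""
    return fnmatch.fnmatchcase(joined, entry.args)


def command_allowed(entries: List[CmndSpec], path: str, argv: List[str],
                    buggy: bool = False) -> bool:
    """Evaluate the list: the last matching entry decides, '!' entries deny.

    With buggy=True the negation is applied twice (the flaw in sudo 1.7.0
    through 1.7.2p1), so a matching '!' entry behaves like an allow entry.
    """
    allowed = False
    for entry in entries:
        if entry_matches(entry, path, argv):
            allowed = True if buggy else not entry.negated
    return allowed


# The fragment from the advisory, reused as sample input.
PASSWORD_ALIAS = '/usr/bin/passwd [A-Za-z0-9]*, !/usr/bin/passwd root, !/usr/bin/passwd ""'
PASSWORD = parse_cmnd_list(PASSWORD_ALIAS)


def evaluate_fragment(buggy: bool = False) -> dict:
    """Check the three requests discussed in the advisory against the alias."""
    return {
        "passwd alice": command_allowed(PASSWORD, "/usr/bin/passwd", ["alice"], buggy),
        "passwd root": command_allowed(PASSWORD, "/usr/bin/passwd", ["root"], buggy),
        "passwd (no args)": command_allowed(PASSWORD, "/usr/bin/passwd", [], buggy),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("buggy matcher" if mode else "correct matcher")
        for request, verdict in evaluate_fragment(buggy=mode).items():
            print(f"  {request:18s} -> {'ALLOW' if verdict else 'deny'}")
```

Run stand-alone, the correct matcher allows only `passwd alice` and denies both `passwd root` and `passwd` with no arguments, while the buggy matcher allows all three, which is exactly the behaviour the advisory describes. After upgrading, `sudo -l` for the affected user is the quickest real-world check that negated entries are honoured.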
Users that should be allowed to run a limited set of commands may be able to run unauthorized commands.
The bug is fixed in sudo 1.7.2p2.