author | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-03-03 11:12:18 -0700 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-03-03 11:12:18 -0700 |
commit | 8f387cb9b281a4f9ba68252f0ded3b00ea042593 (patch) | |
tree | f22e815ced33b4ecb39c0f11bd7c01901206de10 | |
parent | 9f716b2043d8e89fc78230cc4afe0aa29610d6c4 (diff) | |
Fix "sudo -l command args", broken in sudo 1.9.13.
The value of user_args should not contain the command to be run in
"sudo -l command args", only the arguments of the command being checked.
This restores the pre-1.9.13 behavior. GitHub issue #249
-rw-r--r-- | plugins/sudoers/logging.c | 6 | ||||
-rw-r--r-- | plugins/sudoers/parse.c | 4 | ||||
-rw-r--r-- | plugins/sudoers/sudoers.c | 9 |
3 files changed, 13 insertions, 6 deletions
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index d427064c3..2518e9722 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -322,9 +322,9 @@ log_denial(int status, bool inform_user)
 "sudo on %s.\n"), user_name, user_srunhost);
 } else {
 sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed "
- "to execute '%s%s%s' as %s%s%s on %s.\n"),
- user_name, user_cmnd, user_args ? " " : "",
- user_args ? user_args : "",
+ "to execute '%s%s%s%s' as %s%s%s on %s.\n"),
+ user_name, user_cmnd, list_cmnd ? list_cmnd : "",
+ user_args ? " " : "", user_args ? user_args : "",
 list_pw ? list_pw->pw_name : runas_pw ? runas_pw->pw_name : user_name, runas_gr ? ":" : "", runas_gr ? runas_gr->gr_name : "", user_host);
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index df5405709..ec1e2a09a 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -1067,8 +1067,8 @@ display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
 break;
 }
 if (match == ALLOW) {
- /* For "sudo -l cmd" user_args includes the command being checked. */
- const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", user_args);
+ const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n",
+ list_cmnd, user_args ? " " : "", user_args ? user_args : "");
 ret = len < 0 ? -1 : true;
 }
 debug_return_int(ret);
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 9ae5f96c6..db659868e 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -1079,7 +1079,14 @@ set_cmnd(void)
 /* set user_args */
 free(user_args);
 user_args = NULL;
- if (NewArgc > 1) {
+ if (ISSET(sudo_mode, MODE_CHECK)) {
+ if (NewArgc > 2) {
+ /* Skip the command being listed in NewArgv[1]. */
+ user_args = strvec_join(NewArgv + 2, ' ', NULL);
+ if (user_args == NULL)
+ debug_return_int(NOT_FOUND_ERROR);
+ }
+ } else if (NewArgc > 1) {
 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) && ISSET(sudo_mode, MODE_RUN)) {
 /* |
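Review bot: In log_denial() (plugins/sudoers/logging.c) the new argument list puts `user_cmnd` and `list_cmnd` into adjacent `%s` slots with no separator, whereas the arguments are preceded by `user_args ? " " : ""`. Unless user_cmnd already ends in a space whenever list_cmnd is set (not visible in this hunk), the denial message would run the two strings together, which makes it harder to read and to match on. If that is not guaranteed, add one more `%s` to the format and pass `list_cmnd ? " " : ""` ahead of `list_cmnd ? list_cmnd : ""`. The enclosing function starts and ends outside the hunk.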
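Review bot: In display_cmnd() (plugins/sudoers/parse.c) `list_cmnd` is handed to `%s` unguarded, while the log_denial() hunk of this same commit writes `list_cmnd ? list_cmnd : ""`. A null pointer for `%s` is undefined behaviour in printf-style formatting, so either the guard belongs here too or it is redundant there. If display_cmnd() can only be reached with list_cmnd set (plausible for "sudo -l command", but the caller is outside the hunk), record that in a comment replacing the one this hunk removes, e.g. `/* list_cmnd is always set here; user_args holds only its arguments. */`; otherwise pass `list_cmnd ? list_cmnd : ""`.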
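Review bot: The MODE_CHECK branch added to set_cmnd() (plugins/sudoers/sudoers.c) hard-codes the offset `NewArgv + 2`, and the diffstat lists only the three source files, so nothing pins this behaviour although the commit message describes it as a regression introduced in 1.9.13. Per the commit message user_args is what gets checked for "sudo -l command args", so an off-by-one in this branch changes which arguments are evaluated; a regression test covering the command with zero, one and several arguments would catch a repeat. The existing comment could also spell out the full layout it relies on, e.g. `/* NewArgv[1] is the command being listed, NewArgv[2..] are its arguments. */`. set_cmnd() starts and ends outside the hunk.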