From: Todd C. Miller Date: Fri, 7 Aug 2015 18:21:37 +0000 (-0600) Subject: Emphasize that wildcards in command line arguments are dangerous. X-Git-Tag: SUDO_1_8_15^2~91 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=329a8dee8aa52f53ea903456dc7c34b1b2a98fbe;p=sudo Emphasize that wildcards in command line arguments are dangerous. Document the failings of the passwd example on GNU systems. Bug #691 --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 1abbd9b5c..4f5dabad3 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -698,7 +698,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT Would match any file name beginning with a letter. Note that a forward slash (`/') will nnoott be matched by wildcards used in - the path name. This is to make a path like: + the file name portion of the command. This is to make a path like: /usr/bin/* @@ -708,10 +708,10 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT matched by wildcards since command line arguments may contain arbitrary strings and not just path names. - Wildcards in command line arguments should be used with care. Because - command line arguments are matched as a single, concatenated string, a - wildcard such as `?' or `*' can match multiple words. For example, while - a sudoers entry like: + WWiillddccaarrddss iinn ccoommmmaanndd lliinnee aarrgguummeennttss sshhoouulldd bbee uusseedd wwiitthh ccaarree.. + Command line arguments are matched as a single, concatenated string. + This mean a wildcard such as `?' or `*' will match _m_u_l_t_i_p_l_e words. For + example, while a sudoers entry like: %operator ALL = /bin/cat /var/log/messages* 
@@ -2112,8 +2112,16 @@ EEXXAAMMPPLLEESS with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). The user ppeettee is allowed to change anyone's password except for root on - the _H_P_P_A machines. Note that this assumes passwd(1) does not take - multiple user names on the command line. + the _H_P_P_A machines. Because command line arguments are matched as a + single, concatenated string, the `*' wildcard will match _m_u_l_t_i_p_l_e words. + This example assumes that passwd(1) does not take multiple user names on + the command line. Note that on GNU systems, options to passwd(1) may be + specified after the user argument. As a result, this rule will also + allow: + + passwd username --expire + + which may not be desirable. bob SPARC = (OP) ALL : SGI = (OP) ALL diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 1da7ac75c..745310006 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1519,7 +1519,7 @@ Note that a forward slash will \fBnot\fR be matched by -wildcards used in the path name. +wildcards used in the file name portion of the command. This is to make a path like: .nf .sp @@ -1538,13 +1538,16 @@ When matching the command line arguments, however, a slash get matched by wildcards since command line arguments may contain arbitrary strings and not just path names. .PP -Wildcards in command line arguments should be used with care. -Because command line arguments are matched as a single, concatenated -string, a wildcard such as +\fBWildcards in command line arguments should be used with care.\fR +.br +Command line arguments are matched as a single, concatenated string. +This mean a wildcard such as \(oq\&?\(cq or \(oq*\(cq -can match multiple words. +will match +\fImultiple\fR +words. For example, while a sudoers entry like: .nf .sp 
@@ -4304,9 +4307,27 @@ is allowed to change anyone's password except for root on the \fIHPPA\fR machines. -Note that this assumes +Because command line arguments are matched as a single, +concatenated string, the +\(oq*\(cq +wildcard will match +\fImultiple\fR +words. +This example assumes that passwd(1) does not take multiple user names on the command line. +Note that on GNU systems, options to +passwd(1) +may be specified after the user argument. +As a result, this rule will also allow: +.nf +.sp +.RS 4n +passwd username --expire +.RE +.fi +.PP +which may not be desirable. .nf .sp .RS 0n diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 132959d80..d1f1f9e34 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -1418,7 +1418,7 @@ Note that a forward slash will .Sy not be matched by -wildcards used in the path name. +wildcards used in the file name portion of the command. This is to make a path like: .Bd -literal -offset 4n /usr/bin/* @@ -1434,13 +1434,18 @@ When matching the command line arguments, however, a slash get matched by wildcards since command line arguments may contain arbitrary strings and not just path names. .Pp +.Bf -symbolic Wildcards in command line arguments should be used with care. -Because command line arguments are matched as a single, concatenated -string, a wildcard such as +.Ef +.br +Command line arguments are matched as a single, concatenated string. +This mean a wildcard such as .Ql \&? or .Ql * -can match multiple words. +will match +.Em multiple +words. For example, while a sudoers entry like: .Bd -literal -offset 4n %operator ALL = /bin/cat /var/log/messages* 
@@ -3981,9 +3986,24 @@ is allowed to change anyone's password except for root on the .Em HPPA machines. -Note that this assumes +Because command line arguments are matched as a single, +concatenated string, the +.Ql * +wildcard will match +.Em multiple +words. +This example assumes that .Xr passwd 1 does not take multiple user names on the command line. +Note that on GNU systems, options to +.Xr passwd 1 +may be specified after the user argument. +As a result, this rule will also allow: +.Bd -literal -offset 4n +passwd username --expire +.Ed +.Pp +which may not be desirable. .Bd -literal bob SPARC = (OP) ALL : SGI = (OP) ALL .Ed
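Review bot: "This mean a wildcard" in the sudoers.mdoc.in hunk at @@ -1434 should read "This means a wildcard"; the same sentence is repeated verbatim in the sudoers.man.in hunk at @@ -1538 and the sudoers.cat hunk at @@ -708, so fix it once in the mdoc source and regenerate the other two so all three files stay in sync.

Review bot: the new passwd caveat in the @@ -3981 (mdoc), @@ -4304 (man) and @@ -2112 (cat) hunks ends with "which may not be desirable" but does not say what the reader should conclude; since the same hunks explain that `*` matches the whole concatenated argument string, it would help to state plainly that the rule as written grants every option passwd(1) accepts after the user name, not just the one shown, and that there is no way to exclude them with a single trailing `*`.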