From: Todd C. Miller Date: Thu, 9 Aug 2012 15:36:25 +0000 (-0400) Subject: Add a note about wildcards matching multiple words and include an X-Git-Tag: SUDO_1_8_6^2~53 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=507df9d5c13658db7b282a06520ebb55bdf8e321;p=sudo Add a note about wildcards matching multiple words and include an example. Also mention that for sudoedit, a wildcard in command line args does not match a slash. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index b1bf7b0b6..708591fb3 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -560,19 +560,43 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT Would match any file name beginning with a letter. Note that a forward slash (`/') will nnoott be matched by wildcards used in - the path name. When matching the command line arguments, however, a - slash ddooeess get matched by wildcards. This is to make a path like: + the path name. This is to make a path like: /usr/bin/* match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + When matching the command line arguments, however, a slash ddooeess get + matched by wildcards since command line arguments may contain arbitrary + strings and not just pathnames. + + Wildcards in command line arguments should be used with care. Because + command line arguments are matched as a single, concatenated string, a + wildcard such as `?' or `*' can match multiple words. For example, while + a sudoers entry like: + + %operator ALL = /bin/cat /var/log/messages* + + will allow command like: + + $ sudo cat /var/log/messages.1 + + It will also allow: + + $ sudo cat /var/log/messages /etc/shadow + + which is probaby not what was intended. + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: - "" If the empty string "" is the only command line argument in the - _s_u_d_o_e_r_s entry it means that command is not allowed to be run with - aannyy arguments. + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. + + sudoedit Command line arguments to the _s_u_d_o_e_d_i_t built-in command should + always be pathnames, so a forward slash (`/') will not be + matched by a wildcard. IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s 
@@ -1827,7 +1851,7 @@ SSEECCUURRIITTYY NNOOTTEESS on this feature as it is not universally available. SSEEEE AALLSSOO - rsh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), + ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m) CCAAVVEEAATTSS diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index a71074677..4c0ec01e6 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -1248,10 +1248,6 @@ will \fBnot\fR be matched by wildcards used in the path name. -When matching the command line arguments, however, a slash -\fBdoes\fR -get matched by -wildcards. This is to make a path like: .nf .sp @@ -1264,9 +1260,47 @@ match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR. +.PP +When matching the command line arguments, however, a slash +\fBdoes\fR +get matched by wildcards since command line arguments may contain +arbitrary strings and not just pathnames. +.PP +Wildcards in command line arguments should be used with care. +Because command line arguments are matched as a single, concatenated +string, a wildcard such as +`\&?' +or +`*' +can match multiple words. +For example, while a sudoers entry like: +.nf +.sp +.RS 4n +%operator ALL = /bin/cat /var/log/messages* +.RE +.fi +.PP +will allow command like: +.nf +.sp +.RS 4n +$ sudo cat /var/log/messages.1 +.RE +.fi +.PP +It will also allow: +.nf +.sp +.RS 4n +$ sudo cat /var/log/messages /etc/shadow +.RE +.fi +.PP +which is probaby not what was intended. .SS "Exceptions to wildcard rules" The following exceptions apply to the above rules: -.TP 6n +.TP 10n \fR\&""\fR If the empty string \fR\&""\fR 
@@ -1275,6 +1309,13 @@ is the only command line argument in the entry it means that command is not allowed to be run with \fBany\fR arguments. +.TP 10n +sudoedit +Command line arguments to the +\fIsudoedit\fR +built-in command should always be pathnames, so a forward slash +(`/') +will not be matched by a wildcard. .SS "Including other files from within sudoers" It is possible to include other \fIsudoers\fR @@ -3801,7 +3842,7 @@ ignore it. Administrators should not rely on this feature as it is not universally available. .SH "SEE ALSO" -rsh(1), +ssh(1), su(1), fnmatch(3), glob(3), diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index ddef0f0f3..1fd692a17 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -1175,10 +1175,6 @@ will .Sy not be matched by wildcards used in the path name. -When matching the command line arguments, however, a slash -.Sy does -get matched by -wildcards. This is to make a path like: .Bd -literal -offset 4n /usr/bin/* @@ -1188,9 +1184,38 @@ match .Pa /usr/bin/who but not .Pa /usr/bin/X11/xterm . +.Pp +When matching the command line arguments, however, a slash +.Sy does +get matched by wildcards since command line arguments may contain +arbitrary strings and not just pathnames. +.Pp +Wildcards in command line arguments should be used with care. +Because command line arguments are matched as a single, concatenated +string, a wildcard such as +.Ql \&? +or +.Ql * +can match multiple words. +For example, while a sudoers entry like: +.Bd -literal -offset 4n +%operator ALL = /bin/cat /var/log/messages* +.Ed +.Pp +will allow command like: +.Bd -literal -offset 4n +$ sudo cat /var/log/messages.1 +.Ed +.Pp +It will also allow: +.Bd -literal -offset 4n +$ sudo cat /var/log/messages /etc/shadow +.Ed +.Pp +which is probaby not what was intended. .Ss Exceptions to wildcard rules The following exceptions apply to the above rules: -.Bl -tag -width 4n +.Bl -tag -width 8n .It Li \&"" If the empty string .Li \&"" 
@@ -1199,6 +1224,12 @@ is the only command line argument in the entry it means that command is not allowed to be run with .Sy any arguments. +.It sudoedit +Command line arguments to the +.Em sudoedit +built-in command should always be pathnames, so a forward slash +.Pq Ql / +will not be matched by a wildcard. .El .Ss Including other files from within sudoers It is possible to include other @@ -3513,7 +3544,7 @@ ignore it. Administrators should not rely on this feature as it is not universally available. .Sh SEE ALSO -.Xr rsh 1 , +.Xr ssh 1 , .Xr su 1 , .Xr fnmatch 3 , .Xr glob 3 ,
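Review bot: "probaby" in the new sudoers.cat paragraph ("which is probaby not what was intended.") is misspelled and should be "probably"; the same typo is carried into the sudoers.man.in and sudoers.mdoc.in hunks, so it needs fixing in all three places. In the same paragraph, "will allow command like:" reads better as "will allow a command like:", again in all three files.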
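Review bot: the SEE ALSO change from rsh(1) to ssh(1) in sudoers.cat, sudoers.man.in and sudoers.mdoc.in is unrelated to the wildcard note and is not mentioned in the commit message; either add a line to the message ("Also replace rsh(1) with ssh(1) in SEE ALSO") or split it into its own commit so the history stays easy to bisect.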
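Review bot: the tag-list width is widened differently in the two sources (`.TP 10n` in sudoers.man.in versus `.Bl -tag -width 8n` in sudoers.mdoc.in) to make room for the new "sudoedit" tag; please confirm that both render with the same indentation for the "" and sudoedit entries, since the preformatted sudoers.cat is what most readers see.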
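Review bot: the new "Wildcards in command line arguments should be used with care" paragraph in sudoers.mdoc.in shows how `/bin/cat /var/log/messages*` also permits `sudo cat /var/log/messages /etc/shadow`, but it stops there without telling the administrator what to do instead; a closing sentence recommending that argument wildcards be avoided where possible, with the permitted file names listed explicitly, would make the warning actionable. The same applies to the mirrored paragraphs in sudoers.man.in and sudoers.cat.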