sudo-project/sudo

sudo -l will show info for everyone with the use of any ALL flag.


In a scenario where you have testuserA and testuserB, both in the testusers group, if you add the following line to the sudoers file, both users will be able to see the output of sudo -l -U root. Currently the documentation is slightly ambiguous about whether this should be the intended behavior, but we have customers that would rather it wasn't.

%testusers ALL = (testuserB) NOPASSWD: ALL

The behavior matches the manual, but it certainly seems better to restrict this to users with "sudo ALL" for root or for the user being listed.

Thanks

Unfortunately, this change causes a segmentation fault when sssd is in use. The problem is that the code does not check whether the list of runas users is NULL and dereferences a NULL pointer.

Some distributions (like SLES12 and SLES15) have backported this change to previous versions even of the 1.8.x variety and now suffer from this problem in environments that use sssd.

I'll work on preparing a patch to fix at least the segmentation fault, but I also think that the approach is misguided anyway. It links the right to list commands with the right to run commands, which is precisely NOT what one wants. A support person may want to be able to find out whether a user could run a command without actually being able to run it.
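To make both points in this thread concrete, here is an added example written for this page; it is a toy model in C, not sudo's own code or data structures. It implements the proposed restriction from the first comment ("may list another user's privileges only if you are that user, or hold ALL as root or as that user") and shows, side by side, the unguarded runas-list loop that faults when the list is NULL and the guarded version. Assumptions: a NULL runas list stands for a rule with no Runas_Spec (the shape the sssd backend produced here), and it falls back to root, which is what sudoers does via runas_default; the rule layout, the helper names, and the sample rules and groups are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy sudoers rule (example layout, not sudo's real struct):
 * runas == NULL models "no Runas_Spec given"; sudoers resolves that
 * to runas_default, i.e. root. */
struct rule {
    const char *user_or_group;   /* "alice" or "%testusers" */
    const char **runas;          /* NULL-terminated list, or NULL */
    bool all_commands;           /* true when the Cmnd_Spec is ALL */
};

static const char *runas_default = "root";

/* Does the rule's User_List entry match this user (by name or %group)? */
static bool user_matches(const struct rule *r, const char *user, const char **groups) {
    if (r->user_or_group[0] == '%') {
        for (; *groups; groups++)
            if (strcmp(*groups, r->user_or_group + 1) == 0) return true;
        return false;
    }
    return strcmp(r->user_or_group, user) == 0;
}

/* The fault described above: iterating the runas list without checking
 * for NULL. Calling this on a NULL-runas rule dereferences NULL. */
bool runas_contains_unguarded(const struct rule *r, const char *who) {
    for (const char **p = r->runas; *p; p++)
        if (strcmp(*p, who) == 0) return true;
    return false;
}

/* Guarded version: a missing Runas_Spec means runas_default. */
bool runas_contains(const struct rule *r, const char *who) {
    if (r->runas == NULL)
        return strcmp(who, runas_default) == 0;
    for (const char **p = r->runas; *p; p++)
        if (strcmp(*p, who) == 0) return true;
    return false;
}

/* May `user` run `sudo -l -U target`? Listing yourself is always allowed;
 * otherwise some rule must grant `user` ALL as root or ALL as `target`. */
bool may_list(const struct rule *rules, size_t n, const char *user,
              const char **groups, const char *target) {
    if (strcmp(user, target) == 0) return true;
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (!r->all_commands || !user_matches(r, user, groups)) continue;
        if (runas_contains(r, "root") || runas_contains(r, target)) return true;
    }
    return false;
}

/* Constructed sample policy: the thread's line, an sssd-style rule with no
 * runas list, and a rule that is not ALL. */
static const char *runas_testuserB[] = { "testuserB", NULL };
static const char *runas_root[]      = { "root", NULL };
const struct rule demo_rules[] = {
    { "%testusers", runas_testuserB, true  },   /* %testusers ALL = (testuserB) NOPASSWD: ALL */
    { "admin",      NULL,            true  },   /* admin ALL = ALL, runas list absent */
    { "ops",        runas_root,      false },   /* ops ALL = (root) /usr/bin/systemctl */
};
const size_t demo_rules_len = sizeof demo_rules / sizeof demo_rules[0];
const char *demo_groups_testusers[] = { "testusers", NULL };
const char *demo_no_groups[]        = { NULL };

int main(void) {
    printf("testuserA lists root:      %s\n", may_list(demo_rules, demo_rules_len, "testuserA", demo_groups_testusers, "root") ? "yes" : "no");
    printf("testuserA lists testuserB: %s\n", may_list(demo_rules, demo_rules_len, "testuserA", demo_groups_testusers, "testuserB") ? "yes" : "no");
    printf("admin lists root:          %s\n", may_list(demo_rules, demo_rules_len, "admin", demo_no_groups, "root") ? "yes" : "no");
    printf("ops lists root:            %s\n", may_list(demo_rules, demo_rules_len, "ops", demo_no_groups, "root") ? "yes" : "no");
    return 0;
}
```

The `admin` case is the one that matters for the crash: `may_list` reaches a rule whose runas list is NULL, and only the guarded `runas_contains` survives it. Swapping in `runas_contains_unguarded` reproduces the NULL dereference on the same input.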