sudo-project/sudo

Sudo on Solaris since 1.9.14p2 does not support PRIVS

vlmarek opened this issue · 3 comments

Before https://github.com/sudo-project/sudo/commit/db704c22ec248c871907cfd966091a28332e1d0f.patch this works:

$ useradd -b /var/tmp -m -s /bin/bash luser

/etc/sudoers:
luser ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash

$ sudo -u luser sudo bash -c 'id; ppriv $$'
uid=100(luser) gid=10(staff)
17186:  ppriv 17186
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: basic,dtrace_kernel,dtrace_proc,dtrace_user

With the change noted above:

$ sudo -u luser sudo bash -c 'id; ppriv $$'
Password:
sudo: a password is required

And neither of these works:

$ sudo su - luser
$ sudo ppriv $$
Password: 
sudo: a password is required

I have to say I don't understand the code yet, but maybe it is something "obvious" for you?

Thank you
__
Vlad

Sorry, but it was never intended to work that way. Since sudo runs commands as root by default, you need to explicitly specify the user to run a command as a user other than root, even the current user. The previous behavior was a bug. The correct usage would be:

$ sudo -u luser bash -c 'id; ppriv $$'

However, I just discovered a different bug introduced in sudo 1.9.15 that prevents Solaris privs from being applied. That bug is fixed by de242c5.

Thank you for the quick reply! I admit that the command line is not how someone would use sudo in real life. But if I understand correctly you say that running just sudo to get elevated (Solaris) privileges is not supported. For example:

$ id -a
uid=100(luser) gid=10(staff) groups=10(staff)

# Here sudo does not give me privileges:
$ sudo bash -c 'id; ppriv $$'
Password: 

# But here specifying "-u luser" even though I am luser it does:
$ sudo -u luser bash -c 'id; ppriv $$'
uid=100(luser) gid=10(staff)
14538:  ppriv 14538
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: basic,dtrace_kernel,dtrace_proc,dtrace_user

If that is so then I misunderstood it and I am sorry about it. And this bug can be closed. Or do you say this is what the second fix you have just done is about? I will retest it.

Many thanks!
__
Vlad

Yes, that is correct. This command:

$ sudo bash -c 'id; ppriv $$'

is equivalent to:

$ sudo -u root bash -c 'id; ppriv $$'

So you need to run

sudo -u luser bash -c 'id; ppriv $$'

even if you are already luser.
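To make the matching behaviour described in this thread concrete, here is an added example (written for this page, not sudo's own code) that models how a sudoers rule's Runas_Spec decides whether an invocation matches. It assumes the sudoers(5) semantics that an omitted Runas_Spec permits the command only as root, an empty `()` permits it only as the invoking user, and that `sudo CMD` is the same as `sudo -u root CMD`; host wildcards, groups, Defaults and real PATH resolution are left out. The `FAKE_PATH` table and the second `/usr/bin/id` rule are constructed for the example; the first rule is the one from the issue.

```python
"""Toy model of sudoers Runas_Spec matching (added example, not sudo's code).

Assumed semantics, simplified from sudoers(5):
  * Runas_Spec omitted      -> command may run only as root
  * empty Runas_Spec "()"   -> command may run only as the invoking user
  * "(a, b)"                -> command may run as any listed user (or ALL)
  * "sudo CMD" with no -u   -> same as "sudo -u root CMD"
Host wildcards, groups, Defaults and real PATH lookup are ignored.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a PATH search of a bare command name.
FAKE_PATH = {"bash": "/usr/bin/bash", "dtrace": "/usr/sbin/dtrace", "id": "/usr/bin/id"}


@dataclass
class Rule:
    user: str
    host: str
    runas: Optional[list]   # None = omitted, [] = "()", otherwise the listed users
    privs: Optional[str]    # value of the Solaris PRIVS= option, if present
    nopasswd: bool
    commands: list


def parse_rule(line: str) -> Rule:
    """Parse one user specification, e.g.
    luser ALL = () PRIVS="basic,dtrace_proc" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash
    """
    lhs, rhs = line.split("=", 1)          # first '=' separates "user host" from the spec
    user, host = lhs.split()
    rhs = rhs.strip()
    runas = None
    m = re.match(r"\(([^)]*)\)\s*", rhs)   # a Runas_Spec is present (possibly empty)
    if m:
        runas = [u.strip() for u in m.group(1).split(",") if u.strip()]
        rhs = rhs[m.end():]
    privs, nopasswd = None, False
    while True:                            # options (NAME=value) and tags (NAME:) precede the commands
        m = re.match(r'([A-Z_]+)=(?:"([^"]*)"|(\S+))\s*', rhs)
        if m:
            if m.group(1) == "PRIVS":
                privs = m.group(2) if m.group(2) is not None else m.group(3)
            rhs = rhs[m.end():]
            continue
        m = re.match(r"([A-Z]+):\s*", rhs)
        if m:
            if m.group(1) == "NOPASSWD":
                nopasswd = True
            rhs = rhs[m.end():]
            continue
        break
    commands = [c.strip() for c in rhs.split(",") if c.strip()]
    return Rule(user, host, runas, privs, nopasswd, commands)


@dataclass
class Decision:
    allowed: bool
    password_required: bool
    privs: Optional[str]
    reason: str


def target_user_of(argv):
    """Return (target user, remaining command) for a sudo argv; no -u means root."""
    target, rest, i = "root", [], 1        # argv[0] is "sudo"
    while i < len(argv):
        if argv[i] == "-u":
            target, i = argv[i + 1], i + 2
        elif argv[i].startswith("-u"):
            target, i = argv[i][2:], i + 1
        else:
            rest.append(argv[i])
            i += 1
    return target, rest


def evaluate(rules, invoking_user, argv, host="solaris-box"):
    """First matching rule wins; the runas check is what decides the cases in the issue."""
    target, cmd = target_user_of(argv)
    path = FAKE_PATH.get(cmd[0], cmd[0])
    for rule in rules:
        if rule.user != invoking_user or rule.host not in ("ALL", host):
            continue
        if "ALL" not in rule.commands and path not in rule.commands:
            continue
        if rule.runas is None:             # omitted: root only
            permitted = {"root"}
        elif not rule.runas:               # "()": invoking user only
            permitted = {invoking_user}
        else:
            permitted = set(rule.runas)
        if "ALL" not in permitted and target not in permitted:
            continue
        return Decision(True, not rule.nopasswd, rule.privs,
                        f"{path} as {target} matched rule with runas {rule.runas!r}")
    return Decision(False, True, None, f"no rule lets {invoking_user} run {path} as {target}")


SUDOERS = [
    # the rule from the issue: "()" means only as luser, never as root
    'luser ALL = () PRIVS="basic,dtrace_kernel,dtrace_proc,dtrace_user" NOPASSWD: /usr/sbin/dtrace, /usr/bin/bash',
    'luser ALL = /usr/bin/id',             # constructed: no Runas_Spec, so root only, password needed
]
RULES = [parse_rule(line) for line in SUDOERS]

if __name__ == "__main__":
    for argv in (["sudo", "bash", "-c", "id; ppriv $$"],
                 ["sudo", "-u", "luser", "bash", "-c", "id; ppriv $$"],
                 ["sudo", "-u", "root", "dtrace"],
                 ["sudo", "id", "-a"]):
        print(" ".join(argv), "->", evaluate(RULES, "luser", argv))
```

Running it shows the two cases from the thread side by side: `sudo bash` resolves to target root, which the `()` rule does not permit, while `sudo -u luser bash` matches and carries the PRIVS value through with no password, and the constructed root-only rule shows the opposite default.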