换行符引发的 sudo 故障

调试日志

在 /etc/sudo.conf 中分别为 sudo 前端和 sudoers 插件开启 all@debug 级别的调试日志，然后复现一次失败的 sudo 调用，重点看 cmnd_matches / command_matches 的返回值。注意：all@debug 会把命令、参数等细节都写进日志，排障结束后应删掉这两行 Debug 配置并清理日志文件，并确认 /var/log/sudo_debug.log 只有 root 可读。（tailf 在新版 util-linux 中已被移除，可用 tail -f 代替。）

# vi /etc/sudo.conf
Debug sudo /var/log/sudo_debug.log all@debug
Debug sudoers.so /var/log/sudo_debug.log all@debug
# tailf /var/log/sudo_debug.log
Dec 10 21:10:16 sudo[3697781] -> sudo_check_suid @ ./sudo.c:866
Dec 10 21:10:16 sudo[3697781] <- sudo_check_suid @ ./sudo.c:910
Dec 10 21:10:16 sudo[3697781] -> save_signals @ ./signal.c:79
Dec 10 21:10:16 sudo[3697781] <- save_signals @ ./signal.c:86
Dec 10 21:10:16 sudo[3697781] -> init_signals @ ./signal.c:125
Dec 10 21:10:16 sudo[3697781] will restore signal 13 on exec
Dec 10 21:10:16 sudo[3697781] <- init_signals @ ./signal.c:160
Dec 10 21:10:16 sudo[3697781] -> sudo_conf_read_v1 @ ./sudo_conf.c:546
Dec 10 21:10:16 sudo[3697810] -> cmnd_matches @ ./match.c:374
Dec 10 21:10:16 sudo[3697810] -> command_matches @ ./match.c:432
Dec 10 21:10:16 sudo[3697810] -> command_matches_normal @ ./match.c:841
Dec 10 21:10:16 sudo[3697810] <- command_matches_normal @ ./match.c:854 := false
": false @ command_matches() ./match.c:472 "/usr/bin/x" matches sudoers command "/usr/bin/x
（注：这一行显示错乱，很可能是因为 sudoers 条目中的命令字符串末尾带有 CR（\r）：终端遇到 \r 回到行首，后半段文本覆盖了前半段。原始内容应为 user command "/usr/bin/x" matches sudoers command "/usr/bin/x\r": false，可与下方修复后那条以 ": true" 结尾的日志对照。）
Dec 10 21:10:16 sudo[3697810] <- command_matches @ ./match.c:473 := false
Dec 10 21:10:16 sudo[3697810] <- cmnd_matches @ ./match.c:394 := -1
Dec 10 21:16:46 sudo[3754730] -> cmnd_matches @ ./match.c:374
Dec 10 21:16:46 sudo[3754730] -> command_matches @ ./match.c:432
Dec 10 21:16:46 sudo[3754730] -> command_matches_normal @ ./match.c:841
Dec 10 21:16:46 sudo[3754730] -> open_cmnd @ ./match.c:515
Dec 10 21:16:46 sudo[3754730] <- open_cmnd @ ./match.c:519 := true
Dec 10 21:16:46 sudo[3754730] -> do_stat @ ./match.c:483
Dec 10 21:16:46 sudo[3754730] <- do_stat @ ./match.c:487 := true
Dec 10 21:16:46 sudo[3754730] -> command_args_match @ ./match.c:401
Dec 10 21:16:46 sudo[3754730] <- command_args_match @ ./match.c:409 := true
Dec 10 21:16:46 sudo[3754730] -> set_cmnd_fd @ ./match.c:541
Dec 10 21:16:46 sudo[3754730] <- set_cmnd_fd @ ./match.c:575
Dec 10 21:16:46 sudo[3754730] <- command_matches_normal @ ./match.c:885 := true
Dec 10 21:16:46 sudo[3754730] user command "/usr/bin/x" matches sudoers command "/usr/bin/x": true @ command_matches() ./match.c:472
Dec 10 21:16:46 sudo[3754730] <- command_matches @ ./match.c:473 := true
Dec 10 21:16:46 sudo[3754730] <- cmnd_matches @ ./match.c:394 := 1

sudoers 文件

用 file 命令可以直接看出 user1-bad 使用了 CRLF 行尾：每行末尾多出的 \r 会被当作命令名的一部分，因此永远无法与用户实际执行的 "/usr/bin/x" 匹配。用 visudo -f 打开时 vi 会提示 [dos]，执行 :set ff=unix 后保存即可转换（也可以用 dos2unix）。从本文的输出看，这类文件并不会被当作语法错误拒绝，只是静默地匹配失败，所以从 Windows 侧编辑或由配置管理工具下发的 sudoers 片段应在部署前检查行尾；修复后仍需确认文件属主为 root、权限为 0440。

# file /etc/sudoers.d/user1-bad
/etc/sudoers.d/user1-bad: ASCII text, with CRLF line terminators
# file /etc/sudoers.d/user1-good
/etc/sudoers.d/user1-good: ASCII text
# visudo -f /etc/sudoers.d/user1-bad
"/etc/sudoers.d/user1-bad.tmp" [dos] 11L, 544C
:set ff=unix
:wq
"user1-bad.tmp" 11L, 533C written
# file /etc/sudoers.d/user1-bad
/etc/sudoers.d/user1-bad: ASCII text
# visudo -f /etc/sudoers.d/user1-good
"/etc/sudoers.d/user1-good.tmp" 11L, 531C

源码分析

command_matches_normal 会先比较用户命令与 sudoers 条目的 basename。条目文本末尾若带有 \r，它就会成为 base 的一部分（"x\r"），strcmp 返回非零，于是 command_matches 返回 false、cmnd_matches 返回 -1，与上面的调试日志一致。

https://github.com/sudo-project/sudo.git

tag SUDO_1_8_23

// plugins/sudoers/match.c

cmnd_matches
  command_matches
    command_matches_normal
      strcmp(user_base, base)   // base 来自 sudoers 条目；文件为 CRLF 行尾时推测 base 仍带有末尾的 '\r'（"x\r"），比较失败

最后修改于 2020-12-20