Public bug reported:

When mistakenly used in the argument list it can expand to protected content, such as /etc/shadow. Most users do not expect this.

The following example will permit 'username' to read /etc/shadow as the * character accepts any character and spaces.

    username ALL=(ALL) /bin/cat /var/log/messages*

The patch adds the following style of argument matching that can restrict the sudoers arguments to regex, thus allowing for additional common logrotate suffixes.

    username ALL = (ALL) /bin/cat m{/var/log/messages(\.[0-9]+|-[0-9]+)?$}

This improves the security stance of sudoers entries through tight regex matches which most administrators are familiar with.

Changes are in <https://github.com/edneville/sudo>, viewable as <https://github.com/sudo-project/sudo/compare/master...edneville:master>

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1853895

Title:
  Entries in sudoers files that include * do not behave like shell globs

Status in sudo package in Ubuntu:
  New
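The difference between the two rules above can be reproduced outside sudo. The following is an added example, not code from the report or from the sudo project: it models wildcard argument matching with fnmatch(3) called without FNM_PATHNAME over the space-joined argument string (an assumption that matches the behaviour the report describes), and compares it with the report's regex compiled as a POSIX extended regex. The leading ^ is added here as an assumption; how the patch itself anchors the start of the match is not shown on the page.

```c
/* Added example: glob vs. anchored-regex matching of a sudoers argument string. */
#include <fnmatch.h>
#include <regex.h>
#include <stdio.h>

/* Argument pattern from the wildcard rule in the report. */
static const char *GLOB = "/var/log/messages*";
/* Regex from the report; the leading ^ is an assumption added for this example. */
static const char *REGEX = "^/var/log/messages(\\.[0-9]+|-[0-9]+)?$";

/* Glob match over the whole argument string. Without FNM_PATHNAME,
 * '*' is free to cross '/' and spaces. Returns 1 if the rule allows it. */
int glob_allows(const char *args) {
    return fnmatch(GLOB, args, 0) == 0;
}

/* Extended-regex match over the same string.
 * Returns 1 if allowed, 0 if rejected, -1 if the pattern fails to compile. */
int regex_allows(const char *args) {
    regex_t re;
    int rc;
    if (regcomp(&re, REGEX, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, args, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void) {
    /* Constructed sample argument strings, as they would follow /bin/cat. */
    const char *samples[] = {
        "/var/log/messages",
        "/var/log/messages.1",
        "/var/log/messages-20191125",
        "/var/log/messages /etc/shadow",
        "/var/log/messages.1 /etc/shadow",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s glob=%d regex=%d\n", samples[i],
               glob_allows(samples[i]), regex_allows(samples[i]));
    return 0;
}
```

The same comparison can be used to audit existing sudoers entries: any rule whose argument pattern ends in * should be tested against an argument string containing a space and a second path.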