
Commit 19fef9b

committed
Add test for only changing the group (not the user).
A sudoers entry with a Runas_Spec that allows a command to be run as a group should also grant permission to run the command as the invoking user with only the group changed.
1 parent 12724d1 commit 19fef9b


3 files changed

+114
-0
lines changed


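--- a/MANIFEST
+++ b/MANIFEST
@@ -1122,6 +1122,8 @@ plugins/sudoers/regress/testsudoers/test30.out.ok
 plugins/sudoers/regress/testsudoers/test30.sh
 plugins/sudoers/regress/testsudoers/test31.out.ok
 plugins/sudoers/regress/testsudoers/test31.sh
+plugins/sudoers/regress/testsudoers/test32.out.ok
+plugins/sudoers/regress/testsudoers/test32.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
 plugins/sudoers/regress/testsudoers/test4.sh
 plugins/sudoers/regress/testsudoers/test5.out.ok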
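--- a/plugins/sudoers/regress/testsudoers/test32.out.ok
+++ b/plugins/sudoers/regress/testsudoers/test32.out.ok
@@ -0,0 +1,72 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed
+Parses OK
+
+Entries for user admin:
+
+ALL = (root : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed
+Parses OK
+
+Entries for user admin:
+
+ALL = (root : staff) /bin/ls
+host allowed
+runas allowed
+cmnd allowed
+
+Password required
+
+Command allowed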
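--- a/plugins/sudoers/regress/testsudoers/test32.sh
+++ b/plugins/sudoers/regress/testsudoers/test32.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
+# Verify that a user is allowed to run commands with only the group changed.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+$TESTSUDOERS -u admin -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (admin:staff) /bin/ls
+EOF
+
+$TESTSUDOERS -u admin -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (:staff) /bin/ls
+EOF
+
+$TESTSUDOERS -u admin -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (root:staff) /bin/ls
+EOF
+
+$TESTSUDOERS -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (admin:staff) /bin/ls
+EOF
+
+$TESTSUDOERS -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (:staff) /bin/ls
+EOF
+
+$TESTSUDOERS -g staff -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+admin /bin/ls <<'EOF'
+admin ALL = (root:staff) /bin/ls
+EOF
+
+exit 0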
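Review bot: All six invocations in test32.sh expect `Command allowed`, so the test pins only the permissive side of the rule and never checks that a group-only match stays confined to the invoking user. A companion case that requests a different target user, for example `-u root -g staff` against `admin ALL = (:staff) /bin/ls`, with a denial recorded in the expected output, would catch a regression where the group match widens the permitted runas user; the expected denial is inferred from the commit description and should be confirmed against the sudoers grammar. A second negative case with a group that the Runas_Spec does not list would cover the other boundary. Separately, `${TESTDIR}` is expanded unquoted and has no default, unlike `TESTSUDOERS`, so an unset value silently resolves to `/passwd` and `/group`; `"${TESTDIR}/passwd"` and `"${TESTDIR}/group"` would be more robust if the harness does not always export it.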
