add test that root can bypass security measures

squell · squell · commit c8d95003a987 · 2025-07-23T18:15:21.000+02:00
diff --git a/src/system/audit.rs b/src/system/audit.rs
@@ -10,7 +10,9 @@ use std::os::unix::{
 };
 use std::path::{Component, Path};
 
-use super::{cerr, inject_group, set_supplementary_groups, Group, GroupId, User, UserId};
+use super::{
+    cerr, inject_group, interface::UnixUser, set_supplementary_groups, Group, GroupId, User, UserId,
+};
 use crate::common::resolve::CurrentUser;
 
 /// Temporary change privileges --- essentially a 'mini sudo'
@@ -109,6 +111,7 @@ pub fn secure_open_cookie_file(path: impl AsRef<Path>) -> io::Result<File> {
         .read(true)
         .write(true)
         .create(true)
+        .truncate(false)
         .mode(mode(Category::Owner, Op::Write) | mode(Category::Owner, Op::Read));
 
     secure_open_impl(path.as_ref(), &mut open_options, true, true)
@@ -214,7 +217,16 @@ pub fn secure_open_for_sudoedit(
     target_group: &Group,
 ) -> io::Result<File> {
     sudo_call(target_user, target_group, || {
-        traversed_secure_open(path, current_user)
+        if current_user.is_root() {
+            OpenOptions::new()
+                .read(true)
+                .write(true)
+                .create(true)
+                .truncate(false)
+                .open(path)
+        } else {
+            traversed_secure_open(path, current_user)
+        }
     })?
 }
 
diff --git a/test-framework/sudo-compliance-tests/src/sudoedit/limits.rs b/test-framework/sudo-compliance-tests/src/sudoedit/limits.rs
@@ -40,6 +40,25 @@ fn cannot_edit_writable_paths() {
     }
 }
 
+#[test]
+fn can_edit_writable_paths_as_root() {
+    // note: we already have tests that sudoedit "works" so we are skipping
+    // the content check here---the point here is that sudoedit does not stop
+    // the user.
+
+    let env = Env(SUDOERS_ALL_ALL_NOPASSWD)
+        .user(USERNAME)
+        .directory(Directory("/tmp/bar").chmod("755"))
+        .file(DEFAULT_EDITOR, TextFile(EDITOR_DUMMY).chmod(CHMOD_EXEC))
+        .build();
+
+    let file = "/tmp/foo.sh";
+    Command::new("sudoedit")
+        .arg(file)
+        .output(&env)
+        .assert_success();
+}
+
 #[test]
 fn cannot_edit_symlinks() {
     let env = Env(SUDOERS_ALL_ALL_NOPASSWD)
