blob: bef55da203c2c9ee2a83b2b3f1fbcbde8a03200f (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
#!/bin/sh
#
# Test user-specified chroot handling
#
: ${TESTSUDOERS=testsudoers}
exec 2>&1
cd /
retval=0
printf "A simple sudoers rule should not allow the user to chroot:\n"
$TESTSUDOERS -R / root /bin/ls <<'EOF'
root ALL = /bin/ls
EOF
if [ $? -eq 0 ]; then
retval=1
fi
# Because command_matches() uses the per-rule CHROOT, this results in
# an unmatched rule instead of a matched rule that is rejected later.
# This is different from the CWD checking which is performed after
# matching is done.
printf "\nUser cannot override the sudoers chroot:\n"
$TESTSUDOERS -R / root /bin/ls <<'EOF'
root ALL = CHROOT=/some/where/else /bin/ls
EOF
if [ $? -eq 0 ]; then
retval=1
fi
printf "\nUser can chroot if sudoers rule sets chroot to '*':\n"
$TESTSUDOERS -R /usr root /bin/ls <<'EOF'
root ALL = CHROOT=* /bin/ls
EOF
if [ $? -ne 0 ]; then
retval=$?
fi
printf "\nUser can chroot if runchroot Defaults is '*':\n"
$TESTSUDOERS -R /usr root /bin/ls <<'EOF'
Defaults runchroot = "*"
root ALL = /bin/ls
EOF
if [ $? -ne 0 ]; then
retval=$?
fi
exit $retval
|
