memorysafety / sudo-rs

A memory safe implementation of sudo and su.

sudo: `-u longusername` fails when effective group id cannot be resolved into a group name

japaric opened this issue · comments

relevant test

```rust
fn long_username() -> Result<()> {
    // `useradd` limits usernames to 32 characters
    // directly write to `/etc/passwd` to work around this limitation
    let username = "a".repeat(33);
    let env = Env(SUDOERS_ALL_ALL_NOPASSWD).build()?;

    Command::new("sh")
        .arg("-c")
        .arg(format!(
            "echo {username}:x:1000:1000::/tmp:/bin/sh >> /etc/passwd"
        ))
        .output(&env)?
        .assert_success()?;

    Command::new("sudo")
        .arg("-u")
        .arg(username)
        .arg("true")
        .output(&env)?
        .assert_success()
}
```

`useradd` does not work with usernames longer than 32 characters. This issue is only observed with usernames longer than 32 characters, when editing `/etc/passwd` (instead of `useradd`) is used to create the user.

The above test does not update `/etc/groups`, i.e. it does not assign a primary group to the new user. This makes the `groups` command fail:

```
root@a22ac8003931:/tmp# groups aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa : groups: cannot find name for group ID 1001
1001
root@a22ac8003931:/tmp# echo $?
1
```

I think sudo-rs is failing because it's trying to resolve the group ID into a group name whereas ogsudo is not while still being able to execute the complete pipeline.
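The condition described in this issue, a passwd entry whose primary gid has no entry in the group database, can be modelled as below. This is an added example, not sudo-rs code and not from the issue author; the function names and the inline passwd/group text are constructed, and it shows one way to treat a missing group name as non-fatal by keeping the numeric gid.

```rust
// Added illustration; not sudo-rs code. Works on constructed passwd/group text.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub struct Target {
    pub uid: u32,
    pub gid: u32,
    /// None when the gid has no entry in the group database.
    pub group_name: Option<String>,
}

/// Parse `name:passwd:gid:members` lines into a gid -> name map.
pub fn parse_group(db: &str) -> HashMap<u32, String> {
    db.lines()
        .filter_map(|l| {
            let f: Vec<&str> = l.split(':').collect();
            Some((f.get(2)?.parse().ok()?, f.first()?.to_string()))
        })
        .collect()
}

/// Look up `user` in passwd text. Only a missing user is a failure;
/// an unresolvable gid still yields a usable target.
pub fn resolve_target(passwd: &str, groups: &HashMap<u32, String>, user: &str) -> Option<Target> {
    passwd.lines().find_map(|l| {
        let f: Vec<&str> = l.split(':').collect();
        if f.len() < 7 || f[0] != user {
            return None;
        }
        let (uid, gid) = (f[2].parse().ok()?, f[3].parse().ok()?);
        Some(Target { uid, gid, group_name: groups.get(&gid).cloned() })
    })
}

/// Display form: fall back to the numeric gid when no name exists.
pub fn group_label(t: &Target) -> String {
    t.group_name.clone().unwrap_or_else(|| t.gid.to_string())
}

fn main() {
    // Constructed sample databases mirroring the test in the issue:
    // the user is appended to passwd, but no matching group is created.
    let user = "a".repeat(33);
    let passwd = format!("root:x:0:0:root:/root:/bin/sh\n{user}:x:1000:1000::/tmp:/bin/sh\n");
    let groups = parse_group("root:x:0:\n");
    let t = resolve_target(&passwd, &groups, &user).expect("user exists");
    println!("uid={} gid={} group={}", t.uid, t.gid, group_label(&t));
}
```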