OpenDoas keeps current PATH variable #45

Closed
ivan3182 opened this issue Jan 28, 2021 · 4 comments
Comments

@ivan3182
ivan3182 commented Jan 28, 2021

OpenDoas version: 6.8
System: Gentoo, Debian 10
/etc/doas.conf content: permit :wheel

man doas says that variable PATH is set to value appropriate for the target user, but current value preserves:

user@gentoo /etc
> $ env | grep ^PATH
PATH=/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

user@gentoo /etc
> $ doas env | grep ^PATH
doas (user@gentoo) password:
PATH=/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

expected value:

user@gentoo /etc
> $ su -l
Password:
gentoo ~ # env | grep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin
@Duncaen
Owner

Duncaen commented Jan 28, 2021

Thanks for the report, this is indeed a bug, and since it does not match the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016). This used to be the default behavior but should have been correctly changed in 2019.

One nuance about this is that the user's PATH will be used when executing the first command if the rule allows any command,
so with the rule permit :wheel, PATH=~/bin doas foo will execute foo from ~/bin.
If the rule limits the execution to a specific command then the "safe" PATH is used; permit :wheel cmd foo would not execute ~/bin/foo (in this case the reset of the PATH variable was already correct before this fix).

This means before the fix, users who only had access to execute a specific command were not able to execute other commands through an "unsafe" PATH.

Users who were allowed to execute anything could change PATH to execute more things from PATH.

This has been fixed in d5acd52.

@Duncaen
Owner

Duncaen commented Jan 28, 2021

If you want to be credited in the CVE as Discoverer, please tell me a name and I will request an update for the CVE.

@ivan3182
Author

After the fix (OpenDoas 6.8.1) it is possible to execute a script from ~/.local/bin even though it is not in PATH.
Is this intentional?

user@gentoo ~
> $ cat /etc/doas.conf
permit :wheel

user@gentoo ~
> $ cat /home/user/.local/bin/check-doas.sh
#!/bin/bash

whoami
echo "${PATH}"

user@gentoo ~
> $ check-doas.sh
user
/home/user/.local/bin:/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib/llvm/10/bin

user@gentoo ~
> $ doas env | grep ^PATH
doas (user@gentoo) password: 
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

user@gentoo ~
> $ doas check-doas.sh
doas (user@gentoo) password: 
root
/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

on OpenBSD it says doas: check-doas.sh: command not found

@Duncaen
Owner

Duncaen commented Jan 29, 2021

Yes, that is how it works for rules that allow a user to execute any command (permit :wheel); in this case the executing user's PATH is used.
For rules that allow only specific commands to be executed (permit :wheel cmd check-doas.sh), the default path is used.

This is exactly how it works in the original doas and also in sudo.

on OpenBSD it says doas: check-doas.sh: command not found

Then you did not add ~/.local/bin to your PATH.
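The two maintainer comments above describe one rule: with an unrestricted rule (permit :wheel) the first command is looked up in the calling user's PATH, while a rule restricted to a specific command (permit :wheel cmd foo) looks it up in the default "safe" PATH; independently of that, after the fix the child process always receives the safe PATH. The following Python model is an added illustration, not OpenDoas source code; the fake filesystem, the user PATH and the rule are constructed inline, and the safe PATH value is copied from the `doas env` output quoted in the thread. It also includes a small check that parses `env` output to confirm the child's PATH was reset, which is what the original report was testing by hand.

```python
"""Model of doas PATH handling as described in the thread (added example).

This is a simplified, constructed model of the behaviour the maintainer
describes, not the OpenDoas implementation.
"""
import os

# Default PATH handed to the target user (value from the `doas env` output
# quoted in the thread).
SAFE_PATH = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"

# Constructed "filesystem": directory -> executables present in it.
FAKE_FS = {
    "/home/user/.local/bin": {"check-doas.sh", "foo"},
    "/usr/bin": {"env", "whoami"},
    "/bin": {"bash"},
}


def lookup(cmd, path, fs=FAKE_FS):
    """Return the first directory on `path` that contains `cmd`, like execvp
    does, or None. A command containing '/' is not searched for at all."""
    if "/" in cmd:
        return os.path.dirname(cmd)
    for directory in path.split(":"):
        if cmd in fs.get(directory, set()):
            return directory
    return None


def doas_exec(rule_cmd, cmd, user_path, fixed=True):
    """Model one doas invocation.

    rule_cmd: None for a rule permitting any command ("permit :wheel"),
              otherwise the single command named in "permit :wheel cmd X".
    fixed:    True models OpenDoas 6.8.1 (PATH reset for every rule);
              False models 6.8, where an unrestricted rule kept the user's PATH.
    Returns (directory the command was resolved from, PATH seen by the child).
    """
    if rule_cmd is not None and cmd != rule_cmd:
        raise PermissionError(f"doas: {cmd}: not permitted by rule")
    # Unrestricted rule: search the caller's PATH. Restricted rule: search the
    # safe PATH, so ~/.local/bin/foo is never picked up for "cmd foo".
    search_path = user_path if rule_cmd is None else SAFE_PATH
    resolved = lookup(cmd, search_path)
    if resolved is None:
        raise FileNotFoundError(f"doas: {cmd}: command not found")
    # Before the fix only restricted rules reset PATH for the child.
    child_path = user_path if (rule_cmd is None and not fixed) else SAFE_PATH
    return resolved, child_path


def path_from_env_output(text):
    """Extract the PATH value from captured `env` output (returns None if absent)."""
    for line in text.splitlines():
        if line.startswith("PATH="):
            return line[len("PATH="):]
    return None


def child_path_was_reset(env_output, user_path, safe_path=SAFE_PATH):
    """The check the reporter did by hand: does `doas env` show the safe PATH
    rather than the caller's PATH?"""
    seen = path_from_env_output(env_output)
    return seen == safe_path and seen != user_path


if __name__ == "__main__":
    user_path = "/home/user/.local/bin:/usr/bin:/bin"  # constructed
    print(doas_exec(None, "check-doas.sh", user_path))            # found via user PATH, child gets SAFE_PATH
    print(doas_exec(None, "check-doas.sh", user_path, fixed=False))  # 6.8: child kept user PATH
    print(doas_exec("env", "env", user_path))                     # restricted rule, safe PATH lookup
    try:
        doas_exec("check-doas.sh", "check-doas.sh", user_path)
    except FileNotFoundError as err:
        print(err)  # restricted rule does not see ~/.local/bin
```

Running the model with the report's own values reproduces both observations: an unrestricted rule still finds check-doas.sh through the caller's PATH (the behaviour the maintainer calls intentional), while the PATH inside the child is the safe one after the fix.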

@Duncaen Duncaen closed this as completed May 6, 2021