OpenDoas keeps current PATH variable #45
Thanks for the report, this is indeed a bug, and with this not matching the documentation I consider it a security issue and have requested a CVE for it (CVE-2019-25016). This used to be the default behavior but should have been correctly changed in 2019. One nuance about this is that the users This means before the fix, users who only had access to execute a specific command were not able to execute other commands through an "unsafe" PATH. Users who were allowed to execute anything could change PATH to execute more things from PATH. This has been fixed in d5acd52.
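An added example, not part of this thread and not OpenDoas code: a sketch of the documented behaviour, in which the environment handed to the target command carries one fixed PATH instead of the caller's. `build_target_env`, `env_lookup` and the path value are assumptions made for illustration, and only PATH is handled here.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed fixed search path; a constructed value, not taken from OpenDoas. */
#define TARGET_PATH "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

/*
 * Hypothetical helper: copy the caller's environment for the target command,
 * dropping every caller-supplied PATH entry and appending one fixed PATH.
 * Returns a NULL-terminated array (free the array, not the strings),
 * or NULL on allocation failure.
 */
char **build_target_env(char *const caller_env[])
{
    size_t n = 0, out = 0;

    while (caller_env[n] != NULL)
        n++;

    /* Room for every caller entry, the fixed PATH and the terminator. */
    char **env = calloc(n + 2, sizeof(*env));
    if (env == NULL)
        return NULL;

    for (size_t i = 0; i < n; i++) {
        /* Match "PATH=" at the start only, so MANPATH= and similar survive. */
        if (strncmp(caller_env[i], "PATH=", 5) == 0)
            continue; /* drop every copy, duplicates included */
        env[out++] = caller_env[i];
    }
    env[out++] = (char *)TARGET_PATH;
    env[out] = NULL;
    return env;
}

/* Return the value of `name` in an environment array, or NULL if absent. */
const char *env_lookup(char *const env[], const char *name)
{
    size_t len = strlen(name);

    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}
```

Dropping every `PATH=` entry rather than the first one matters because an environment array may contain duplicates, and which copy a program reads is implementation-dependent.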
If you want to be credited in the CVE as Discoverer, please tell me a name and I will request an update for the CVE.
After the fix (OpenDoas 6.8.1) it is possible to execute script from on OpenBSD it says
Yes that is how it works for rules that allow a user to execute any command ( This is exactly how it works in the original doas and also in sudo.
Then you did not add
OpenDoas version: 6.8
System: Gentoo, Debian 10
/etc/doas.conf content:
permit :wheel
man doas says that the variable PATH is set to a value appropriate for the target user, but the current value is preserved:
expected value: