Bug 234756 - security/sudo: listpw=never does not work as expected
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Renato Botelho
Reported: 2019-01-08 17:00 UTC by Victor Sudakov
Modified: 2019-01-22 13:52 UTC

bugzilla: maintainer-feedback? (garga)


Attachments
A complete sudoers file (776 bytes, text/plain)
2019-01-09 13:49 UTC, Victor Sudakov

Description Victor Sudakov 2019-01-08 17:00:16 UTC
The line "Defaults listpw=never" in sudoers does not work as documented:
"sudo -l" still requires a password from the user instead of showing the permitted commands.
Comment 1 Renato Botelho freebsd_committer freebsd_triage 2019-01-08 18:50:08 UTC
Could you give me more details about how to reproduce it? I've tested here and couldn't.
Comment 2 Victor Sudakov 2019-01-09 13:49:22 UTC
Created attachment 200951
A complete sudoers file
Comment 3 Victor Sudakov 2019-01-09 13:52:28 UTC
(In reply to Renato Botelho from comment #1)
I have attached my complete sudoers file without any redacting. However, when a member of the "user" group runs "sudo -l" she is asked for a password.
Comment 4 Victor Sudakov 2019-01-13 04:19:02 UTC
Have you been able to reproduce the problem with my sudoers file?

Just in case they are useful, I'm posting the build options:

Options        :
	AUDIT          : on
	DISABLE_AUTH   : off
	DISABLE_ROOT_SUDO: off
	DOCS           : on
	EXAMPLES       : on
	GSSAPI_BASE    : off
	GSSAPI_HEIMDAL : off
	GSSAPI_MIT     : off
	INSULTS        : off
	LDAP           : off
	NLS            : off
	NOARGS_SHELL   : off
	OPIE           : off
	PAM            : on
	SSSD           : off
Comment 5 Victor Sudakov 2019-01-20 13:45:49 UTC
ping!
Comment 6 Renato Botelho freebsd_committer freebsd_triage 2019-01-22 10:43:08 UTC
I managed to reproduce the issue here and opened a ticket upstream [1]. While it's not fixed you can work around it using listpw=any and configuring an entry allowing %user to run /usr/bin/false with NOPASSWD: set.

[1] https://bugzilla.sudo.ws/show_bug.cgi?id=869
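
The workaround from comment 6 written out as a sudoers fragment. This is an added example, not part of the original comment or of the attached sudoers file; the group name %user comes from the report, and the host specification ALL is an assumption.

```sudoers
# Affected setting: on the unfixed port, "sudo -l" still prompts for a password.
# Defaults listpw=never

# Workaround: with listpw=any, "sudo -l" skips the password prompt when at
# least one of the user's entries for the current host carries NOPASSWD.
Defaults listpw=any

# Give the group one NOPASSWD entry. /usr/bin/false does nothing and exits
# non-zero, so the entry grants no useful privilege. Keep it on its own line
# so the NOPASSWD tag does not carry over to other commands in a list.
# Host "ALL" is an assumption; narrow it to match the rest of the file.
%user ALL = NOPASSWD: /usr/bin/false
```

Check the syntax with `visudo -c`, then run `sudo -n -l` as a member of the group: with `-n`, sudo fails instead of prompting if a password would still be required.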
Comment 7 commit-hook freebsd_committer freebsd_triage 2019-01-22 13:51:36 UTC
A commit references this bug:

Author: garga
Date: Tue Jan 22 13:51:16 UTC 2019
New revision: 490951
URL: https://svnweb.freebsd.org/changeset/ports/490951

Log:
  security/sudo: Fix listpw=never

  When listpw=never is set, 'sudo -l' is expected to run without asking for a
  password.

  PR:		234756
  Reported by:	vas@mpeks.tomsk.su
  Obtained from:	https://bugzilla.sudo.ws/show_bug.cgi?id=869
  Sponsored by:	Rubicon Communications, LLC (Netgate)

Changes:
  head/security/sudo/Makefile
  head/security/sudo/files/patch-plugins_sudoers_parse.c
Comment 8 Renato Botelho freebsd_committer freebsd_triage 2019-01-22 13:52:17 UTC
Fix committed to 1.8.27_1