diff --git a/MANIFEST b/MANIFEST
index 7ddebc33e..3a5426d12 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1100,8 +1100,14 @@ plugins/sudoers/regress/testsudoers/test27.out.ok
 plugins/sudoers/regress/testsudoers/test27.sh
 plugins/sudoers/regress/testsudoers/test28.out.ok
 plugins/sudoers/regress/testsudoers/test28.sh
+plugins/sudoers/regress/testsudoers/test29.out.ok
+plugins/sudoers/regress/testsudoers/test29.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
+plugins/sudoers/regress/testsudoers/test30.out.ok
+plugins/sudoers/regress/testsudoers/test30.sh
+plugins/sudoers/regress/testsudoers/test31.out.ok
+plugins/sudoers/regress/testsudoers/test31.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
 plugins/sudoers/regress/testsudoers/test4.sh
 plugins/sudoers/regress/testsudoers/test5.out.ok
diff --git a/plugins/sudoers/regress/testsudoers/test29.out.ok b/plugins/sudoers/regress/testsudoers/test29.out.ok
new file mode 100644
index 000000000..bf145c776
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test29.out.ok
@@ -0,0 +1,133 @@
+listpw = all, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+listpw = all, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+listpw = all, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+listpw = always, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+listpw = any, 'sudo -l' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+listpw = any, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+listpw = any, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+listpw = never, 'sudo -l' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
diff --git a/plugins/sudoers/regress/testsudoers/test29.sh b/plugins/sudoers/regress/testsudoers/test29.sh
new file mode 100644
index 000000000..802b81223
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test29.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise listpw Defaults settings.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "listpw = all, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = all, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = /usr/bin/id
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "listpw = all, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = always, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = always
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "listpw = any, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = any
+admin ALL = NOPASSWD: /usr/bin/id
+admin ALL = ALL
+EOF
+
+echo ""
+echo "listpw = never, 'sudo -l' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin <<'EOF'
+Defaults listpw = never
+admin ALL = PASSWD: /usr/bin/id
+EOF
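Review bot: `status=0` near the top of test29.sh is assigned but never read or returned, so a failing `$TESTSUDOERS` run is only detectable through the output diff against test29.out.ok and never through the script's exit code; either drop the variable or record each run, `$TESTSUDOERS ... <<'EOF' || status=1`, and end the script with `exit $status`. The same dead `status=0` appears in test30.sh and test31.sh in this commit. `${TESTDIR}` is expanded without a default or presence check, so an unset TESTDIR quietly turns the arguments into `-p /passwd -P /group`; adding `: ${TESTDIR:?TESTDIR must be set}` next to the existing TESTSUDOERS default would make that misconfiguration fail loudly instead of producing a confusing diff. `$TESTSUDOERS` is left unquoted, presumably so it can hold a wrapper command with arguments; a one-line comment stating that would keep a future cleanup from quoting it.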
diff --git a/plugins/sudoers/regress/testsudoers/test30.out.ok b/plugins/sudoers/regress/testsudoers/test30.out.ok
new file mode 100644
index 000000000..576307233
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test30.out.ok
@@ -0,0 +1,133 @@
+verifypw = all, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+verifypw = all, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+verifypw = all, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+verifypw = always, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+verifypw = any, 'sudo -v' should require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+verifypw = any, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+verifypw = any, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+verifypw = never, 'sudo -v' should not require a password
+Parses OK
+
+Entries for user admin:
+
+ALL = PASSWD: /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
diff --git a/plugins/sudoers/regress/testsudoers/test30.sh b/plugins/sudoers/regress/testsudoers/test30.sh
new file mode 100644
index 000000000..57b30aec9
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test30.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise verifypw Defaults settings.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "verifypw = all, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = all, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = /usr/bin/id
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "verifypw = all, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = all
+admin ALL = NOPASSWD: ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = always, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = always
+admin ALL = NOPASSWD: ALL
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = ALL
+admin ALL = NOPASSWD: /usr/bin/id
+EOF
+
+echo ""
+echo "verifypw = any, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = any
+admin ALL = NOPASSWD: /usr/bin/id
+admin ALL = ALL
+EOF
+
+echo ""
+echo "verifypw = never, 'sudo -v' should not require a password"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -v admin <<'EOF'
+Defaults verifypw = never
+admin ALL = PASSWD: /usr/bin/id
+EOF
diff --git a/plugins/sudoers/regress/testsudoers/test31.out.ok b/plugins/sudoers/regress/testsudoers/test31.out.ok
new file mode 100644
index 000000000..04b2347d9
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test31.out.ok
@@ -0,0 +1,131 @@
+'sudo -U root -l' with no matching rules
+Parses OK
+
+Entries for user admin:
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a matching ALL=ALL rule
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+'sudo -U root -l' with a matching list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: list
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+'sudo -U root -l' without a matching list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = (operator) list
+ host allowed
+ runas unmatched
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a negated list rule
+Parses OK
+
+Entries for user admin:
+
+ALL = !list
+ host allowed
+ runas allowed
+ cmnd denied
+
+Password required
+
+Command denied
+
+'sudo -U root -l' with a list rule that is later negated
+Parses OK
+
+Entries for user admin:
+
+ALL = NOPASSWD: list, !list
+ host allowed
+ runas allowed
+ cmnd allowed
+ runas allowed
+ cmnd denied
+
+Command denied
+
+'sudo -l command' with a matching command
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+'sudo -l command' without a matching command
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
+
+'sudo -U root -l command' without list privileges
+Parses OK
+
+Entries for user admin:
+
+ALL = /usr/bin/id
+ host allowed
+ runas allowed
+ cmnd unmatched
+
+Password required
+
+Command denied
+
+'sudo -U root -l command' with list privileges
+Parses OK
+
+Entries for user admin:
+
+ALL = list
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Password required
+
+Command allowed
diff --git a/plugins/sudoers/regress/testsudoers/test31.sh b/plugins/sudoers/regress/testsudoers/test31.sh
new file mode 100644
index 000000000..a40906dec
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test31.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+#
+# Exercise "sudo -U user -l [command]"
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "'sudo -U root -l' with no matching rules"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+root ALL = ALL
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a matching ALL=ALL rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = ALL
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a matching list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = NOPASSWD: list
+EOF
+
+echo ""
+echo "'sudo -U root -l' without a matching list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = (operator) list
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a negated list rule"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = !list
+EOF
+
+echo ""
+echo "'sudo -U root -l' with a list rule that is later negated"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin <<'EOF'
+admin ALL = NOPASSWD: list, !list
+EOF
+
+echo ""
+echo "'sudo -l command' with a matching command"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin /bin/ls <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+echo ""
+echo "'sudo -l command' without a matching command"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -l admin /usr/bin/id <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+echo ""
+echo "'sudo -U root -l command' without list privileges"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin /bin/ls <<'EOF'
+root ALL = ALL
+admin ALL = /usr/bin/id
+EOF
+
+echo ""
+echo "'sudo -U root -l command' with list privileges"
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -L root admin /bin/ls <<'EOF'
+root ALL = ALL
+admin ALL = list
+EOF
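Review bot: The "'sudo -l command' without a matching command" case (`-l admin /usr/bin/id` against `admin ALL = /bin/ls`) has an expected output in test31.out.ok that is byte-identical to the preceding "with a matching command" case — `cmnd allowed`, `Password required`, `Command allowed` — so this test cannot catch a regression in which a command the user is not permitted to run is reported as listable. If that is the intended behaviour of testsudoers in `-l` mode (the listing itself being what is authorised, with the trailing command not matched against the rule), the script should say so in a comment above that invocation, e.g. `# Listing own privileges: the command argument is not matched here, so the output equals the matching case.`; otherwise either the expected output or the invocation needs to change so the two cases differ. Separately, the header comment says `sudo -U user -l` while the testsudoers flag used throughout is `-L root`; a note that `-L` is testsudoers' spelling of `-U` would help a reader cross-referencing the sudo manual.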