command_matches_fnmatch: use canonicalized path if user path contains ".."

millert · millert · commit 8443ab434e20 · 2026-04-23T07:22:39.000-06:00
We already fall back on the canonicalized path if the user-specified
path is relative.  The FNM_PATHNAME flag is already used, which
means a '/' in the user-specified command must match a '/' in the
sudoers pattern.  However, there is still the potential for unintended
matches given a user-specified command path that contains "..".

For example, given a sudoers rule like:

    user ALL = /usr/*/bin/*

The user would also be able to run "/bin/sh" as "sudo /usr/../bin/sh"
which is probably not what was intended.
diff --git a/plugins/sudoers/match_command.c b/plugins/sudoers/match_command.c
@@ -418,7 +418,8 @@ command_matches_fnmatch(struct sudoers_context *ctx, const char *sudoers_cmnd,
      * We do not attempt to match a relative path unless there is a
      * canonicalized version.
      */
-    if (cmnd[0] != '/' || fnmatch(sudoers_cmnd, cmnd, FNM_PATHNAME) != 0) {
+    if (cmnd[0] != '/' || sudo_contains_dot_dot(cmnd) ||
+	    fnmatch(sudoers_cmnd, cmnd, FNM_PATHNAME) != 0) {
 	/* No match, retry using the canonicalized path (if possible). */
 	if (ctx->user.cmnd_dir == NULL)
 	    debug_return_int(DENY);
