diff --git a/src/common/command.rs b/src/common/command.rs index 14b0ab96c..2870972bc 100644 --- a/src/common/command.rs +++ b/src/common/command.rs @@ -77,13 +77,13 @@ impl CommandAndArguments { None => resolved = false, } } + } - // resolve symlinks, even if the command was obtained through a PATH or SHELL - // once again, failure to canonicalize should not stop the pipeline - match canonicalize(&command) { - Ok(canon_path) => command = canon_path, - Err(_) => resolved = false, - } + // resolve symlinks, even if the command was obtained through a PATH or SHELL + // once again, failure to canonicalize should not stop the pipeline + match canonicalize(&command) { + Ok(canon_path) => command = canon_path, + Err(_) => resolved = false, } CommandAndArguments { @@ -168,7 +168,7 @@ mod test { CommandAndArguments { command: "shell".into(), arguments: vec!["-c".into(), "ls hello".into()], - resolved: true, + resolved: false, arg0: None, } ); diff --git a/test-framework/sudo-compliance-tests/src/sudo/flag_shell.rs b/test-framework/sudo-compliance-tests/src/sudo/flag_shell.rs index 1ceea9b51..5dcb745dd 100644 --- a/test-framework/sudo-compliance-tests/src/sudo/flag_shell.rs +++ b/test-framework/sudo-compliance-tests/src/sudo/flag_shell.rs @@ -67,6 +67,21 @@ echo $0"; Ok(()) } +#[test] +fn shell_is_canonicalized() -> Result<()> { + let shell_path = "/bin/bash"; + let env = Env("ALL ALL=(ALL:ALL) NOPASSWD: /usr/bin/bash") + .build()?; + + Command::new("env") + .arg(format!("SHELL={shell_path}")) + .args(["sudo", "-s", "true"]) + .output(&env)? + .stdout()?; + + Ok(()) +} + #[test] fn argument_is_invoked_with_dash_c_flag() -> Result<()> { let shell_path = "/root/my-shell";