Given a group-allowed command in sudoers, sudo allows escalating to the rlimit 
privileges of an arbitrary login class by authenticating to a group that the 
dude is part of.

/etc/sudoers:

andres ALL=(andres:andres) /bin/sh -c ulimit\ -a

Never in the life should this happen:

$ id
uid=1000(andres) gid=1000(andres) groups=1000(andres)

$ ulimit -a
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         524288
stack(kbytes)        4096
lockedmem(kbytes)    2668116
memory(kbytes)       7984972
nofiles(descriptors) 512
processes            128

$ s -gandres -cdaemon sh -c ulimit\ -a 
time(cpu-seconds)    unlimited
file(blocks)         unlimited
coredump(blocks)     unlimited
data(kbytes)         8388608
stack(kbytes)        8192
lockedmem(kbytes)    2668116
memory(kbytes)       7984972
nofiles(descriptors) 128
processes            1310

The finding and fixing of this bug was sponsored by the retarded people that 
participated in this thread:
http://marc.info/?t=133293504200001&r=1&w=1

diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c
index 6faf87d..eaa8bc5 100644
--- a/usr.bin/sudo/sudo.c
+++ b/usr.bin/sudo/sudo.c
@@ -1214,8 +1214,7 @@ set_loginclass(pw)
 
     if (login_class && strcmp(login_class, "-") != 0) {
        if (user_uid != 0 &&
-           ((!runas_user && runas_group) ||
-           (strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)))
+           strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)
            errorx(1, "only root can use -c %s", login_class);
     } else {
        login_class = pw->pw_class;
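
Review bot: In the user_uid != 0 condition, dropping (!runas_user && runas_group) removes the only test that looks at runas_group, so a -g-only invocation is now judged solely by strcmp(runas_user ? runas_user : def_runas_default, "root"). With runas_user unset, that compares def_runas_default, and if that default is "root" the errorx() call is skipped and -c is accepted, which is the -gandres -cdaemon case the report says must fail. Please check that the diff was not generated in the reverse direction; the fix described above would add the (!runas_user && runas_group) clause to the condition rather than delete it.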
