Package: sudo
Version: 1.6.9p17-2
Severity: grave
Tags: security
Justification: user security hole
My understanding is that permission to sudoedit is granted by a line in
the sudoers file like this:
user1 ALL = sudoedit /etc/network/interfaces
This works as expected (because the string sudoedit is a special case), e.g.
us...@host1:~$ sudoedit /etc/network/interfaces
However, it also appears to grant access to sudo any executable called
'sudoedit' (if the appropriate parameters are passed in). For example, a
user executable in the home directory called sudoedit:
#!/bin/sh
whoami
can be invoked (and reports 'root') using
us...@host1:~$ sudo ./sudoedit /etc/network/interfaces
I had expected (because sudoedit is a special case string) that it should
not match anything apart from invoking /usr/bin/sudoedit.
This problem was encountered with build 1.6.9p17 of sudo on a Debian Lenny
system. The issue was pointed out by 'slouching' on linuxquestions.org.
He also reported that this problem did not occur on an earlier version
sudo-1.6.8p12-12.el5.
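Two defender-side checks for the behaviour described above, added here as an example and not part of the bug report: one scans sudo syslog records for a real executable named sudoedit being run through sudo, the other lists sudoers entries that rely on the sudoedit pseudo-command and so deserve review on an affected build. The log lines, hostnames and sudoers excerpt are constructed, and the log shape assumes sudo records the genuine pseudo-command as the bare word "sudoedit" but a real program by its resolved absolute path.

```python
import re

# Constructed sample lines in the shape of sudo's syslog records (assumption:
# the genuine sudoedit pseudo-command is logged as the bare word "sudoedit",
# while any real executable is logged by its resolved absolute path).
SAMPLE_LOG = """\
Mar  1 10:00:01 host1 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=sudoedit /etc/network/interfaces
Mar  1 10:00:09 host1 sudo:    user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/home/user1/sudoedit /etc/network/interfaces
Mar  1 10:01:00 host1 sudo:    user2 : TTY=pts/1 ; PWD=/home/user2 ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

# Constructed sudoers excerpt mirroring the grant in the report.
SAMPLE_SUDOERS = """\
user1 ALL = sudoedit /etc/network/interfaces
user2 ALL = /usr/bin/apt-get
"""

LOG_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>\S+)")

def suspicious_sudoedit(line):
    """Return (user, path) when a real executable named 'sudoedit' was run via sudo, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    if cmd == "sudoedit":                      # the built-in pseudo-command: expected
        return None
    if cmd.rsplit("/", 1)[-1] == "sudoedit":   # e.g. /home/user1/sudoedit run as root
        return (m.group("user"), cmd)
    return None

def scan_log(log_text):
    """All suspicious sudoedit executions found in the log text."""
    hits = (suspicious_sudoedit(l) for l in log_text.splitlines())
    return [h for h in hits if h]

def sudoedit_grants(sudoers_text):
    """Users whose entries use the sudoedit pseudo-command (the grants to review on an affected sudo)."""
    users = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, cmnds = line.partition("=")
        if re.search(r"(^|[\s,])sudoedit\b", cmnds):
            users.append(spec.split()[0])
    return users
```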
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.30-bpo.1-686 (SMP w/1 CPU core)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=ANSI_X3.4-1968)
(ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash
Versions of packages sudo depends on:
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
sudo recommends no packages.
sudo suggests no packages.
-- no debconf information