I'm a little surprised this got a CVE number to be honest; allowing users to edit files via some privileged mechanism when they may control some portion of the filesystem under consideration is always going to be dangerous.
sudo cannot actually prevent this -- for example, the patch for this issue http://www.sudo.ws/repos/sudo/rev/9636fd256325 (look for the sudo_edit.c hunk) just uses O_NOFOLLOW to try to mitigate this issue: +#ifdef O_NOFOLLOW +static int +sudo_edit_open(const char *path, int oflags, mode_t mode, int sflags) +{ + if (!ISSET(sflags, CD_SUDOEDIT_FOLLOW)) + oflags |= O_NOFOLLOW; + return open(path, oflags, mode); +} +#else But O_NOFOLLOW only functions on the final component of a pathname, so you can still edit e.g. /etc/shadow if you create a symlink "ln -s /etc etc". I'm pretty sure the sudo patch is more or less worthless; here's a far simpler program to test with: | #include <sys/types.h> | #include <sys/stat.h> | #include <fcntl.h> | #include <stdio.h> | | int main(int argc, char* argv[]) { | int fd; | int err = 0; | int i; | | for (i=0; i<argc; i++) { | fd = open(argv[i], O_RDONLY | O_NOFOLLOW); | if (fd < 0) { | fprintf(stderr, "open %s failed: %m\n", argv[i]); | err++; | } else { | close(fd); | } | } | | return err; | } (Sorry for the pipes, launchpad collapsed all the spacing, making it illegible.) $ make o_nofollow cc o_nofollow.c -o o_nofollow $ mkdir tests $ cd tests $ ln -s /etc etc $ ln -s /etc/passwd passwd $ ln -s /etc/shadow shadow $ ../o_nofollow /etc/passwd /etc/shadow ./etc/passwd ./etc/shadow ./passwd ./shadow open /etc/shadow failed: Permission denied open ./etc/shadow failed: Permission denied open ./passwd failed: Too many levels of symbolic links open ./shadow failed: Too many levels of symbolic links $ Note that opening ./etc/passwd succeeded here because ./etc is a symlink to /etc and O_NOFOLLOW does not prevent this. The #else portion of the code may be fine, I haven't studied it extensively, so there may be some way to salvage the patch. But I suspect it's never going to be perfect. Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/1512781 Title: CVE-2015-5602 - Unauthorized Privilege Escalation Status in sudo package in Ubuntu: Confirmed Status in sudo source package in Precise: Confirmed Status in sudo source package in Trusty: Confirmed Status in sudo source package in Vivid: Confirmed Status in sudo source package in Wily: Confirmed Status in sudo source package in Xenial: Confirmed Bug description: https://www.exploit-db.com/exploits/37710/ As descpribed in the link above, sudo versions lower or equal than 1.8.14 have a security issue: user with root access to a path with more than one wildcard can access forbidden files such as /etc/shadow, because sudoedit (sudo -e) does not verifiy full path of accessed file: (quote from link above) It seems that sudoedit does not check the full path if a wildcard is used twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the file.txt real file with a symbolic link to a different location (e.g. /etc/shadow). As an expample, 1. Give user `usr' right to edit some his files: usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt 2. Under usr, create ~/temp directory, and then create a symblink ~/temp/test.txt to /etc/shadow 3. Perform sudoedit ~/temp/test.txt - you will able to access /etc/shadow. What realease is affected: tested on all supported now Ubuntu versions. For personaly me, it's 14.04 LTS. What version is affected: as mentioned, all versions <=1.8.14. For personally me, it's 1.8.9p5 What was expected and happend instead: sudoedit should check full real path, but it didn't. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/1512781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp