Public bug reported: Hi,
As part of the Ubuntu Core 20, if a developer creates a user named either admin or Admin, it will have root privileges by default. I think that this is a security issue but it requires input from the security engineers/specialists. Basically, if you look at the sudoers file under `/etc/sudoers`, you will realize the following line; ``` # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL ``` And if someone creates a user by using admin as name, the system provide root privilege. ``` sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin iotuc@ubuntu:~$ su Admin Password: Admin@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers [sudo] password for Admin: # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d Admin@ubuntu:/home/iotuc$ ``` Similarly, if I create a username called aydogar, it does not have root privilege and this is expected. ``` sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar iotuc@ubuntu:~$ su aydogar Password: aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers [sudo] password for aydogar: aydogar is not in the sudoers file. This incident will be reported. aydogar@ubuntu:/home/iotuc$ ``` I think, this is a bug but would love here other ideas and inputs. ** Affects: sudo (Ubuntu) Importance: Undecided Status: New ** Description changed: Hi, - As part of the Ubuntu Core 20.04, if a developer creates a user named + As part of the Ubuntu Core 20, if a developer creates a user named either admin or Admin, it will have root privileges by default. I think that this is a security issue but it requires input from the security engineers/specialists. Basically, if you look at the sudoers file under `/etc/sudoers`, you will realize the following line; ``` # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL ``` - And if someone creates a user by using admin as name, the system provide root privilege. - + And if someone creates a user by using admin as name, the system provide + root privilege. + ``` sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin iotuc@ubuntu:~$ su Admin - Password: + Password: Admin@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers - [sudo] password for Admin: + [sudo] password for Admin: # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d - Admin@ubuntu:/home/iotuc$ + Admin@ubuntu:/home/iotuc$ ``` Similarly, if I create a username called aydogar, it does not have root privilege and this is expected. ``` sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar iotuc@ubuntu:~$ su aydogar - Password: + Password: aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers - [sudo] password for aydogar: + [sudo] password for aydogar: aydogar is not in the sudoers file. This incident will be reported. - aydogar@ubuntu:/home/iotuc$ + aydogar@ubuntu:/home/iotuc$ ``` I think, this is a bug but would love here other ideas and inputs. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to sudo in Ubuntu. https://bugs.launchpad.net/bugs/2027581 Title: useradd will grand root privileges for admin user Status in sudo package in Ubuntu: New Bug description: Hi, As part of the Ubuntu Core 20, if a developer creates a user named either admin or Admin, it will have root privileges by default. I think that this is a security issue but it requires input from the security engineers/specialists. Basically, if you look at the sudoers file under `/etc/sudoers`, you will realize the following line; ``` # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL ``` And if someone creates a user by using admin as name, the system provide root privilege. ``` sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin iotuc@ubuntu:~$ su Admin Password: Admin@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers [sudo] password for Admin: # # This file MUST be edited with the 'visudo' command as root. # # Please consider adding local content in /etc/sudoers.d/ instead of # directly modifying this file. # # See the man page for details on how to write a sudoers file. # Defaults env_reset Defaults mail_badpass Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin" # Host alias specification # User alias specification # Cmnd alias specification # User privilege specification root ALL=(ALL:ALL) ALL # Members of the admin group may gain root privileges %admin ALL=(ALL) ALL # Allow members of group sudo to execute any command %sudo ALL=(ALL:ALL) ALL # See sudoers(5) for more information on "#include" directives: #includedir /etc/sudoers.d Admin@ubuntu:/home/iotuc$ ``` Similarly, if I create a username called aydogar, it does not have root privilege and this is expected. ``` sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar iotuc@ubuntu:~$ su aydogar Password: aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers cat: /etc/sudoers: Permission denied aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers [sudo] password for aydogar: aydogar is not in the sudoers file. This incident will be reported. aydogar@ubuntu:/home/iotuc$ ``` I think, this is a bug but would love here other ideas and inputs. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2027581/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp