[Touch-packages] [Bug 2027581] [NEW] useradd will grand root privileges for admin user

Bugra Aydogar Wed, 12 Jul 2023 06:35:54 -0700

Public bug reported:

Hi,


As part of the Ubuntu Core 20, if a developer creates a user named
either admin or Admin, it will have  root privileges by default. I think
that this is a security issue but it requires input from the security
engineers/specialists.

Basically, if you look at the sudoers file under `/etc/sudoers`, you
will realize the following line;

```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```

And if someone creates a user by using admin as name, the system provide
root privilege.

```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc@ubuntu:~$ su Admin
Password:
Admin@ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root    ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo    ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Admin@ubuntu:/home/iotuc$
```

Similarly, if I create a username called aydogar, it does not have root
privilege and this is expected.

```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc@ubuntu:~$ su aydogar
Password:
aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for aydogar:
aydogar is not in the sudoers file.  This incident will be reported.
aydogar@ubuntu:/home/iotuc$
```

I think, this is a bug but would love here other ideas and inputs.

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

** Description changed:

  Hi,
  
- As part of the Ubuntu Core 20.04, if a developer creates a user named
+ As part of the Ubuntu Core 20, if a developer creates a user named
  either admin or Admin, it will have  root privileges by default. I think
  that this is a security issue but it requires input from the security
  engineers/specialists.
  
  Basically, if you look at the sudoers file under `/etc/sudoers`, you
  will realize the following line;
  
  ```
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  ```
  
- And if someone creates a user by using admin as name, the system provide root 
privilege. 
-  
+ And if someone creates a user by using admin as name, the system provide
+ root privilege.
+ 
  ```
  sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
  iotuc@ubuntu:~$ su Admin
- Password: 
+ Password:
  Admin@ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
- [sudo] password for Admin: 
+ [sudo] password for Admin:
  #
  # This file MUST be edited with the 'visudo' command as root.
  #
  # Please consider adding local content in /etc/sudoers.d/ instead of
  # directly modifying this file.
  #
  # See the man page for details on how to write a sudoers file.
  #
  Defaults    env_reset
  Defaults    mail_badpass
  Defaults    
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
  # Host alias specification
  # User alias specification
  # Cmnd alias specification
  # User privilege specification
  root    ALL=(ALL:ALL) ALL
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  # Allow members of group sudo to execute any command
  %sudo    ALL=(ALL:ALL) ALL
  # See sudoers(5) for more information on "#include" directives:
  #includedir /etc/sudoers.d
- Admin@ubuntu:/home/iotuc$ 
+ Admin@ubuntu:/home/iotuc$
  ```
  
  Similarly, if I create a username called aydogar, it does not have root
  privilege and this is expected.
  
  ```
  sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
  iotuc@ubuntu:~$ su aydogar
- Password: 
+ Password:
  aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
- [sudo] password for aydogar: 
+ [sudo] password for aydogar:
  aydogar is not in the sudoers file.  This incident will be reported.
- aydogar@ubuntu:/home/iotuc$ 
+ aydogar@ubuntu:/home/iotuc$
  ```
  
  I think, this is a bug but would love here other ideas and inputs.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2027581

Title:
  useradd will grand root privileges  for admin user

Status in sudo package in Ubuntu:
  New

Bug description:
  Hi,

  As part of the Ubuntu Core 20, if a developer creates a user named
  either admin or Admin, it will have  root privileges by default. I
  think that this is a security issue but it requires input from the
  security engineers/specialists.

  Basically, if you look at the sudoers file under `/etc/sudoers`, you
  will realize the following line;

  ```
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  ```

  And if someone creates a user by using admin as name, the system
  provide root privilege.

  ```
  sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
  iotuc@ubuntu:~$ su Admin
  Password:
  Admin@ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
  [sudo] password for Admin:
  #
  # This file MUST be edited with the 'visudo' command as root.
  #
  # Please consider adding local content in /etc/sudoers.d/ instead of
  # directly modifying this file.
  #
  # See the man page for details on how to write a sudoers file.
  #
  Defaults    env_reset
  Defaults    mail_badpass
  Defaults    
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
  # Host alias specification
  # User alias specification
  # Cmnd alias specification
  # User privilege specification
  root    ALL=(ALL:ALL) ALL
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  # Allow members of group sudo to execute any command
  %sudo    ALL=(ALL:ALL) ALL
  # See sudoers(5) for more information on "#include" directives:
  #includedir /etc/sudoers.d
  Admin@ubuntu:/home/iotuc$
  ```

  Similarly, if I create a username called aydogar, it does not have
  root privilege and this is expected.

  ```
  sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
  iotuc@ubuntu:~$ su aydogar
  Password:
  aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
  [sudo] password for aydogar:
  aydogar is not in the sudoers file.  This incident will be reported.
  aydogar@ubuntu:/home/iotuc$
  ```

  I think, this is a bug but would love here other ideas and inputs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2027581/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 2027581] [NEW] useradd will grand root privileges for admin user

Reply via email to