[2258] in linux-security and linux-alert archive


[linux-security] Re: security hole in sudo allows users full access

daemon@ATHENA.MIT.EDU (Cy Schubert - ITSD Open Systems Gr)
Sun Nov 14 11:53:28 1999

Message-Id: <199911131641.IAA00700@cwsys.cwsent.com>
Reply-to: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Wade Maxfield <maxfield@ctelcom.net>
cc: linux-security@redhat.com
In-reply-to: Your message of "Thu, 11 Nov 1999 21:38:21 CST."
             <Pine.LNX.4.10.9911112126510.13656-100000@one.ctelcom.net> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sat, 13 Nov 1999 08:40:49 -0800
Resent-From: linux-security@redhat.com


In message <Pine.LNX.4.10.9911112126510.13656-100000@one.ctelcom.net>,
Wade Maxfield writes:
> 
>   While sudo is used to give fairly trusted users the ability to run
> programs with root privs, there exists a hole in the one in the RedHat 
> contrib directory (sudo 1.5.9.p4) which allows a minimally trusted user to
> obtain full root access and privilege.
> 
>   If a user is given the opportunity to run any program, that user can
> fool sudo and obtain any level of privilege for any executable.
> 
>   Assume the user can run "/bin/treport" as listed in the sudoers file.
> (The actual program name does not matter.)
> 
>   The user copies /bin/vi to ./treport (assuming the user is in a
> directory in which he has write and execute priv.) The user then executes
> the following line:
> 
> sudo ./treport /etc/shadow
> 
>   vi is executed with root privilege and shadow is opened. The full path
> of treport is not required.  The correct path of treport is not required.
> 
>   This program should be restricted only to _very_ trusted users in the
> meantime.

To fix this, reconfigure sudo with --with-ignore-dot or 
--with-secure-path.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Sun/DEC Team, UNIX Group    Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"
