[10784] in bugtraq
Re: unneeded information in sudo
daemon@ATHENA.MIT.EDU (Randy Mclean)
Thu Jun 10 14:44:21 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <4.1.19990609135536.00a6f9d0@209.197.196.98>
Date: Wed, 9 Jun 1999 14:12:53 -0500
Reply-To: Randy Mclean <rmclean@NATDOOR.COM>
From: Randy Mclean <rmclean@NATDOOR.COM>
X-To: Bencsath Boldizsar <boldi@BUDAPEST.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9906082113100.25130-100000@sas.fph.hu>
Well I just verified it on FreeBSD. I guess sudo checks if a file exists
before it checks the sudoers list. The fact that sudo is suid, it dose have
access to check the entire system for files. It seems to me that this is a
SLIGHT bug. Even if someone wanted to find the contents of the directory
there would basically have to try file name at random or run a program to
try different letter combinations. In either case the system will send
messages to root with the list of users who attempt to use sudo and who
aren�t privileged to use sudo. Also couldn�t you just change the
permissions on the files so normal user couldn't access the files anyhow?
At 09:23 PM 6/8/99 +0200, Bencsath Boldizsar wrote:
>Sudo (debian , v1.5.6p2-2) tells anyone if a file exists or not. It's not
>a very big problem, but when i set a directory _not_ accessible to anyone
>but root, I want to make sure, nobody knows what files are in it.
>Both executable and not executables- if there is no file: No such file or
>directory, if it exists: permission denied if not executable, You are not
>in sudoers if executable.
>
>
>> ls -la a
>total 4
>drwx------ 2 root root 1024 Jun 8 21:25 .
>drwx------ 7 root root 1024 Jun 8 21:22 ..
>-rwxr-xr-x 1 root root 1363 Jun 8 21:23 doit
>> su - alias
>No directory, logging in with HOME=/
>$ /root/a/doit
>su: /root/a/doit: Permission denied
>$ /root/a/doit2
>su: /root/a/doit2: Permission denied
>$ sudo /root/a/doit
>alias is not in the sudoers file. This incident will be reported.
>
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>$ dpkg -l sudo
>...
>||/ Name Version Description
>+++-===============-==============-========================================
====
>ii sudo 1.5.6p2-2 Provides limited super user privileges
>
>> chmod a-x /root/a/doit
>> su - alias
>No directory, logging in with HOME=/
>$ sudo /root/a/doit
>sudo: /root/a/doit: Permission denied
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>
>
>boldi
--
Randy Mclean
Security/Network Administrator
rmclean@natdoor.com
