[10784] in bugtraq


Re: unneeded information in sudo

daemon@ATHENA.MIT.EDU (Randy Mclean)
Thu Jun 10 14:44:21 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <4.1.19990609135536.00a6f9d0@209.197.196.98>
Date: Wed, 9 Jun 1999 14:12:53 -0500
Reply-To: Randy Mclean <rmclean@NATDOOR.COM>
From: Randy Mclean <rmclean@NATDOOR.COM>
X-To: Bencsath Boldizsar <boldi@BUDAPEST.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.4.10.9906082113100.25130-100000@sas.fph.hu>

Well, I just verified it on FreeBSD. I guess sudo checks if a file exists
before it checks the sudoers list. The fact that sudo is suid means it does
have access to check the entire system for files. It seems to me that this is
a SLIGHT bug. Even if someone wanted to find the contents of the directory,
they would basically have to try file names at random or run a program to
try different letter combinations. In either case the system will send
messages to root with the list of users who attempt to use sudo and who
aren't privileged to use sudo. Also, couldn't you just change the
permissions on the files so a normal user couldn't access the files anyhow?

At 09:23 PM 6/8/99 +0200, Bencsath Boldizsar wrote:
>Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not
>a very big problem, but when I set a directory _not_ accessible to anyone
>but root, I want to make sure nobody knows what files are in it.
>Both executables and non-executables: if there is no file, "No such file or
>directory"; if it exists, "permission denied" if not executable, "You are not
>in sudoers" if executable.
>
>
>> ls -la a
>total 4
>drwx------   2 root     root         1024 Jun  8 21:25 .
>drwx------   7 root     root         1024 Jun  8 21:22 ..
>-rwxr-xr-x   1 root     root         1363 Jun  8 21:23 doit
>> su - alias
>No directory, logging in with HOME=/
>$ /root/a/doit
>su: /root/a/doit: Permission denied
>$ /root/a/doit2
>su: /root/a/doit2: Permission denied
>$ sudo /root/a/doit
>alias is not in the sudoers file.  This incident will be reported.
>
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>$ dpkg -l sudo
>...
>||/ Name            Version        Description
>+++-===============-==============-============================================
>ii  sudo            1.5.6p2-2      Provides limited super user privileges
>
>> chmod a-x /root/a/doit
>> su - alias
>No directory, logging in with HOME=/
>$ sudo /root/a/doit
>sudo: /root/a/doit: Permission denied
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>
>
>boldi

--
Randy Mclean
Security/Network Administrator
rmclean@natdoor.com
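The ordering behaviour the thread describes, as an added illustration that is not part of the original post or of sudo's source: a privileged checker that stats the target before consulting the policy (the leak Boldizsar observed, as Randy guesses its cause) beside one that decides policy first and gives unauthorised callers a single fixed answer. The function names and the temp-file fixture standing in for /root/a/doit are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Ordering seen in the thread: the privileged program examines the target
 * before deciding whether the caller may use sudo at all, so each error
 * message answers a question an unauthorised user should not be able to ask. */
const char *check_leaky(const char *path, int in_sudoers)
{
    struct stat st;
    if (stat(path, &st) != 0)               /* runs as root: sees every path */
        return "No such file or directory"; /* reveals: absent */
    if (!(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return "Permission denied";         /* reveals: present, not executable */
    if (!in_sudoers)
        return "not in the sudoers file";   /* reveals: present and executable */
    return "ok";
}

/* Hardened ordering: decide policy first, with one fixed answer for callers
 * not in sudoers; only an authorised caller gets filesystem-derived errors. */
const char *check_fixed(const char *path, int in_sudoers)
{
    struct stat st;
    if (!in_sudoers)
        return "not in the sudoers file";   /* identical whatever 'path' is */
    if (stat(path, &st) != 0)
        return "No such file or directory";
    if (!(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return "Permission denied";
    return "ok";
}

/* 1 if an unauthorised caller sees the same text for an existing and a
 * missing path (no existence oracle), else 0. */
int no_oracle(const char *(*check)(const char *, int),
              const char *existing, const char *missing)
{
    return strcmp(check(existing, 0), check(missing, 0)) == 0;
}

/* Constructed fixture: a non-executable temp file standing in for /root/a/doit. */
const char *fixture_existing(void)
{
    static char path[] = "/tmp/sudo-oracle-XXXXXX";
    static int fd = -1;
    if (fd < 0 && (fd = mkstemp(path)) >= 0)  /* mode 0600: exists, no x bit */
        close(fd);
    return fd < 0 ? NULL : path;
}
```

Running `no_oracle` over both checkers with the fixture and a path that does not exist returns 0 for the leaky ordering and 1 for the fixed one; the fixture file should be unlinked afterwards.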
