Release Date:
September 7, 2010
Summary:
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Sudo versions affected:
Sudo 1.7.0 through 1.7.4p3.
CVE ID:
This vulnerability has been assigned CVE-2010-2956 in the Common Vulnerabilities and Exposures database.
Details:
It is possible to specify a list of users and groups that a command may be run as in a sudoers file entry. For example, given the following sudoers entry:
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
user millert may run /usr/bin/lpq, /usr/bin/lprm or /usr/bin/lpc as user lp, group operator or some combination thereof. In this case, the following would all be allowed.
$ sudo -g operator /usr/bin/lpc
$ sudo -u lp /usr/bin/lprm
$ sudo -g operator -u lp /usr/bin/lpq
However, due to a flaw in the matching logic, it is possible for millert to run a listed command as any user so long as an allowed group is also specified. For instance,
$ sudo -g operator -u root /usr/bin/lpq
would be allowed, even though the user should not have permission to run commands as root.
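To make the matching flaw concrete, here is a small added model of Runas matching written for this advisory; it is not sudo's own code, and POLICY, _lookup and _requested_user are constructed names. It places the flawed check beside the corrected one over the advisory's example entry, so the -g operator -u root case can be seen passing the first and failing the second.

```python
# Simplified model of sudoers Runas matching for this advisory (assumption:
# this is illustrative code, not sudo's own). POLICY mirrors the entry
#   millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
POLICY = {
    "millert": {
        "runas_users": {"lp"},
        "runas_groups": {"operator"},
        "commands": {"/usr/bin/lpq", "/usr/bin/lprm", "/usr/bin/lpc"},
    },
}

def _lookup(invoking_user, command):
    """Return the entry covering this user/command pair, or None if unlisted."""
    entry = POLICY.get(invoking_user)
    if entry is None or command not in entry["commands"]:
        return None
    return entry

def _requested_user(runas_user, runas_group):
    """sudo defaults: no -u and no -g targets root; -g alone keeps the invoking user."""
    if runas_user is None and runas_group is None:
        return "root"
    return runas_user

def runas_matches_vulnerable(invoking_user, command, runas_user=None, runas_group=None):
    """Flawed logic modelled on sudo 1.7.0 through 1.7.4p3: an allowed -g
    group is treated as also satisfying the Runas user check, so any -u
    value is accepted alongside it."""
    entry = _lookup(invoking_user, command)
    if entry is None:
        return False
    user = _requested_user(runas_user, runas_group)
    user_ok = user is None or user in entry["runas_users"]
    if runas_group is not None:
        if runas_group not in entry["runas_groups"]:
            return False
        user_ok = True  # the flaw: a group match overrides the user result
    return user_ok

def runas_matches_fixed(invoking_user, command, runas_user=None, runas_group=None):
    """Corrected logic: user and group are checked independently; both must pass."""
    entry = _lookup(invoking_user, command)
    if entry is None:
        return False
    user = _requested_user(runas_user, runas_group)
    user_ok = user is None or user in entry["runas_users"]
    group_ok = runas_group is None or runas_group in entry["runas_groups"]
    return user_ok and group_ok
```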
Impact:
Exploitation of the flaw requires that Sudo be configured with
sudoers entries that contain a Runas group. Entries that do not
contain a Runas group, or only contain a Runas user are not affected.
For example, the following entry is affected because it contains
both a Runas user and a Runas group:
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
Whereas this one only contains a Runas user and is not affected:
millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
Fix:
The flaw is fixed in sudo 1.7.4p4.
Credit:
I would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue via Red Hat.