September 15, 2004
A flaw exists in sudo's -e option (aka sudoedit) in sudo version
1.6.8 that can give an attacker read permission to a file that would
otherwise be unreadable.
Sudo versions affected:
While sudoedit runs the actual editor as the invoking user, the
temporary file is then re-opened with root privileges. An attacker
can run sudoedit, remove the editor temporary file, make a link to
an unreadable file with the same name as the old temporary file
and quit the editor. The file being edited via sudoedit will now
contain a copy of the previously unreadable file.
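
The following is an added example, not sudo's code and not the change made in 1.6.8p1: a by-name re-open of the editor temporary file next to one that rejects a swapped-in link. The function names, the demo paths and the choice of checks (O_NOFOLLOW, regular file, owned by the invoking user, link count of one) are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": re-open the editor temp file by name. When the caller is
 * privileged, open() follows whatever link now sits at that path. */
int reopen_naive(const char *path)
{
    return open(path, O_RDONLY);
}

/* "After": accept only a singly linked regular file owned by the invoking
 * user. The checks use fstat() on the descriptor, so the object checked is
 * the object that is later read. Returns an fd, or -1 on refusal. */
int reopen_checked(const char *path, uid_t user)
{
    struct stat sb;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);

    if (fd == -1)
        return -1;                      /* missing, or a symlink (ELOOP) */
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode) ||
        sb.st_uid != user || sb.st_nlink != 1) {
        close(fd);                      /* hard link, wrong owner, FIFO, ... */
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed demo: "other" stands in for the unreadable file. */
    char other[] = "/tmp/demo_other_XXXXXX", tmp[] = "/tmp/demo_edit_XXXXXX";
    int a = mkstemp(other), b = mkstemp(tmp);

    if (a == -1 || b == -1)
        return 1;
    close(a); close(b);
    unlink(tmp);
    if (symlink(other, tmp) == -1)      /* temp name now points elsewhere */
        return 1;
    printf("naive: %s, checked: %s\n",
           reopen_naive(tmp) != -1 ? "opened" : "refused",
           reopen_checked(tmp, getuid()) != -1 ? "opened" : "refused");
    unlink(tmp); unlink(other);
    return 0;
}
```

An editor that saves by writing a new file and renaming it over the old one still passes these checks, since the result is a fresh regular file owned by the user.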
Exploitation of the bug requires that the sudoers file be configured
to allow the attacker to run sudoedit. If no users have been granted
access to sudoedit there is no impact.
The bug is fixed in sudo 1.6.8p1.
This problem was brought to my attention by Reznic Valery.