Bug 23

Summary: Root passwd vulnerable to change.
Product: Sudo
Reporter: aaron
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: normal
Version: 1.6.3
Hardware: All
OS: All

Description aaron 2001-01-21 14:22:53 MST
Tested on i386 linux RH 6.1 & 6.2.

If a user has /usr/bin/passwd as an allowed command then a user can change the
root passwd by typing

"sudo passwd"

and then entering a passwd.  Adding lines like !/usr/bin/passwd root to the
sudoers file does not change this behaviour.  Sudo SHOULD change the user's
passwd by default if no user is specified.

Comment 1 Todd C. Miller 2001-01-21 15:15:59 MST
This is not a bug in sudo.  If you don't want a user to be able to change root's
password then don't give them access to /usr/bin/passwd or restrict them to running
it with an argument (that is not "root").
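
Added example, not part of the bug report or of sudo's own code: a simplified Python model of sudoers command matching (a bare path matches any arguments, `""` matches only an empty argument list, argument patterns are glob-matched, and the last matching entry wins), applied to the rule set from the report and to an argument-restricted one along the lines of Comment 1. The function names and both rule lists are constructed for illustration.

```python
from fnmatch import fnmatchcase

PASSWD = "/usr/bin/passwd"

def spec_matches(spec, argv):
    """True if one sudoers command spec (no leading '!') matches argv."""
    path, _, spec_args = spec.partition(" ")
    if path != argv[0]:
        return False
    spec_args = spec_args.strip()
    if spec_args == "":        # bare path: any arguments, including none
        return True
    if spec_args == '""':      # explicit "": only an empty argument list
        return len(argv) == 1
    # Otherwise the joined argument string is matched as a shell-style glob.
    return fnmatchcase(" ".join(argv[1:]), spec_args)

def allowed(cmnd_list, argv):
    """Walk the entries in order; the last entry that matches decides."""
    verdict = False
    for entry in cmnd_list:
        negated = entry.startswith("!")
        if spec_matches(entry.lstrip("!").strip(), argv):
            verdict = not negated
    return verdict

# Constructed rule sets (assumptions, not copied from any real sudoers file).
# AS_REPORTED: passwd allowed with any arguments, plus the negation from the report.
AS_REPORTED = [PASSWD, "!" + PASSWD + " root"]
# RESTRICTED: passwd allowed only with an argument, and that argument is not "root".
RESTRICTED = [PASSWD + " [A-Za-z]*", "!" + PASSWD + " root"]

def root_password_reachable(cmnd_list):
    """passwd run as root with no argument, or with 'root', changes root's password."""
    return allowed(cmnd_list, [PASSWD]) or allowed(cmnd_list, [PASSWD, "root"])

if __name__ == "__main__":
    for name, rules in (("as reported", AS_REPORTED), ("restricted", RESTRICTED)):
        print(name, "-> root password reachable:", root_password_reachable(rules))
```

In the reported rule set the negation only covers `passwd root`, so the argument-less invocation still matches the bare path entry; requiring an argument closes that case.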