Bug 389

Summary: sudoedit permission in sudoers grants permission to any sudoedit executables
Product: Sudo
Reporter: neonsignal <neonsignal-sudo>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: security
Priority: low
Version: 1.6.9
Hardware: PC
OS: Linux

Description neonsignal 2010-01-29 02:47:53 MST
My understanding is that permission to sudoedit is granted by a line in the sudoer file like this:

   user1 ALL = sudoedit /etc/network/interfaces

This works as expected (because the string sudoedit is a special case), e.g.

   user1@host1:~$ sudoedit /etc/network/interfaces

However, it also appears to grant access to sudo any executable called 'sudoedit' (if the appropriate parameters are passed in). For example, a user executable in the home directory called sudoedit:

   #!/bin/sh
   whoami

can be invoked using

   user1@host1:~$ sudo ./sudoedit /etc/network/interfaces

I had expected that, because sudoedit is a special-case string, it should not match anything apart from invoking /usr/bin/sudoedit.

This problem was encountered with build 1.6.9p17 of sudo on a Debian Lenny system. The issue was pointed out to me by Glenn Waller (Brisbane, Australia).
Comment 1 neonsignal 2010-01-29 19:30:09 MST
A test by a colleague of the original reporter ('slouching' on linuxquestions.org) did not show this problem in an earlier version, sudo-1.6.8p12-12.el5.
Comment 2 Todd C. Miller 2010-02-23 06:47:03 MST
Fixed in sudo 1.7.2p4
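An added audit helper for this report, not code from the bug or from sudo itself: it lists every sudoers rule that grants the sudoedit pseudo-command and returns them for review when the installed sudo predates 1.7.2p4, the release the maintainer names as carrying the fix (conservatively, any older build counts). The sudoers parsing is a simplified, assumed reading of the `user host = (runas) TAG: commands` form, and the sample policy is constructed.

```python
import re

FIXED_VERSION = "1.7.2p4"  # from the report: "Fixed in sudo 1.7.2p4"
NON_RULES = ("Defaults", "User_Alias", "Host_Alias", "Cmnd_Alias", "Runas_Alias")

def parse_sudo_version(version):
    """'1.6.9p17' -> (1, 6, 9, 17); a missing 'pN' suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())

def predates_fix(version):
    """True when the build is older than the release carrying the fix."""
    return parse_sudo_version(version) < parse_sudo_version(FIXED_VERSION)

def sudoedit_entries(sudoers_text):
    """(user, host, args) for every rule whose command list uses the sudoedit
    pseudo-command; comments, continuations, (runas) groups and tags handled."""
    text = sudoers_text.replace("\\\n", " ")
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line or line.split()[0] in NON_RULES:
            continue
        lhs, rhs = line.split("=", 1)
        parts = lhs.split()
        if len(parts) != 2:          # not a plain 'user host = ...' rule
            continue
        user, host = parts
        for spec in rhs.split(","):
            spec = re.sub(r"^\s*\([^)]*\)\s*", "", spec)  # drop (runas) group
            spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec)   # drop NOPASSWD: etc.
            words = spec.split()
            if words and words[0] == "sudoedit":
                found.append((user, host, " ".join(words[1:])))
    return found

def audit(sudoers_text, sudo_version):
    """sudoedit rules worth reviewing: all of them on a build older than the fix."""
    return sudoedit_entries(sudoers_text) if predates_fix(sudo_version) else []

# Constructed sample policy, not taken from any real host.
SAMPLE_SUDOERS = """\
Cmnd_Alias NET = /sbin/ifup, /sbin/ifdown
user1 ALL = sudoedit /etc/network/interfaces
user2 ALL = (root) NOPASSWD: sudoedit /etc/hosts, \\
    /bin/ls
user3 ALL = NET
"""
```

Running `audit(SAMPLE_SUDOERS, "1.6.9p17")` returns the user1 and user2 rules; on 1.7.2p4 or later it returns an empty list.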