Bug 616

Summary: If a user can change the clock and sudo has previously been run, they can escalate without typing their password.
Product: Sudo Reporter: tntc.tig
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: security CC: meklu
Priority: normal    
Version: 1.8.7   
Hardware: All   
OS: All   

Description tntc.tig 2013-09-08 14:11:17 MDT 
On OS X and Ubuntu, the clock is not locked by default. This means that if an admin has escalated with sudo in the past, someone could change the clock back to the time/date when they escalated last, then run sudo without needing a password.

Sudo should probably use a monotonic clock.

See ubuntu bug #1219337 for reference.
Comment 1 tntc.tig 2013-09-08 14:22:20 MDT 
For reference, we discussed this on the following reddit thread:
http://www.reddit.com/r/linux/comments/1lyev4/is_your_clock_locked/
Comment 2 Todd C. Miller 2013-09-08 16:03:33 MDT 
Sudo should probably use clock_gettime() with CLOCK_MONOTONIC where possible.  I'll take a look at doing this for sudo 1.8.9.
Comment 3 tntc.tig 2013-09-08 16:32:37 MDT 
(In reply to Todd C Miller from comment #2)
> Sudo should probably use clock_gettime() with CLOCK_MONOTONIC where
> possible.  I'll take a look at doing this for sudo 1.8.9.

Thanks Todd! You rock!
Comment 4 Melker Narikka 2013-09-08 18:19:39 MDT 
 The CLOCK_MONOTONIC clock is affected by NTP adjustments and adjtime, which may potentially cause some issues. CLOCK_MONOTONIC_RAW on Linux however is thankfully not adjustable, so it might be more desirable in this case. A common culprit with the two is that the clock doesn't increment when the system is suspended.

CLOCK_BOOTTIME (introduced in Linux 2.6.39, don't know of a Darwin/BSD equivalent) however, does increment but otherwise has the same issues as plain CLOCK_MONOTONIC. If only CLOCK_BOOTTIME_RAW were a thing. :(
Comment 5 Todd C. Miller 2013-09-09 15:21:20 MDT 
I'm not too concerned with adjtime() changing the clock as it can only move forward incrementally.

One problem with using CLOCK_MONOTONIC, CLOCK_MONOTONIC_RAW and CLOCK_BOOTTIME is we lose the ability to detect time stamps that predate the system booting.  The user's session ID is now stored in the time stamp file which helps, but it would still be possible to reboot, log in repeatedly until you get the matching session, and then be able to use sudo without entering a password.

This argues for moving the time stamps back to /var/run (or similar) and storing the lecture status somewhere else.
Comment 6 tntc.tig 2013-09-09 19:24:47 MDT 
> The user's session ID is now stored in
> the time stamp file which helps, but it would still be possible to
> reboot, log in repeatedly until you get the matching session, and
> then be able to use sudo without entering a password.

Rebooting? Pff. You can read auth.log, which happens to store the session ID and the PTY. Why not just launch terminals with setsid to generate new sids until you match the right one from auth.log? Then you can just launch new terminals until you match the PTY. Or you need to do it the other way maybe. On Ubuntu, for example, setsid is installed by default. 

Hell, on OS X right now, they don't even create the files with the SIDs, they just use the timestamp on the FOLDER /var/db/<username>.

(OS X Lion has 1.7.4p6, and the version of OS X I'm running has version 1.7.10p7)
Comment 7 tntc.tig 2014-01-26 12:50:01 MST 
Any updates on this one? I see 1.8.9 is out, but no mention of a fix. Is there anything I can do to further help out?
Comment 8 Todd C. Miller 2014-01-26 14:15:29 MST 
Due to a large number of internal changes in sudo 1.8.9 this got pushed back to 1.8.10.  I'll update this bug when there is a version available for testing.
Comment 9 Todd C. Miller 2014-01-30 16:03:32 MST 
I've just committed code to use a new timestamp format, http://www.sudo.ws/repos/sudo/rev/7e16eb37bacc

I'll probably make a beta version of sudo 1.8.10 available with this change soon but you can checkout and try sudo trunk to get the changes now if you'd like.  Annoyingly Mac OS X lacks clock_gettime() but it is possible to get at the monotonic timers via mach calls.
Comment 10 Todd C. Miller 2014-02-02 13:21:03 MST 
The first beta of sudo 1.8.10 is available: http://www.sudo.ws/devel.html#1.8.10b1
Comment 11 tntc.tig 2014-02-02 18:17:28 MST 
(In reply to Todd C Miller from comment #10)
> The first beta of sudo 1.8.10 is available:
> http://www.sudo.ws/devel.html#1.8.10b1

Yeah man! That did it! Just tested it on OS X 10.9! Excellent!
Comment 12 tntc.tig 2014-02-02 18:35:09 MST 
(In reply to Todd C Miller from comment #10)
> The first beta of sudo 1.8.10 is available:
> http://www.sudo.ws/devel.html#1.8.10b1

Also adding a video of it working. Thanks again!

http://www.youtube.com/watch?v=NdJezFasyso
Comment 13 Todd C. Miller 2014-03-10 10:37:21 MDT 
Fixed in sudo 1.8.10, out now.
Comment 14 tntc.tig 2014-03-10 20:11:22 MDT 
(In reply to Todd C Miller from comment #13)
> Fixed in sudo 1.8.10, out now.

Awesome! Thanks Todd! You rock!