Bug 738

Summary: non-root user can list privileges of other users
Product: Sudo
Reporter: quansitec
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.6
Hardware: PC
OS: Linux

Description quansitec 2016-02-26 07:46:34 MST
Configuration:
- sudo configured with LDAP
- user testuser with non-root privileges

Logged in as user testuser, it is possible to list the sudo privileges of another user (i.e. mike). This behavior is observed only if sudo is configured to use LDAP.

testuser@server ~ $ id
uid=90001(testuser) gid=90000(testgroup) groups=90000(testgroup)
testuser@server ~ $ sudo -l
[sudo] password for testuser:
User testuser is not allowed to run sudo on server.
testuser@server ~ $ sudo -l -U mike
Matching Defaults entries for mike on this host:
    requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
    LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2
    QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
    LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User mike may run the following commands on this host:
    (ALL) ALL
    (ALL) ALL
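A defender-side check derived from the fix versions named later in this thread (1.8.16b2 and the 1.8.16 final release), added here as an example; it is not code from the sudo project or from anyone on this thread. It parses the first line of `sudo -V` output and reports whether the installed sudo is at or past the first version carrying the fix, handling sudo's `b` (beta, before the final release) and `p` (patch release, after the final release) version suffixes. The sample outputs are constructed, and the `1.8.16p1` entry is a hypothetical version used only to exercise the suffix logic.

```python
import re
import subprocess

# Fix versions for sudo bug 738, taken from the comments in this thread:
# the fix first shipped in 1.8.16b2 and is in the 1.8.16 final release.
FIXED_RELEASE = (1, 8, 16)
FIXED_BETA = 2

# First line of `sudo -V` looks like "Sudo version 1.8.16b2" or "Sudo version 1.9.5p2".
# Suffix letters: "b" = beta (precedes the final release), "p" = patch release
# (follows the final release). A version with no suffix is a final release.
_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:([bp])(\d+))?")


def parse_sudo_version(output):
    """Return ((major, minor, patch), suffix_letter, suffix_number) parsed from
    `sudo -V` output, or None if no version line is present. suffix_letter and
    suffix_number are None for a final release."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    release = tuple(int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    number = int(m.group(5)) if m.group(5) is not None else None
    return release, letter, number


def has_fix_for_bug_738(output):
    """True if the sudo described by `output` is at or past the first fixed version."""
    parsed = parse_sudo_version(output)
    if parsed is None:
        raise ValueError("no 'Sudo version' line in: %r" % output)
    release, letter, number = parsed
    if release != FIXED_RELEASE:
        # Different release number: ordinary tuple comparison decides.
        return release > FIXED_RELEASE
    if letter is None or letter == "p":
        # 1.8.16 final, or a 1.8.16pN patch release: both contain the fix.
        return True
    # 1.8.16bN beta: only b2 and later carry the fix.
    return number >= FIXED_BETA


def installed_sudo_has_fix():
    """Run the check against the sudo installed on this host (needs sudo on PATH)."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return has_fix_for_bug_738(out)


# Constructed sample outputs (not captured from any real host).
SAMPLES = {
    "Sudo version 1.8.6\n": False,     # version from this bug's header
    "Sudo version 1.8.16b1\n": False,  # beta released before the fix landed
    "Sudo version 1.8.16b2\n": True,   # first beta with the fix (comment 3)
    "Sudo version 1.8.16\n": True,     # final release (comment 4)
    "Sudo version 1.8.16p1\n": True,   # hypothetical patch release, still fixed
    "Sudo version 1.9.5p2\n": True,    # later release line
}

if __name__ == "__main__":
    for text, expected in SAMPLES.items():
        got = has_fix_for_bug_738(text)
        print("%-24s fixed=%s (expected %s)" % (text.strip(), got, expected))
        assert got == expected
```

Run the script directly to see the sample table, or call `installed_sudo_has_fix()` from an inventory script to flag hosts still on a pre-fix sudo; a `False` result on an LDAP-backed sudo is the condition this bug describes.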

Comment 1 Todd C. Miller 2016-02-26 09:33:30 MST
Thanks for the report. I've just fixed this in https://www.sudo.ws/repos/sudo/rev/e8ed706fda03

The fix will be in the next sudo 1.8.16 beta, 1.8.16b2.

Comment 2 quansitec 2016-02-26 09:48:07 MST
Todd,

Super fast response.
Many thanks

Cosmin

Comment 3 Todd C. Miller 2016-02-29 16:03:02 MST
Sudo 1.8.16b2 is now available which includes the fix.

Comment 4 Todd C. Miller 2016-03-17 10:17:16 MDT
Fixed in 1.8.16, available now.