Bug 753

Summary: I was able to create, but not modify, a file which was a link and 'protected' by 'NOFOLLOW'
Product: Sudo Reporter: Jens Kristensen <kbvej145>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.17   
Hardware: IBM   
OS: AIX   

Description Jens Kristensen 2016-07-25 06:06:36 MDT 
I was able to create, but not modify, a file which was a link and 'protected' by 'NOFOLLOW'

Sudo code 1.8.17.1 on AIX 7100-03-04-1441

sudoentry:

sudotest ALL = sudoedit /apphome/current/*

-------------------------

Contents of the directory /apphome/

ls -ls /apphome
total 0
   0 lrwxrwxrwx    1 root     system            2 Jul 25 11:35 current -> v2
   0 drwx------    2 root     system          256 Jul 25 11:43 v1
   0 drwx------    2 root     system          256 Jul 25 13:42 v2

-------------------------

Contents of /apphome/current

   4 -rw-------    1 root     system           11 Jul 25 11:38 app_data_file
   0 lrwxrwxrwx    1 root     system           11 Jul 25 11:45 mypasswd -> /etc/passwd
   0 lrwxrwxrwx    1 root     system           11 Jul 25 13:02 nofile -> /etc/nofile

--------------------------

Show that file /etc/nofile doesn't exist before test

ls -ls /etc/nofile
ls: 0653-341 The file /etc/nofile does not exist.

-------------------------

user sudotest runs 

sudoedit /apphome/current/nofile
# I add text into the file and when I ends the editor with "wq" I get:

sudoedit: unable to write to /apphome/current/nofile: Too many levels of symbolic links
sudoedit: contents of edit session left in /var/tmp/nofile.zpqFWRZQ

 but now an empty file exist in /etc

ls -ls /etc/nofile
   0 -rw-------    1 root     system            0 Jul 25 13:02 /etc/nofile
Comment 1 Jens Kristensen 2016-07-25 06:21:28 MDT 
NOTE - when I try to edit a link to an existing file I get the expected result:

 sudoedit /apphome/current/mypasswd     
sudoedit: /apphome/current/mypasswd: editing symbolic links is not permitted
Comment 2 Todd C. Miller 2016-07-25 07:59:02 MDT 
Confirmed.  This is only a problem on systems that don't support the O_NOFOLLOW flag to the open system call.  There shouldn't be any security impact since sudo still won't follow a link in a writable directory by default.
Comment 3 Todd C. Miller 2016-07-25 10:46:37 MDT 
The issue is that the symlink check is done after the file is opened to avoid a race condition.  However, when creating a new file, this means that the check doesn't happened until much later and a zero-length file is left behind as a side effect.  It's not possible to fix this completely on systems that don't support O_NOFOLLOW, but the following commit adds a check before the open that will prevent it from happening in most cases.

https://www.sudo.ws/repos/sudo/rev/dac04f305262
Comment 4 Todd C. Miller 2016-09-20 15:15:35 MDT 
Fixed in sudo 1.8.18