Bug 817

Summary: Null username is converted to root without warning
Product: Sudo
Reporter: Tom Hale <tom>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: high    
Priority: low    
Version: 1.8.21   
Hardware: PC   
OS: Linux   

Description Tom Hale 2017-12-10 00:55:58 MST
If -u is passed "" as an argument, the user is assumed to be root.

Example:

$ user=
$ sudo -u "$user" id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)

Here's the same with a non-null $user variable:
$ user=ravi
$ sudo -u "$user" id
uid=1000(ravi) gid=1000(ravi) groups=1000(ravi),6(disk),7(lp),10(wheel),90(network),91(video),93(optical),95(storage),96(scanner),98(power)

This is especially dangerous in scripts where the username may be unset (variable name mistyped perhaps?) or null.

The behaviour fails towards the worst possible case (maximal permissions).

$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2
$
Comment 1 Todd C. Miller 2017-12-10 07:53:59 MST
An empty runas user was treated as if no runas user was specified so runas_default was used.

I've added some extra input validation so that empty arguments are no longer accepted for anything but the prompt.

This is fixed by:
https://www.sudo.ws/repos/sudo/rev/143be1bc8316
https://www.sudo.ws/repos/sudo/rev/93cc4f4761f3
Comment 2 Todd C. Miller 2018-01-16 13:59:04 MST
Fixed in sudo 1.8.22, out now.
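
Added example, not part of the bug report or of sudo itself: a guard a script can apply before calling `sudo -u "$user"`, so that an empty or unset variable is rejected by the script instead of reaching sudo (relevant on versions before 1.8.22, per the comments above). The helper names `validate_runas_user` and `run_as` and the allowed character set are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; validate_runas_user and run_as are hypothetical helpers.

# Return 0 only if $1 is a non-empty, plain name of an existing account.
validate_runas_user() {
    # Unset and null variables both arrive here as "", the value that
    # sudo before 1.8.22 treated as "no -u given" (runas_default).
    if [ -z "${1-}" ]; then
        echo "run_as: target user is empty or unset" >&2
        return 1
    fi
    case $1 in
        -*|*[!A-Za-z0-9._-]*)
            # Assumed policy: no option-like values, whitespace or "#uid".
            echo "run_as: refusing user name '$1'" >&2
            return 1 ;;
    esac
    # The account must exist; id exits non-zero for unknown names.
    if ! id -u -- "$1" >/dev/null 2>&1; then
        echo "run_as: no such user '$1'" >&2
        return 1
    fi
    return 0
}

# Run a command as user $1; fail closed instead of defaulting to root.
run_as() {
    validate_runas_user "${1-}" || return 1
    target=$1
    shift
    sudo -u "$target" -- "$@"
}

# Constructed inputs: the empty value from the report, then an account name.
for candidate in "" "root"; do
    if validate_runas_user "$candidate" 2>/dev/null; then
        echo "accept: '$candidate'"
    else
        echo "reject: '$candidate'"
    fi
done
```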