Bug 863

Summary: I wonder that -s option is necessary?
Product: Sudo Reporter: ultractgm
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: low    
Version: 1.8.19   
Hardware: PC   
OS: Linux   

Description ultractgm 2018-12-05 08:46:30 MST 
Sometimes, I use a sudo command with -s options for keeping environment variables for users account(sudoer). I also know -s option run the shell specified by the SHELL environment variable. But the SHELL environment variable can be manipulated by other users having same privilege.

So, I think an adversary is able to abuse the changing SHELL environment variable for privilege escalation like a video below.

https://youtu.be/JSQjIm7377o (unlisted state)

I know it is uncertain whether the sudo is executed with -s option by sudoer.
Anyway, the -s option is really necessary?
Comment 1 Todd C. Miller 2018-12-05 09:19:23 MST 
The -s option does not give any extra privileges that are not already granted by the sudoers file.  It is really just shorthand for running a shell.  If the SHELL environment variable is set to a command the user is not allowed to run, the user will be unable to run "sudo -s".

If an adversary is able to alter the user's SHELL environment variable it is likely they are able to do other things such as create an "sudo" alias or function that performs some malicious task.

If a user running sudo does not have a secure environment where the shell configuration files cannot be modified by others then it is not safe to run sudo (or su for that matter).
Comment 2 ultractgm 2018-12-05 19:31:15 MST 
(In reply to Todd C. Miller from comment #1)
> The -s option does not give any extra privileges that are not
> already granted by the sudoers file.  It is really just shorthand
> for running a shell.  If the SHELL environment variable is set to a
> command the user is not allowed to run, the user will be unable to
> run "sudo -s".

Yes, I know -s option doesn't give any extra privileges.
But, it just executes a string in the SHELL environment variable as root
And, if the adversary got a privilege escalation as a root, they will restore it to the original. So, the user won't feel strange.


> If an adversary is able to alter the user's SHELL environment
> variable it is likely they are able to do other things such as
> create an "sudo" alias or function that performs some malicious task.

Yes, if the adversary has a privilege of a sudoer account, the adversary will change a login password by a passwd command. And then they can do malicious behaviors as a sudoer. But the user will take some action to stop it as soon as they realize the password was changed.

 
> If a user running sudo does not have a secure environment where the
> shell configuration files cannot be modified by others then it is
> not safe to run sudo (or su for that matter).

I agree with your advice. But, I think it is difficult without changing a password of sudoer. Also, most of the linux users don't know whether they have a secure environment for sudo or su. They just depend on the secure environment made by the linux distributions.

In short, If the adversary has a local privilege of a sudoer, they can do malicious behaviors covertly by abusing the SHELL environment variable.
Comment 3 ultractgm 2018-12-07 00:23:10 MST 
I correct my comment above.
Even if the adversary has a privilege of a sudoer account, they can't change a login password. Because they don't know the password.