Bug 912

Summary: Sudoedit can be tricked through symlinks from a temporarily nonwritable directory
Product: Sudo
Reporter: Siim Ainsaar <ainsaar>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: security    
Priority: normal    
Version: 1.8.30   
Hardware: PC   
OS: Linux   

Description Siim Ainsaar 2020-01-10 16:56:32 MST
Sudoedit (sudo -e) normally disallows any symlinks in the path to the edited file that lie in user-writable directories. This was implemented in response to bug 707. However, that logic does not take into account that a user can change the write permissions of his/her own directories. Therefore, if given permission to use sudoedit somewhere under his/her home directory, actually any file in the filesystem can be edited.

Steps to reproduce:
cd
mkdir t
ln -s / t/r
chmod -w t
sudo -e t/r/etc/shadow

Perhaps it would be better to forbid any symlinks in the file path, no matter whether writable or not? Or somehow apply realpath before validating the access permissions? The latter would probably mean some new syntax in the sudoers file.

Tested versions:
1.8.21p2 (from current Ubuntu 18.04.3 LTS)
1.8.30

Comment 1 Todd C. Miller 2020-01-11 06:26:45 MST
The check should probably be expanded to include user-writable or user-owned directories.
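
The expanded check suggested in comment 1, next to the writable-only rule it replaces, as an added example that is not part of this bug thread and is not sudo's own code. The function names and the scratch directory under /tmp are assumptions made for the illustration, and only the primary group is considered.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old rule: only the mode bits decide. Supplementary groups are ignored here. */
static int dir_writable(const struct stat *sb, uid_t uid, gid_t gid) {
    if (sb->st_uid == uid) return (sb->st_mode & S_IWUSR) != 0;
    if (sb->st_gid == gid) return (sb->st_mode & S_IWGRP) != 0;
    return (sb->st_mode & S_IWOTH) != 0;
}

/* Returns 1 if a symlink in path lives in a directory the user controls, else 0
 * (-1 on error). With owner_counts set, owning the directory is enough, because
 * the owner can restore write permission with chmod at any time. */
int unsafe_symlink(const char *path, uid_t uid, gid_t gid, int owner_counts) {
    char buf[PATH_MAX], dir[PATH_MAX];
    struct stat sb;
    int len = snprintf(buf, sizeof(buf), "%s", path);
    if (len < 0 || (size_t)len >= sizeof(buf)) return -1;
    for (int i = 1; i <= len; i++) {
        if (path[i] != '/' && path[i] != '\0') continue;
        buf[i] = '\0';                      /* buf = prefix ending at this component */
        if (lstat(buf, &sb) == 0 && S_ISLNK(sb.st_mode)) {
            char *slash = strrchr(buf, '/'); /* find the directory holding the link */
            if (slash == NULL) strcpy(dir, ".");
            else snprintf(dir, sizeof(dir), "%.*s", slash == buf ? 1 : (int)(slash - buf), buf);
            if (stat(dir, &sb) != 0) return -1;
            if (dir_writable(&sb, uid, gid) || (owner_counts && sb.st_uid == uid)) return 1;
        }
        buf[i] = path[i];                   /* restore the separator */
    }
    return 0;
}

/* The report's layout (mkdir t; ln -s / t/r; chmod -w t) in a scratch directory. */
int check_report_layout(int owner_counts) {
    char tmp[] = "/tmp/sudoedit-demo-XXXXXX";
    if (!mkdtemp(tmp) || chdir(tmp) || mkdir("t", 0755) || symlink("/", "t/r") || chmod("t", 0555))
        return -1;
    int r = unsafe_symlink("t/r/etc/shadow", getuid(), getgid(), owner_counts);
    if (chmod("t", 0755) || unlink("t/r") || rmdir("t") || chdir("/") || rmdir(tmp)) return -1;
    return r;
}
int main(void) {
    printf("old rule: %d, expanded rule: %d\n", check_report_layout(0), check_report_layout(1));
}
```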

Comment 2 Todd C. Miller 2020-01-11 15:43:16 MST
Fixed in https://www.sudo.ws/repos/sudo/rev/91a1a9c0ba40

Comment 3 Todd C. Miller 2020-06-19 06:14:41 MDT
The fix was included in Sudo 1.8.31.