Bug 924

Summary: Sudo parses '-u' argument several times. Security implications.
Product: Sudo
Reporter: Diego Blanco <diego.blanco>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: enhancement
Priority: low
Version: 1.8.27
Hardware: PC
OS: Linux

Description Diego Blanco 2020-05-02 13:12:34 MDT
I have found the following behavior:

$ sudo -u www-data id
uid=33(www-data) gid=33(www-data) grupos=33(www-data)

$ sudo -u www-data -u root id
uid=0(root) gid=0(root) grupos=0(root)

I actually found this in a "hack me" machine in a laboratory. A program allowed in the sudoers file had a different vulnerability to be exploited, but I could exploit this one much more easily.

The program in question was executed as root via sudo, but internally it validated the provided credentials of a user and then executed commands as that user using "sudo -u user <command_here>". It was converted to a list of arguments to avoid other forms of command injection.

For this reason, if I authenticated as any user but then ran "-u root <my_command>", it ran as root.

I know that this program is nonsense and that, at the very least, it should run as "sudo -u user -- <command_here>"; however, I wonder why sudo allows this, as it is clear that it can lead to security problems, while I fail to see any advantage to this behavior.

I also tested this in current Debian and Ubuntu versions (sudo 1.8.27), reproducing the results.

I am sorry if I am failing to see something here, but I thought it would be worth opening a bug about this.

Comment 1 Todd C. Miller 2020-05-11 20:56:59 MDT
Sudo 1.9.0 includes a change to only allow command line options that take an argument to be specified once.
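
Added example (not part of the original report and not sudo's own code): a Python model of the wrapper described above, showing how the argument list is seen by a getopt-style parser with and without "--", and with the once-only rule described for sudo 1.9.0. The function names and the sample input are assumptions made for illustration; only the -u option is modelled.

```python
import getopt

# Added illustration: a model of the wrapper and of POSIX-style option
# parsing. Function names are hypothetical; this is not sudo's source code.

def build_argv_unsafe(user, command_words):
    """Wrapper as described in the report: caller words follow '-u user'."""
    return ["sudo", "-u", user, *command_words]

def build_argv_hardened(user, command_words):
    """Same wrapper with '--' so caller words are never parsed as options."""
    return ["sudo", "-u", user, "--", *command_words]

def parse_runas(argv, reject_repeats=False):
    """Return (runas_user, command) the way a getopt-style parser sees argv.

    Only '-u' is modelled. Parsing stops at '--' or the first non-option.
    reject_repeats=True models the stricter rule described for sudo 1.9.0.
    """
    opts, command = getopt.getopt(argv[1:], "u:")
    users = [value for flag, value in opts if flag == "-u"]
    if reject_repeats and len(users) > 1:
        raise ValueError("-u may only be specified once")
    return (users[-1] if users else None), command

if __name__ == "__main__":
    # Constructed input: what an authenticated 'www-data' caller submits.
    submitted = ["-u", "root", "id"]
    print(parse_runas(build_argv_unsafe("www-data", submitted)))
    # ('root', ['id'])
    print(parse_runas(build_argv_hardened("www-data", submitted)))
    # ('www-data', ['-u', 'root', 'id'])
```

In the hardened case the word "-u" is treated as the command name, so the request fails instead of changing the target user.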