Bug 949

Summary: Possible bypass to ALL, !root
Product: Sudo
Reporter: Sohom Datta <sohom.datta>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: security
Priority: low
Version: 1.9.4
Hardware: PC
OS: Linux

Description Sohom Datta 2020-12-06 12:29:58 MST
Hey,

There seems to be this weird bug in sudo where if I set the following security policy for a newly created user with no user groups whatsoever (except the username user group):

Matching Defaults entries for guest on sohom-E480:
    insults, pwfeedback

User guest may run the following commands on sohom-E480:
    (ALL, !root : ALL) ALL

I seem to be able to override the ALL, !root command by using the following command:

sudo --group=wheel cat /root/.bash_history

I've copied the output of some other debugging commands underneath:

[guest@sohom-E480 sohom]$ sudo --group=wheel sudo -e /root/.bash_history
[sudo] password for guest:      
sudo: /root/.bash_history unchanged
[guest@sohom-E480 sohom]$ sudo -e /root/.bash_history
Sorry, user guest is not allowed to execute 'sudoedit /root/.bash_history' as root on sohom-E480.
[guest@sohom-E480 sohom]$ id
uid=1001(guest) gid=1001(guest) groups=1001(guest)
[guest@sohom-E480 sohom]$ sudo --version
Sudo version 1.9.3p1
Sudoers policy plugin version 1.9.3p1
Sudoers file grammar version 48
Sudoers I/O plugin version 1.9.3p1
Sudoers audit plugin version 1.9.3p1
[guest@sohom-E480 sohom]$ sudo -l
[sudo] password for guest:      
Matching Defaults entries for guest on sohom-E480:
    insults, pwfeedback

User guest may run the following commands on sohom-E480:
    (ALL, !root : ALL) ALL

PS: I wasn't sure if this was a documented issue with sudo or whether or not this could be construed as a security risk, so I reported it just to be on the safe side :)

Comment 1 Todd C. Miller 2020-12-07 13:39:42 MST
That sudoers entry allows the user to run commands as any group.  So "sudo --group=wheel cat /root/.bash_history" will run the command as the current user but with group set to wheel.

You can see the user and group IDs by running the id command via sudo.  E.g. "sudo --group=wheel id".

My guess is that /root/.bash_history is group-readable and that is why you did not need to run the command as root to access it.

Comment 2 Sohom Datta 2020-12-17 12:43:10 MST
Sorry for the late reply.. (IRL stuff)... I took a look and it seems like /root/.bash_history was readable by wheel and I didn't use root permissions there...
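
Added example (not part of the original thread and not sudo's own code): a simplified Python model of how the Runas_Spec "(ALL, !root : ALL)" discussed in Comment 1 is evaluated, showing why "--group=wheel" is permitted while running as root is denied. It assumes the matching rules described in the sudoers manual (user list before the colon, group list after it, last matching entry wins) and handles only plain names, ALL and "!" negation; the function names and the member_of parameter are hypothetical.

```python
# Simplified model of sudoers Runas_Spec matching (added example, not sudo's code).
# Assumption: plain names, ALL and "!" negation only; no aliases, %groups or #ids.

def _split(part):
    """Turn a comma-separated Runas_List into a list of tokens."""
    return [tok.strip() for tok in part.split(",") if tok.strip()]


def parse_runas_spec(spec):
    """Split "(users : groups)" into (user_list, group_list)."""
    spec = spec.strip()
    if not (spec.startswith("(") and spec.endswith(")")):
        raise ValueError("Runas_Spec must be enclosed in parentheses")
    users, _, groups = spec[1:-1].partition(":")
    return _split(users), _split(groups)


def list_match(runas_list, name):
    """Last matching entry wins: True/False, or None if nothing matches."""
    for token in reversed(runas_list):
        item = token.lstrip("!").strip()
        negated = (len(token) - len(token.lstrip("!"))) % 2 == 1
        if item == "ALL" or item == name:
            return not negated
    return None


def is_allowed(spec, invoking_user, run_user=None, run_group=None, member_of=()):
    """Would `sudo [-u run_user] [-g run_group]` match this Runas_Spec?

    member_of: groups the target user already belongs to (constructed input).
    """
    users, groups = parse_runas_spec(spec)
    # With -g alone the command runs as the invoking user; with neither, as root.
    if run_user is not None:
        target = run_user
    else:
        target = invoking_user if run_group is not None else "root"
    if users:
        user_ok = list_match(users, target) is True
    else:
        user_ok = target == invoking_user  # empty user list: invoking user only
    if run_group is None:
        return user_ok
    # The group list applies in addition to the target user's own groups.
    group_ok = list_match(groups, run_group) is True or run_group in member_of
    return user_ok and group_ok
```

In this model, dropping the ": ALL" group list from the entry makes the "--group=wheel" request fail for a user who is not in wheel, which is the part of the rule that "!root" does not cover.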