Bug 23 - Root passwd vulnerable to change.
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Visudo
Version: 1.6.3
Hardware: All All
Importance: normal normal
Assigned To: Todd C. Miller
Reported: 2001-01-21 14:22 MST by aaron
Modified: 2001-01-21 19:15 MST (History)
Description aaron 2001-01-21 14:22:53 MST
Tested on i386 linux RH 6.1 & 6.2.

If a user has /usr/bin/passwd as an allowed command then a user can change the
root passwd by typing

"sudo passwd"

and then entering a passwd.  Adding lines like !/usr/bin/passwd root to the
sudoers file does not change this behaviour.  Sudo SHOULD change the user's
passwd by default if no user is specified.
Comment 1 Todd C. Miller 2001-01-21 15:15:59 MST
This is not a bug in sudo.  If you don't want a user to be able to change root's
password then don't give them access to /usr/bin/passwd or restrict them to running
it with an argument (that is not "root").
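
The difference between the rule in the description and the restriction suggested in Comment 1, as an added example (not part of the bug report and not sudo's code): a simplified Python model of sudoers command matching. It assumes the documented sudoers behaviour that an entry without arguments matches any arguments and that the last matching entry wins; the rule strings and the account name alice are constructed.

```python
import fnmatch

# Constructed sudoers Cmnd lists (the part after "user host ="); not from the page.
RULES = {
    "as reported": "/usr/bin/passwd",
    "with negation": "/usr/bin/passwd, !/usr/bin/passwd root",
    "restricted": "/usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*",
}
# What the user types after "sudo"; "alice" is a hypothetical account name.
INVOCATIONS = [["/usr/bin/passwd"],
               ["/usr/bin/passwd", "root"],
               ["/usr/bin/passwd", "alice"]]

def parse_cmnd(entry):
    """Split one Cmnd entry into (allow, path, args_pattern or None)."""
    entry = entry.strip()
    allow = not entry.startswith("!")
    path, _, args = entry.lstrip("!").strip().partition(" ")
    return allow, path, (args.strip() or None)

def sudo_allows(cmnd_list, argv):
    """Simplified model: entries are checked in order, last match wins."""
    path, user_args = argv[0], " ".join(argv[1:])
    verdict = False                      # no matching entry: not permitted
    for entry in cmnd_list.split(","):   # assumes no escaped commas in args
        allow, cpath, pattern = parse_cmnd(entry)
        if cpath != path:
            continue
        if pattern is None:              # no args in sudoers: any args match
            matched = True
        elif pattern == '""':            # "" in sudoers: only a bare command matches
            matched = user_args == ""
        else:                            # args must match the pattern
            matched = fnmatch.fnmatchcase(user_args, pattern)
        if matched:
            verdict = allow
    return verdict

def evaluate():
    """Map each rule name to [bare passwd, passwd root, passwd alice]."""
    return {name: [sudo_allows(rule, argv) for argv in INVOCATIONS]
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:14} {verdicts}")
```

A bare `sudo passwd` stays permitted under the first two rules because an entry without arguments also matches an empty command line; only the third rule requires a user name and rejects root.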