Bug 389 - sudoedit permission in sudoers grants permission to any sudoedit executables
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.9
Hardware: PC Linux
Importance: low security
Assigned To: Todd C. Miller
Reported: 2010-01-29 02:47 MST by neonsignal
Modified: 2010-02-23 06:47 MST (History)

Description neonsignal 2010-01-29 02:47:53 MST
My understanding is that permission to sudoedit is granted by a line in the sudoer file like this:

   user1 ALL = sudoedit /etc/network/interfaces

This works as expected (because the string sudoedit is a special case), e.g.

   user1@host1:~$ sudoedit /etc/network/interfaces

However, it also appears to grant access to sudo any executable called 'sudoedit' (if the appropriate parameters are passed in). For example, a user executable in the home directory called sudoedit:

   #!/bin/sh
   whoami

can be invoked using

   user1@host1:~$ sudo ./sudoedit /etc/network/interfaces

I had expected that, because sudoedit is a special-case string, it should not match anything apart from invoking /usr/bin/sudoedit.

This problem was encountered with build 1.6.9p17 of sudo on a Debian Lenny system. The issue was pointed out to me by Glenn Waller (Brisbane, Australia).
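The following Python model is an added illustration for this report and is not sudo's own code. It reduces sudoers matching to the one decision the report is about: whether the pseudo-command `sudoedit` is satisfied by the name of whatever command the caller passed. The pre-fix branch is an assumption modelled on the behaviour the reporter describes (a basename comparison); the fixed branch implements what the reporter expected, i.e. the pseudo-command only matches sudo's builtin edit mode and real commands must be listed by absolute path. The rule line, user name and resolved paths are constructed for the example.

```python
"""Toy model of sudoers command matching for the 'sudoedit' pseudo-command.

Added illustration for this bug report, not sudo's implementation.
The rule text, user name and resolved paths below are constructed.
"""
import os
import shlex


def parse_rule(line):
    """Parse a minimal 'user ALL = command [args...]' sudoers line."""
    user, rest = line.split(" ALL = ", 1)
    parts = shlex.split(rest)
    return {"user": user.strip(), "cmnd": parts[0], "args": parts[1:]}


def args_match(rule_args, request_args):
    """Sudoers semantics: a rule with no args matches any args, otherwise exact match."""
    return not rule_args or rule_args == request_args


def pre_fix_match(rule, request):
    """Matching as the report describes it (assumed model): the sudoedit
    pseudo-command is satisfied whenever the *basename* of the resolved command
    is 'sudoedit', so a user-owned ./sudoedit script passes once the expected
    arguments are supplied."""
    if rule["cmnd"] == "sudoedit":
        cmnd_ok = request["edit_mode"] or os.path.basename(request["path"]) == "sudoedit"
    else:
        cmnd_ok = request["path"] == rule["cmnd"]
    return cmnd_ok and args_match(rule["args"], request["args"])


def fixed_match(rule, request):
    """Expected matching: 'sudoedit' in sudoers only matches sudo's builtin edit
    mode (invoked as sudoedit or sudo -e). Any real command must be listed by
    absolute path and compared against the fully resolved path, never a basename."""
    if rule["cmnd"] == "sudoedit":
        cmnd_ok = request["edit_mode"]
    else:
        cmnd_ok = rule["cmnd"].startswith("/") and request["path"] == rule["cmnd"]
    return cmnd_ok and args_match(rule["args"], request["args"])


# Constructed requests. 'path' is the command as sudo would resolve it from the
# caller's PATH or working directory; 'edit_mode' is True only for sudoedit / sudo -e.
LEGIT_EDIT = {"edit_mode": True, "path": "sudoedit", "args": ["/etc/network/interfaces"]}
ROGUE_SCRIPT = {"edit_mode": False, "path": "/home/user1/sudoedit", "args": ["/etc/network/interfaces"]}
ROGUE_NO_ARGS = {"edit_mode": False, "path": "/home/user1/sudoedit", "args": []}
UNRELATED = {"edit_mode": False, "path": "/bin/sh", "args": ["/etc/network/interfaces"]}


def evaluate(rule_line):
    """Return {case: (pre_fix_result, fixed_result)} for the four constructed requests."""
    rule = parse_rule(rule_line)
    cases = {
        "legit_edit": LEGIT_EDIT,
        "rogue_script": ROGUE_SCRIPT,
        "rogue_no_args": ROGUE_NO_ARGS,
        "unrelated": UNRELATED,
    }
    return {name: (pre_fix_match(rule, req), fixed_match(rule, req)) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (before, after) in evaluate("user1 ALL = sudoedit /etc/network/interfaces").items():
        print(f"{name:14s} pre-fix={before!s:5s} fixed={after}")
```

Note the rogue_no_args case: the argument list in the rule still has to be matched, which is why the reporter's script only works "if the appropriate parameters are passed in". That restriction buys nothing, since the script is free to ignore its arguments and run whatever it likes as root. On a sudo build that is suspected to be affected, the practical check is exactly the reporter's: drop a two-line `sudoedit` script in a writable directory and see whether `sudo ./sudoedit <the listed file>` runs it instead of being refused.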
Comment 1 neonsignal 2010-01-29 19:30:09 MST
A test by a colleague of the original reporter ('slouching' on linuxquestions.org) did not show this problem in an earlier version, sudo-1.6.8p12-12.el5.
Comment 2 Todd C. Miller 2010-02-23 06:47:03 MST
Fixed in sudo 1.7.2p4