Bug 41 - If I'm right this could be nasty
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.6.3
Hardware: PC Linux
Importance: normal security
Assigned To: Todd C. Miller
Reported: 2001-06-13 00:58 MDT by Bas Keur
Modified: 2001-06-15 14:14 MDT (History)
Description Bas Keur 2001-06-13 00:58:34 MDT
server : Jun 12 19:07:33 : user : TTY=pts/1 ; PWD=/var/log ; USER=root ;
COMMAND=/bin/cat messages

This is an output from the mail option in /etc/sudoers.
The problem (it seems) is that it's not logging the real syntax when a person is
piping commands (|), because the COMMAND should be:
/bin/cat messages |mail my@email.adres
So it seems a person can do sudo echo hi |addusers evilaccess |passwd evilacces
without being logged
Comment 1 Todd C. Miller 2001-06-15 10:14:59 MDT
Things like pipes and I/O redirection are handled by the shell so sudo never sees them (and thus can't do matches based on redirection/pipes or log that part of the command).
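
The behaviour described in comment 1, as an added example that is not part of the original bug report or of sudo's code: it shows what argument vector a sudo-like program receives when the calling shell builds a pipeline, and that only the left side of the pipe runs with the elevated identity. `fake_sudo`, `ARGV_LOG` and `RUN_AS` are hypothetical names; `fake_sudo` is an unprivileged stand-in that only mimics the shape of sudo's `COMMAND=` log field.

```shell
#!/bin/sh
# Constructed demo. fake_sudo is a stand-in, NOT the real sudo: it logs its
# argument vector in the style of sudo's COMMAND= field, then runs the command
# with RUN_AS=root-standin in its environment to mark the "elevated" process.
# (Real sudo logs the resolved path, as in COMMAND=/bin/cat messages above.)
unset RUN_AS
ARGV_LOG=$(mktemp)
trap 'rm -f "$ARGV_LOG"' EXIT

fake_sudo() {
    printf 'COMMAND=%s\n' "$*" >> "$ARGV_LOG"
    env RUN_AS=root-standin "$@"
}

# Case 1: the calling shell splits the line at '|' before anything runs.
# fake_sudo is started with "echo hi" only; tr is a separate process that
# the calling shell starts itself, so it never appears in the log.
logged_for_pipeline() {
    : > "$ARGV_LOG"
    fake_sudo echo hi | tr a-z A-Z > /dev/null
    cat "$ARGV_LOG"
}

# Case 2: the pipeline is one quoted argument to a shell started through
# fake_sudo, so the whole string is part of the logged argument vector.
logged_for_sh_c() {
    : > "$ARGV_LOG"
    fake_sudo sh -c 'echo hi | tr a-z A-Z' > /dev/null
    cat "$ARGV_LOG"
}

# Which side of the pipe carries the elevated marker? Only the left side;
# the right side inherits the caller's environment and identity.
who_runs_each_side() {
    fake_sudo sh -c 'echo "left=$RUN_AS"' |
        sh -c 'read -r l; echo "$l right=${RUN_AS:-caller}"'
}

logged_for_pipeline   # COMMAND=echo hi
logged_for_sh_c       # COMMAND=sh -c echo hi | tr a-z A-Z
who_runs_each_side    # left=root-standin right=caller
```

When reviewing sudo logs, a pipeline only shows up in `COMMAND=` if a shell was the program run through sudo; a sudoers policy that permits a shell therefore permits whatever pipeline is passed to it.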