Bug 753 - I was able to create, but not modify, a file which was a link and 'protected' by 'NOFOLLOW'
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.17
Hardware: IBM AIX
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2016-07-25 06:06 MDT by Jens Kristensen
Modified: 2016-09-20 15:15 MDT

Description Jens Kristensen 2016-07-25 06:06:36 MDT
I was able to create, but not modify, a file which was a link and 'protected' by 'NOFOLLOW'

Sudo code 1.8.17.1 on AIX 7100-03-04-1441

sudoentry:

sudotest ALL = sudoedit /apphome/current/*

-------------------------

Contents of the directory /apphome/

ls -ls /apphome
total 0
   0 lrwxrwxrwx    1 root     system            2 Jul 25 11:35 current -> v2
   0 drwx------    2 root     system          256 Jul 25 11:43 v1
   0 drwx------    2 root     system          256 Jul 25 13:42 v2

-------------------------

Contents of /apphome/current

   4 -rw-------    1 root     system           11 Jul 25 11:38 app_data_file
   0 lrwxrwxrwx    1 root     system           11 Jul 25 11:45 mypasswd -> /etc/passwd
   0 lrwxrwxrwx    1 root     system           11 Jul 25 13:02 nofile -> /etc/nofile

--------------------------

Show that file /etc/nofile doesn't exist before test

ls -ls /etc/nofile
ls: 0653-341 The file /etc/nofile does not exist.

-------------------------

user sudotest runs 

sudoedit /apphome/current/nofile
# I add text into the file and when I end the editor with "wq" I get:

sudoedit: unable to write to /apphome/current/nofile: Too many levels of symbolic links
sudoedit: contents of edit session left in /var/tmp/nofile.zpqFWRZQ

but now an empty file exists in /etc

ls -ls /etc/nofile
   0 -rw-------    1 root     system            0 Jul 25 13:02 /etc/nofile
Comment 1 Jens Kristensen 2016-07-25 06:21:28 MDT
NOTE - when I try to edit a link to an existing file I get the expected result:

 sudoedit /apphome/current/mypasswd     
sudoedit: /apphome/current/mypasswd: editing symbolic links is not permitted
Comment 2 Todd C. Miller 2016-07-25 07:59:02 MDT
Confirmed.  This is only a problem on systems that don't support the O_NOFOLLOW flag to the open system call.  There shouldn't be any security impact since sudo still won't follow a link in a writable directory by default.
Comment 3 Todd C. Miller 2016-07-25 10:46:37 MDT
The issue is that the symlink check is done after the file is opened to avoid a race condition.  However, when creating a new file, this means that the check doesn't happen until much later and a zero-length file is left behind as a side effect.  It's not possible to fix this completely on systems that don't support O_NOFOLLOW, but the following commit adds a check before the open that will prevent it from happening in most cases.

https://www.sudo.ws/repos/sudo/rev/dac04f305262
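
The ordering problem described in Comment 3, as an added example (not sudo's code and not part of the original thread): an O_NOFOLLOW emulation that checks for a symlink only after open() leaves an empty file behind a dangling link, while an lstat() before the open avoids it. The names open_nofollow_emulated and stray_file_left and the /tmp scratch paths are hypothetical; where O_NOFOLLOW exists, pass it to open() instead.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical O_NOFOLLOW emulation. precheck=0: symlink test only after
 * open() (the reported behaviour); precheck=1: lstat() before open() too. */
int open_nofollow_emulated(const char *path, mode_t mode, int precheck)
{
    struct stat lsb, fsb;
    int fd;
    /* Racy on its own (path can change before open): covers "most cases". */
    if (precheck && lstat(path, &lsb) == 0 && S_ISLNK(lsb.st_mode)) {
        errno = ELOOP;
        return -1;
    }
    if ((fd = open(path, O_WRONLY | O_CREAT, mode)) == -1)
        return -1;
    /* Check what was really opened; too late to undo an O_CREAT. */
    if (lstat(path, &lsb) == -1 || fstat(fd, &fsb) == -1 || S_ISLNK(lsb.st_mode)
        || lsb.st_dev != fsb.st_dev || lsb.st_ino != fsb.st_ino) {
        close(fd);
        errno = ELOOP;
        return -1;
    }
    return fd;
}

/* Constructed case: scratch dir, "nofile" -> nonexistent "target".
 * Returns 1 if the refused open left "target" behind, 0 if not, -1 on error. */
int stray_file_left(int precheck)
{
    char dir[] = "/tmp/nofollowXXXXXX", lnk[64], tgt[64];
    int fd, left;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(lnk, sizeof(lnk), "%s/nofile", dir);
    snprintf(tgt, sizeof(tgt), "%s/target", dir);
    if (symlink(tgt, lnk) == -1)
        return -1;
    fd = open_nofollow_emulated(lnk, 0600, precheck);
    left = (fd == -1 && access(tgt, F_OK) == 0);
    if (fd != -1) close(fd);
    unlink(tgt); unlink(lnk); rmdir(dir);
    return left;
}

int main(void) { printf("%d %d\n", stray_file_left(0), stray_file_left(1)); return 0; }
```

Both calls refuse the link with ELOOP, the error behind the "Too many levels of symbolic links" message in the report; only the call without the pre-open check leaves the empty target file.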
Comment 4 Todd C. Miller 2016-09-20 15:15:35 MDT
Fixed in sudo 1.8.18