Bug 772 - Man page suggests a rule which can be exploited to gain root
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Documentation
Version: 1.8.19
Hardware: PC Other
Importance: low high
Assigned To: Todd C. Miller
Reported: 2017-01-17 00:03 MST by Paul "Joey" Clark
Modified: 2017-05-10 10:36 MDT (History)
Description Paul "Joey" Clark 2017-01-17 00:03:03 MST
The man page suggests pete be allowed to change everybody's password except for root's:

    pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

Unfortunately, it is easy for pete to change root's password.  He just needs to run:

    sudo passwd root -q

My suggestion to better secure this rule would be to disallow any call to passwd when any of the arguments contains "root":

    pete		HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
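As an added illustration (not part of the report, and not sudo's own code), the following models how sudoers matches command-line arguments so the two rules above can be tested side by side. It assumes, as sudoers(5) describes, that the arguments are joined into one space-separated string, matched against each rule's argument pattern with fnmatch(3), and that the last matching rule decides; command-path matching is omitted as it is not the point here.

```c
// Added example: a minimal model of sudoers argument matching, used to show
// why "!/usr/bin/passwd root" does not catch "root -q" while "*root*" does.
// Assumptions (labelled): args are joined with single spaces and compared
// with fnmatch(3); the last matching rule wins; command path is ignored.
#include <fnmatch.h>
#include <stdio.h>

struct rule { const char *args_pattern; int deny; };

// Rule from the man page: allow letter-leading args, deny the exact string "root".
static const struct rule original[] = {
    { "[A-Za-z]*", 0 },
    { "root",      1 },
};

// Reporter's variant: deny any argument string that contains "root".
static const struct rule hardened[] = {
    { "[A-Za-z]*", 0 },
    { "*root*",    1 },
};

// Returns 1 if the joined argument string is permitted by the rule list.
static int allowed(const struct rule *rules, size_t n, const char *args) {
    int verdict = 0;                          // no matching rule: not permitted
    for (size_t i = 0; i < n; i++)
        if (fnmatch(rules[i].args_pattern, args, 0) == 0)
            verdict = !rules[i].deny;         // later matching rule overrides
    return verdict;
}

int original_allows(const char *args) { return allowed(original, 2, args); }
int hardened_allows(const char *args) { return allowed(hardened, 2, args); }

int main(void) {
    // Constructed inputs; the first is what "sudo passwd root -q" presents to sudoers.
    const char *inputs[] = { "root -q", "root", "pete", "--help root" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s original:%-5s hardened:%s\n", inputs[i],
               original_allows(inputs[i]) ? "allow" : "deny",
               hardened_allows(inputs[i]) ? "allow" : "deny");
    return 0;
}
```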
Comment 1 Todd C. Miller 2017-01-17 08:57:43 MST
Yes, this is not safe on systems with GNU getopt(3) (primarily Linux) where options can follow arguments.  It's not an issue with POSIX getopt(3) where option processing stops after the first non-option.

Fixed by https://www.sudo.ws/repos/sudo/rev/c809f1372811
Comment 2 Todd C. Miller 2017-05-10 10:36:02 MDT
Documentation change is present in sudo 1.8.20, available now.