Bug 912 - Sudoedit can be tricked through symlinks from a temporarily nonwritable directory
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.30
Hardware: PC Linux
Importance: normal security
Assigned To: Todd C. Miller
Reported: 2020-01-10 16:56 MST by Siim Ainsaar
Modified: 2020-06-19 06:14 MDT
Description Siim Ainsaar 2020-01-10 16:56:32 MST
Sudoedit (sudo -e) normally disallows any symlinks in the path to the edited file that lie in user-writable directories. This was implemented in response to bug 707. However, that logic does not take into account that a user can change the write permissions of his/her own directories. Therefore, if given permission to use sudoedit somewhere under his/her home directory, actually any file in the filesystem can be edited.

Steps to reproduce:
cd
mkdir t
ln -s / t/r
chmod -w t
sudo -e t/r/etc/shadow

Perhaps it would be better to forbid any symlinks in the file path, no matter whether writable or not? Or somehow apply realpath before validating the access permissions? The latter would probably mean some new syntax in the sudoers file.

Tested versions:
1.8.21p2 (from current Ubuntu 18.04.3 LTS)
1.8.30
Comment 1 Todd C. Miller 2020-01-11 06:26:45 MST
The check should probably be expanded to include user-writable or user-owned directories.
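
The difference between a writable-only test and the expansion proposed in Comment 1, as an added C illustration; it is not sudo's code and not the committed fix. The function names and the `owned` switch are hypothetical, only the primary gid is considered, and the path-based `lstat()`/`stat()` walk is racy, so it shows the policy rather than a safe open sequence.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>   /* getuid(), getgid() for callers */

/* Illustration only; hypothetical names, not sudo's code. Primary gid only.
 * owned=0: writable-bits test, the check the report bypasses with chmod -w.
 * owned=1: ownership also counts, since the owner can chmod +w again. */
int dir_user_controlled(const struct stat *sb, uid_t uid, gid_t gid, int owned)
{
    if (sb->st_uid == uid)
        return owned || (sb->st_mode & S_IWUSR) != 0;
    if (sb->st_gid == gid)
        return (sb->st_mode & S_IWGRP) != 0;
    return (sb->st_mode & S_IWOTH) != 0;
}

/* 1 if a component of path is a symlink inside a user-controlled directory,
 * 0 if none was found, -1 if path is empty or too long. */
int has_untrusted_symlink(const char *path, uid_t uid, gid_t gid, int owned)
{
    char prefix[PATH_MAX], parent[PATH_MAX], *slash;
    struct stat sb, psb;
    size_t len = strlen(path);

    if (len == 0 || len >= sizeof(prefix))
        return -1;
    for (size_t i = 1; i <= len; i++) {
        if ((path[i] != '/' && path[i] != '\0') || path[i - 1] == '/')
            continue;                     /* not at the end of a component */
        memcpy(prefix, path, i);
        prefix[i] = '\0';
        strcpy(parent, prefix);
        if ((slash = strrchr(parent, '/')) == NULL)
            strcpy(parent, ".");          /* first component, relative path */
        else if (slash == parent)
            parent[1] = '\0';             /* entry directly under "/" */
        else
            *slash = '\0';
        if (lstat(prefix, &sb) != 0 || stat(parent, &psb) != 0)
            return 0;                     /* rest of the path does not exist */
        if (S_ISLNK(sb.st_mode) && dir_user_controlled(&psb, uid, gid, owned))
            return 1;
    }
    return 0;
}
```

With `owned` set to 0, a directory that its owner has made read-only is treated as trusted, which is the gap the report describes; with `owned` set to 1 the same directory is still treated as user-controlled.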
Comment 2 Todd C. Miller 2020-01-11 15:43:16 MST
Fixed in https://www.sudo.ws/repos/sudo/rev/91a1a9c0ba40
Comment 3 Todd C. Miller 2020-06-19 06:14:41 MDT
The fix was included in Sudo 1.8.31