[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

security hole in sudo allows users full access

From: Wade Maxfield <maxfield ctelcom net>
To: linux-security redhat com
Subject: security hole in sudo allows users full access
Date: Thu, 11 Nov 1999 21:38:21 -0600 (CST)

  While sudo is used to give fairly trusted users the ability to run
programs with root privs, there exists a hole in the one in the RedHat 
contrib directory (sudo 1.5.9.p4) which allows a minimally trusted user to
obtain full root access and privilege.

  If a user is given the opportunity to run any program, that user can
fool sudo and obtain any level of privilege for any executable.

  Assume the user can run "/bin/treport" as listed in the sudoers file.
(The actual program name does not matter.)

  the user copies /bin/vi to ./treport (assuming the user is in a
directory in which he has write and execute priv.) the user then executes
the following line:

sudo ./treport /etc/shadow

  vi is executed with root privilege and shadow is opened. The full path
of treport is not required.  The correct path of treport is not required.

  This program should be restricted only to _very_ trusted users in the
meantime.


wade

[mod: Note that many operations that normally require "root" will
"give away" root when allowed under "sudo" with a little puzzeling.
This, however, is unforgivable..... -- REW]

Follow-Ups:
- [linux-security] Re: security hole in sudo allows users full access
  - From: Cy Schubert - ITSD Open Systems Group

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]