Release Date:
January 29, 2009
Summary:
A bug was introduced in Sudo's group matching code in version 1.6.9
when support for matching based on the supplemental group vector was
added. This bug may allow certain users listed in the sudoers file
to run a command as a different user than their access rule specifies.
Sudo versions affected:
Sudo versions 1.6.9 up to and including 1.6.9p19.
Sudo version 1.7.0 is not affected.
CVE ID:
This vulnerability has been assigned CVE-2009-0034 in the Common Vulnerabilities and Exposures database.
Details:
Given a sudoers rule like the following:
bob ALL=(%users) ALL
user bob should only be able to run commands as a user that is a member of the Unix group users. However, due to the bug, if bob is himself a member of users, he will actually be able to run a command as any user.
Impact:
The bug only impacts sudoers configurations where a Unix group is used in the RunAs list, which is (%users) in the example above. For example, the following sudoers rule is not affected by the bug:
bob ALL = ALL
Fix:
The bug is fixed in sudo 1.6.9p20 and sudo 1.7.0.
Credit:
This problem was brought to my attention by Harald Koenig.
Background:
Code was added to sudo version 1.7.0 to cache the user's supplemental group vector and use it in group matches. When this change was back-ported to sudo version 1.6.9, the check to only use the supplemental groups when matching against the invoking user got dropped.
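The following is an added, simplified model of the RunAs group matching described in the Details and Background sections above; it is not sudo's own code. The group database, the user names, and the function names are constructed for illustration, and the primary (passwd file) group check is left out. The buggy=True path reproduces the dropped check: the cached supplemental group vector of the invoking user is consulted no matter which user is being matched.

```python
"""Model of sudo's %group RunAs matching, correct (1.6.9p20) vs. back-ported (1.6.9-1.6.9p19)."""

# Constructed /etc/group-style data: group name -> members listed in the group file.
GROUP_MEMBERS = {
    "users": {"bob", "carol"},
    "wheel": {"root"},
}


def supplemental_groups(user: str) -> set:
    """Supplemental group vector as initgroups(3) would build it from GROUP_MEMBERS."""
    return {g for g, members in GROUP_MEMBERS.items() if user in members}


def usergr_matches(group: str, user: str, invoking_user: str, buggy: bool = False) -> bool:
    """Is `user` a member of group `group`?

    sudo caches only the *invoking* user's supplemental group vector. The fixed code
    consults that cache only when `user` is the invoking user; the buggy back-port
    (buggy=True) consults it for any `user`, so the invoking user's own memberships
    leak into the match for the target user.
    """
    if user in GROUP_MEMBERS.get(group, set()):  # explicit group-file membership
        return True
    if buggy or user == invoking_user:
        return group in supplemental_groups(invoking_user)  # cached vector
    return False


def runas_matches(runas_list, invoking_user: str, target_user: str, buggy: bool = False) -> bool:
    """Match target_user against a RunAs list such as ('%users',) or ('ALL',)."""
    for entry in runas_list:
        if entry == "ALL" or entry == target_user:
            return True
        if entry.startswith("%") and usergr_matches(entry[1:], target_user, invoking_user, buggy):
            return True
    return False


if __name__ == "__main__":
    rule = ("%users",)  # RunAs list from:  bob ALL=(%users) ALL
    for target in ("carol", "alice", "root"):
        print(f"bob -> {target}: fixed={runas_matches(rule, 'bob', target)} "
              f"buggy={runas_matches(rule, 'bob', target, buggy=True)}")
```

With the fixed logic bob may only become carol (a member of users); with the buggy logic, because bob himself is in users, alice and root match too.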