Bug in supplemental group matching

A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.

Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected.

This vulnerability has been assigned CVE-2009-0034 in the Common Vulnerabilities and Exposures database.

Given a sudoers rule like the following:

bob ALL=(%users) ALL

user “bob” should only be able to run commands as a user that is a member of the Unix group “users”.

However, due to the bug, if “bob” is himself a member of “users”, he will actually be able to run a command as any user.

The bug only impacts sudoers configurations where a Unix group is used in the RunAs list, which is (%users) in the example above.

For example, the following sudoers rule is not affected by the bug:

bob ALL = ALL

The bug is fixed in sudo 1.6.9p20 and sudo 1.7.0.

This problem was brought to my attention by Harald Koenig.

Code was added to sudo version 1.7.0 to cache the user’s supplemental group vector and use it in group matches. When this changed was back-ported to sudo version 1.6.9, the check to only use the supplemental groups when matching against the invoking user got dropped.