Sudo

Flaw in Runas group matching

Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command as a specified group via the sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option (run as user) is also specified. Because of this flaw, the user given via -u is treated as a positive match as long as the group given via -g is allowed by the sudoers file, so the Runas user is never actually checked.

Sudo versions affected:

Sudo 1.7.0 through 1.7.4p3.

CVE ID:

This vulnerability has been assigned CVE-2010-2956 in the Common Vulnerabilities and Exposures database.

Details:

It is possible to specify a list of users and groups that a command may be run as in a sudoers file entry. For example, given the following sudoers entry:

millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc

user millert may run /usr/bin/lpq, /usr/bin/lprm or /usr/bin/lpc as user lp, as group operator, or as both. In this case, the following would all be allowed.

$ sudo -g operator /usr/bin/lpc
$ sudo -u lp /usr/bin/lprm
$ sudo -g operator -u lp /usr/bin/lpq

However, due to a flaw in the matching logic, it is possible for millert to run a listed command as any user so long as an allowed group is also specified on the command line. For instance,

$ sudo -g operator -u root /usr/bin/lpq

would be allowed, even though the user should not have permission to run commands as root.

Impact:

Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or that only contain a Runas user, are not affected. A user without any such entry cannot use the flaw, and even an affected entry only lets the user run the listed commands, not arbitrary ones.

For example, the following entry is affected because it contains both a Runas user and a Runas group:

millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc

Whereas this one only contains a Runas user and is not affected:

millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
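The following Python model is an added example; it is not sudo's own code and not part of the original advisory. It re-implements only the part of the Runas check that the Details and Impact sections above describe, so the flawed 1.7.0 through 1.7.4p3 behaviour and the corrected behaviour can be compared on the same sudoers entries, and it audits a sudoers file for the entries the advisory calls affected (those that list a Runas group). The sample sudoers text is constructed for the example; the parser handles only plain one-line entries (no aliases, tags or line continuations), and how it treats a -g request against an entry with no Runas group is an assumption of the model, not a statement about sudo.

```python
"""Model of sudoers Runas matching, illustrating CVE-2010-2956.

Not sudo's code: a small Python re-implementation of the Runas check as the
advisory describes it, with a switch to reproduce the flawed behaviour.
"""
import re
from dataclasses import dataclass

# Constructed sample sudoers content (not a real file). It mirrors the
# advisory's examples and adds a group-only entry and an entry with no Runas
# specification at all.
SAMPLE_SUDOERS = """\
# Runas user and Runas group: affected
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
# Runas user only: not affected
alice   ALL = (lp) /usr/bin/lpq
# Runas group only: affected
bob     ALL = (: operator) /usr/bin/lpc
# No Runas specification (command runs as root): not affected
carol   ALL = /usr/bin/lpc
"""

# user host = [(runas_users [: runas_groups])] command, command, ...
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\(\s*(?P<rusers>[^:)]*?)\s*(?::\s*(?P<rgroups>[^)]*?)\s*)?\))?\s*"
    r"(?P<cmds>.+)$"
)


def _split(field):
    """Split a comma-separated sudoers list; None or '' gives an empty list."""
    return [x.strip() for x in field.split(",") if x.strip()] if field else []


@dataclass
class Entry:
    user: str
    host: str
    runas_users: list
    runas_groups: list
    commands: list


def parse_sudoers(text):
    """Parse simple one-line sudoers entries (no aliases, tags or continuations)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {line!r}")
        entries.append(Entry(m["user"], m["host"], _split(m["rusers"]),
                             _split(m["rgroups"]), _split(m["cmds"])))
    return entries


def affected_entries(entries):
    """Entries that list a Runas group: the only ones CVE-2010-2956 applies to."""
    return [e for e in entries if e.runas_groups]


def _in(name, allowed):
    return "ALL" in allowed or name in allowed


def runas_matches(entry, invoking_user, req_user=None, req_group=None, fixed=True):
    """Does entry allow running as (req_user, req_group)?

    req_user/req_group are the -u/-g arguments (None when omitted). With
    fixed=False this reproduces the flaw the advisory describes: once the -g
    group is allowed, the -u user is accepted without being checked.
    Assumption of this model: an entry with no Runas group never matches a
    request that specifies -g.
    """
    if req_user is None and req_group is None:
        req_user = "root"                      # sudo's default Runas user
    if req_group is not None:
        if not _in(req_group, entry.runas_groups):
            return False
        if req_user is None:
            return True                        # -g alone: run as the invoking user
        if not fixed:
            return True                        # THE FLAW: group matched, -u user never checked
    if entry.runas_users:
        allowed_users = entry.runas_users
    elif entry.runas_groups:
        allowed_users = [invoking_user]        # group-only spec: assumption, no other -u user
    else:
        allowed_users = ["root"]               # no Runas spec at all means "as root"
    return _in(req_user, allowed_users)


def allowed(entries, invoking_user, command, req_user=None, req_group=None,
            hostname="localhost", fixed=True):
    """True if some entry lets invoking_user run command as (req_user, req_group)."""
    for e in entries:
        if e.user != invoking_user or not _in(hostname, [e.host]):
            continue
        if not _in(command, e.commands):
            continue
        if runas_matches(e, invoking_user, req_user, req_group, fixed):
            return True
    return False


if __name__ == "__main__":
    entries = parse_sudoers(SAMPLE_SUDOERS)
    for e in affected_entries(entries):
        print(f"affected entry: {e.user} (Runas groups {e.runas_groups})")
    for fixed in (False, True):
        ok = allowed(entries, "millert", "/usr/bin/lpq", "root", "operator", fixed=fixed)
        print(f"millert: sudo -g operator -u root /usr/bin/lpq, fixed={fixed}: {ok}")
```

Running the audit against a real sudoers file (for example, the output of `visudo -c` having passed, then the file contents fed to `parse_sudoers`) lists the entries worth reviewing while a vulnerable version (check with `sudo -V`) is still installed; the `fixed` switch shows that the only behavioural change the fix brings is that the -u user is checked against the entry's Runas users even when -g is given.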

Fix:

The flaw is fixed in sudo 1.7.4p4.

Credit:

I would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue via Red Hat.