Flaw in Runas group matching
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option (run as user) is also specified. This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Sudo versions affected: Sudo 1.7.0 through 1.7.4p3.
This vulnerability has been assigned CVE-2010-2956 in the Common Vulnerabilities and Exposures database.
It is possible to specify a list of users and groups that a command may be run as in a sudoers file entry. For example, given the following sudoers entry:
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
user millert may run /usr/bin/lpq, /usr/bin/lprm or /usr/bin/lpc as user lp, group operator, or some combination thereof. In this case, the following would all be allowed.
$ sudo -g operator /usr/bin/lpc
$ sudo -u lp /usr/bin/lprm
$ sudo -g operator -u lp /usr/bin/lpq
However, due to a flaw in the matching logic, it is possible for millert to run a listed command as any user so long as an allowed group is also specified. For instance,
$ sudo -g operator -u root /usr/bin/lpq
would be allowed, even though the user should not have permission to run commands as root.
Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.
For example, the following entry is affected because it contains both a Runas user and a Runas group:
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
Whereas this one only contains a Runas user and is not affected:
millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
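To make the two points above concrete (why -g short-circuits the -u check in the affected versions, and which sudoers entries are exposed), here is an added Python model written for this page. It is not sudo's own C code: it is a deliberately simplified reimplementation of the Runas check that ignores aliases, ALL wildcards, negation and host matching, and it parses only the simple entry form shown in this advisory. The sample sudoers text is constructed inline from the advisory's examples plus one entry without a Runas list; the names SAMPLE_SUDOERS, parse_sudoers, runas_matches, command_allowed and affected_entries are all assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two entries from the advisory plus one entry
# with no Runas list at all. No real sudoers file is read.
SAMPLE_SUDOERS = """\
# both a Runas user and a Runas group: affected by the flaw
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
# only a Runas user: not affected
millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
# no Runas list: Runas user defaults to root, not affected
admin ALL = /usr/sbin/service
"""

# Simplified entry syntax:  user host = [(runas_users [: runas_groups])] cmd, cmd...
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)


@dataclass
class Entry:
    user: str
    host: str
    runas_users: List[str]
    runas_groups: List[str]
    commands: List[str]


def parse_sudoers(text: str) -> List[Entry]:
    """Parse the simple entry form used in this advisory (hypothetical parser)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                           # unsupported syntax: skip, never guess
        runas = m.group("runas")
        if runas is None:
            users, groups = ["root"], []       # sudo's runas_default is root
        else:
            ulist, _, glist = runas.partition(":")
            users = [u.strip() for u in ulist.split(",") if u.strip()]
            groups = [g.strip() for g in glist.split(",") if g.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        entries.append(Entry(m.group("user"), m.group("host"), users, groups, cmds))
    return entries


def runas_matches(entry: Entry, runas_user: Optional[str],
                  runas_group: Optional[str], flawed: bool) -> bool:
    """Model of the Runas check. runas_user / runas_group carry the -u / -g
    values, or None when the option was not given on the command line."""
    user_ok = runas_user is None or runas_user in entry.runas_users
    group_ok = runas_group is None or runas_group in entry.runas_groups
    if flawed and runas_group is not None and group_ok:
        # 1.7.0 through 1.7.4p3 behaviour: an allowed -g group produces a
        # positive match before the -u value has been checked.
        return True
    # 1.7.4p4 behaviour: both the Runas user and the Runas group must match.
    return user_ok and group_ok


def command_allowed(entries: List[Entry], invoking_user: str, command: str,
                    runas_user: Optional[str] = None,
                    runas_group: Optional[str] = None,
                    flawed: bool = False) -> bool:
    """Return True if some entry lets invoking_user run command with -u/-g."""
    for e in entries:
        if e.user != invoking_user or command not in e.commands:
            continue
        if runas_matches(e, runas_user, runas_group, flawed):
            return True
    return False


def affected_entries(entries: List[Entry]) -> List[Entry]:
    """Entries that carry a Runas group are the ones exposed to CVE-2010-2956."""
    return [e for e in entries if e.runas_groups]


if __name__ == "__main__":
    entries = parse_sudoers(SAMPLE_SUDOERS)
    for version, flawed in (("1.7.4p3 (flawed)", True), ("1.7.4p4 (fixed)", False)):
        ok = command_allowed(entries, "millert", "/usr/bin/lpq",
                             runas_user="root", runas_group="operator", flawed=flawed)
        print(f"{version}: 'sudo -g operator -u root /usr/bin/lpq' -> {ok}")
    for e in affected_entries(entries):
        print("affected entry:", e.user, "runas groups", e.runas_groups)
```

Running the block prints that the root/operator combination is allowed under the flawed logic and denied under the fixed logic, and lists the single entry with a Runas group as the one worth reviewing. Against a real sudoers file, the affected_entries check is the useful part for an administrator still on an affected version: it locates every entry of the (user : group) form, which the advisory identifies as the only form the flaw reaches.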
The flaw is fixed in sudo 1.7.4p4.
I would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue via Red Hat.