Bugtraq mailing list archives

Re: [ESA-20010711-02] sudo elevated privileges vulnerability


From: "Jonathan A. Zdziarski" <jonathan.zdziarski () micromuse com>
Date: Mon, 16 Jul 2001 12:04:16 -0400

These kinds of issues with sudo have been around for years.  Even if you
deleted vi from the system, you can still do anything you want if you have
root privs to the right binaries:

tar: (to perform backups, etc) Untar a new password file overwriting the
old, or untar a setuid root shell leaving the bit set.

passwd: (to change people's passwords): Obviously, they can change root's
password or someone else who has higher privs

find: (to perform searches): the exec clause will allow the user to perform
whatever operations they desire as root!

vi: Not only can they escape to a shell, they can write to any file they
want to, execute shell commands and read them into the buffer (:r !), and
*unintentionally* really screw up the system if they press the wrong key.

crontab: Can run malicious scripts or binaries as root designed to give them
root privileges.

Any binary: May have a buffer overflow vulnerability.

This is the reason most people feel the software isn't something that needs
to be 'fixed', but rather understood better.  There really ought to be a
good philosophy for 'sudo' with any systems group.  Playing around with root
privileges is very dangerous if you don't have a full grasp on the dangers
of giving someone sudo privs.  Even if you do, the next buffer-overflow
vulnerability may be for that totally safe binary you just gave someone
access to.  What it boils down to is, if you don't trust someone with full
access to the machine, don't give them sudo privileges.  In your crontab
situation, even if you couldn't drop to a shell in vi, you could easily set
up a root cron to perform an echo 'password' | passwd root and then just su
yourself, or do a million other things.  sudo is a great *tracking* tool but
a bad security control tool IMHO.

I do think, however, that any unix implementation coming with default sudo
privileges is inherently "buggy" on the same level as installing linux
without the shadow password suite.

Anyhow, now that I'm finished with my lecture, if you really want to give
someone the ability to run crontab under sudo, you see it really doesn't
matter if they can escape to a shell in vi because they can easily change
the root password, add themselves to the bottom of the sudoers file, or do a
million other things with cron so you ought to be able to trust them with
full root privs anyway.

If, however, you are looking for a good way to allow someone to edit files
using sudo, and have already rejected the idea of using groups or acls,
consider 'elvis'.  Elvis is a 'vi' emulator designed to look and feel just
like vi, only it has a 'paranoid' mode you can run it in for secure edits,
which will disable shells, executing commands, and a million other things in
vi that could give someone root.
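
Added example, not part of the original post: a Python audit that reads sudoers text and reports every grant of ALL or of a binary the message lists (tar, passwd, find, vi, crontab), with the reason the message gives. It assumes one Cmnd_Alias per line, no #include directives and no commas inside a runas list; the names `audit`, `RISKY`, `SKIP`, `PREFIX` and the sample entries are constructed for illustration.

```python
import re

# Binaries the post names, with the reason it gives (basename -> reason).
RISKY = {
    "tar": "can overwrite the password file or unpack a setuid root shell",
    "passwd": "can change the password of root or a higher-privileged user",
    "find": "the exec clause runs arbitrary commands as root",
    "vi": "shell escape, writes to any file, :r ! command execution",
    "crontab": "can schedule arbitrary scripts or binaries as root",
}
SKIP = re.compile(r"(Defaults|User_Alias|Host_Alias|Runas_Alias)\b")
PREFIX = re.compile(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*")  # (runas) and TAG:

# Constructed sample, not taken from any real host.
SAMPLE = """\
Defaults env_reset
Cmnd_Alias BACKUP = /bin/tar, \\
                    /usr/bin/find
operator ALL=(root) NOPASSWD: BACKUP, /usr/bin/crontab -e
webdev   ALL=(root) /usr/sbin/apachectl restart
helpdesk ALL=(root) /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
"""

def audit(text):
    """Return (user, command, reason) for every grant the post warns about."""
    aliases, rules, findings = {}, [], []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()                 # drop comments
        if line.startswith("Cmnd_Alias"):
            name, _, cmds = line[len("Cmnd_Alias"):].partition("=")
            aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
        elif line and not SKIP.match(line):
            who, _, spec = line.partition("=")
            rules.append((who.split()[0], spec))
    for who, spec in rules:
        for item in spec.split(","):
            item = PREFIX.sub("", item).strip()
            if item.startswith("!"):  # skip negated entries; they grant nothing
                continue
            for cmd in aliases.get(item, [item]):  # expand a Cmnd_Alias if used
                path = cmd.split()[0] if cmd else ""
                base = path.rsplit("/", 1)[-1]
                if cmd == "ALL" or base in RISKY:
                    findings.append((who, path, RISKY.get(base, "unrestricted root")))
    return findings

if __name__ == "__main__":
    for who, cmd, why in audit(SAMPLE):
        print(f"{who}: {cmd} -> {why}")
```

The helpdesk entry is still reported even though it excludes root, because the post's concern extends to changing the password of any higher-privileged account.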

