Bugtraq mailing list archives

Re: [ESA-20010711-02] sudo elevated privileges vulnerability


From: Marlen Caemmerer <nosy () convergence de>
Date: Thu, 12 Jul 2001 13:06:14 +0200 (CEST)



On Wed, 11 Jul 2001, EnGarde Secure Linux wrote:

  privileges by leveraging certain commands.


DETAIL
------
  Ralf Hemmann has, via the engarde-users mailing list, brought a security
  issue with our default /etc/sudoers file to our attention.

  In EnGarde Secure Linux, users in the 'admin' group have more privileges
  than a normal user.  They are allowed to execute more commands (such as
  su(1)) and are allowed to read certain configuration files that non-admin
  users are not allowed to.

  One of these commands is the sudo command, which allows a normal user to
  execute a command with elevated privileges.  By default, any user in the
  'admin' group can run several commands as defined in the /etc/sudoers
  file.



well, yes, when ralf tried to use this sudoers file on a server here he
took my general root privileges so i thought what to do against it.

i did a sudo -l to see if i can get a root shell somehow because i am not
used to having limited privileges.

there was only one command that runs in an editor with shell escape:
/usr/bin/crontab.
so i did a "sudo crontab -e" and there i was in my vi with root
privileges.
you can escape to a shell in that editor.
so i was root then.



SOLUTION
--------
  We are not issuing updated packages to fix this problem, as the
  /etc/sudoers file is a configuration file which would not be replaced
  by an updated package.


  Solution 1:  No Action at All
  -----------------------------
    No action needs to be taken if you:

      a) trust all of the users in your 'admin' group; and


;) then just give them all privileges... ;)

  Solution 3:  Remove the 'admin' Group Privileges
  ------------------------------------------------
    This solution to the problem uses the visudo(8) command to edit the
    /etc/sudoers file.  Please note that you will be brought in to vi(1)
    by default.  If you are not comfortable using vi then we recommend
    you change your EDITOR environment variable to pico(1) by typing:

      # export EDITOR=pico

this will not work for /etc/profile or /root/.bashrc as i tried.
with sudo you simply keep the user's shell environment and the user can
override all environment variables by setting them for his shell.
imho there is no way but setting it in /etc/sudoers.


another solution could be to check if the sudo user can execute any
commands with shell escape.
keep in mind that "less" also has a shell escape because it can invoke the
editor specified by the EDITOR variable of the user.

the FAQ of the sudo page says:

"Q) When I run visudo it uses vi as the editor and I hate vi.  How
   can I make it use another editor?
A) Your best bet is to run configure with the --with-env-editor switch.
   This will make visudo use the editor specified by the user's
   EDITOR environment variable.  Alternately, you
   can run configure with the --with-editor=/path/to/another/editor."


regards,
        nosy
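
The check suggested in the reply above (whether a sudo user can run any command with a shell escape), as an added example that is not part of the original post or the advisory: a small Python audit over sudoers text. The sample file, the function names and the "vim"/"more" entries are assumptions; it handles single-host specs and one level of Cmnd_Alias only.

```python
import posixpath
import re

# Constructed sample in sudoers syntax; NOT the EnGarde default file.
SAMPLE_SUDOERS = """\
Cmnd_Alias  EDITORS = /usr/bin/crontab, /usr/bin/less
Cmnd_Alias  OTHER = /sbin/ifconfig, /bin/ls /var/log
%admin  ALL = EDITORS, OTHER, \\
              /usr/sbin/visudo
backup  ALL = (root) NOPASSWD: /bin/date
"""

# crontab, vi, less and visudo are the programs the post names; "vim" and
# "more" are assumed additions. Extend the set for your own systems.
ESCAPE_CAPABLE = {"crontab", "vi", "vim", "less", "more", "visudo"}

def _logical_lines(text):
    """Join backslash continuations, drop comments and blank lines."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()  # simplification: ignores #include / #uid
        if line:
            yield line

def _commands(rhs, aliases):
    """Yield each command, minus runas list and tags, expanding Cmnd_Alias names."""
    for item in rhs.split(","):
        item = re.sub(r"^\s*(\([^)]*\)\s*)?([A-Z_]+:\s*)*", "", item).strip()
        if item:
            yield from aliases.get(item, [item])

def audit(text):
    """Return (user_or_group, command) pairs that can reach a shell escape."""
    lines, aliases = list(_logical_lines(text)), {}
    for line in lines:
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.*)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    findings = []
    for line in lines:
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        who, rhs = line.split()[0], line.split("=", 1)[1]
        for cmd in _commands(rhs, aliases):
            if posixpath.basename(cmd.split()[0]) in ESCAPE_CAPABLE:
                findings.append((who, cmd))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS))
```

Each finding is an entry to remove, replace with a non-interactive command, or grant only to users who are trusted with full root.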

