On Sat, Dec 07, 2013 at 07:51:03AM -0430, Andres Perera wrote:
> given a group-allowed command in sudoers, sudo allows escalating to the 
> rlimit privileges of an arbitrary login class by authenticating to a group 
> that the dude is part of.
> 
> /etc/sudoers:
> 
> andres ALL=(andres:andres) /bin/sh -c ulimit\ -a
> 
> Never in the life should this happen:
> 
> $ id
> uid=1000(andres) gid=1000(andres) groups=1000(andres)
> 
> $ ulimit -a
> time(cpu-seconds)    unlimited
> file(blocks)         unlimited
> coredump(blocks)     unlimited
> data(kbytes)         524288
> stack(kbytes)        4096
> lockedmem(kbytes)    2668116
> memory(kbytes)       7984972
> nofiles(descriptors) 512
> processes            128
> 
> $ s -gandres -cdaemon sh -c ulimit\ -a 
> time(cpu-seconds)    unlimited
> file(blocks)         unlimited
> coredump(blocks)     unlimited
> data(kbytes)         8388608
> stack(kbytes)        8192
> lockedmem(kbytes)    2668116
> memory(kbytes)       7984972
> nofiles(descriptors) 128
> processes            1310
> 
> The finding and fixing of this bug was sponsored by the retarded people that 
> participated in this thread:
> http://marc.info/?t=133293504200001&r=1&w=1
> 
> diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c
> index 6faf87d..eaa8bc5 100644
> --- a/usr.bin/sudo/sudo.c
> +++ b/usr.bin/sudo/sudo.c
> @@ -1214,8 +1214,7 @@ set_loginclass(pw)
>  
>      if (login_class && strcmp(login_class, "-") != 0) {
>       if (user_uid != 0 &&
> -         ((!runas_user && runas_group) ||
> -         (strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)))
> +         strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)
>           errorx(1, "only root can use -c %s", login_class);
>      } else {
>       login_class = pw->pw_class;
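Review bot: the logic change in this hunk loosens rather than tightens the check, and the removed lines are the ones that cover the case the description complains about. After the change, the `-g`-only case (runas_user is NULL, runas_group is set) evaluates `strcmp(def_runas_default, "root")`, which is 0 when the default runas user is root, so the `errorx(1, "only root can use -c %s", login_class)` branch is never reached and a non-root caller can still select an arbitrary login class with `-c`. The `((!runas_user && runas_group) || ...)` disjunction that this hunk deletes is exactly what rejects that case; this should be kept as the `+` side, not the `-` side.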

In my excitement to pass on the news, the patch was mistakenly reversed.

The correct fix is the following:

diff --git a/usr.bin/sudo/sudo.c b/usr.bin/sudo/sudo.c
index eaa8bc5..6faf87d 100644
--- a/usr.bin/sudo/sudo.c
+++ b/usr.bin/sudo/sudo.c
@@ -1214,7 +1214,8 @@ set_loginclass(pw)
 
     if (login_class && strcmp(login_class, "-") != 0) {
        if (user_uid != 0 &&
-           strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)
+           ((!runas_user && runas_group) ||
+           (strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)))
            errorx(1, "only root can use -c %s", login_class);
     } else {
        login_class = pw->pw_class;
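Review bot: the added `(!runas_user && runas_group)` clause correctly closes the `-g`-only path, since with runas_user NULL the existing `strcmp(runas_user ? runas_user : def_runas_default, "root")` falls back to the default runas user and passes when that default is root. One small point on the error message: `errorx(1, "only root can use -c %s", login_class)` now also fires when a non-root caller combines `-c` with `-g` alone, where the message is slightly misleading; consider a wording that mentions the group-only case, or a comment above the condition explaining why a bare `-g` must be rejected so the clause is not removed again as redundant.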