Public bug reported:

Expected 18.04 behavior, regular user cannot stop root process:

```
$ docker run --rm -it ubuntu:18.04 bash
root@584d4bcca9d3:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [102 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1637 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [1688 kB]
Get:5 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [23.8 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [3373 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [102 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [102 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic/restricted amd64 Packages [13.5 kB]
Get:10 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages [11.3 MB]
Get:11 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages [1344 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic/multiverse amd64 Packages [186 kB]
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [30.8 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [1728 kB]
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [2411 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [3786 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [64.0 kB]
Get:18 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [20.6 kB]
Fetched 28.2 MB in 3s (8820 kB/s)
Reading package lists... Done
root@584d4bcca9d3:/# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 430 kB of archives.
After this operation, 1765 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 sudo amd64 1.8.21p2-3ubuntu1.6 [430 kB]
Fetched 430 kB in 0s (1531 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4050 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.21p2-3ubuntu1.6_amd64.deb ...
Unpacking sudo (1.8.21p2-3ubuntu1.6) ...
Setting up sudo (1.8.21p2-3ubuntu1.6) ...
root@584d4bcca9d3:/# useradd -m test
root@584d4bcca9d3:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@584d4bcca9d3:/# su - test
$ sudo sleep infinity & echo $!
268
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0  18516  3484 pts/0    Ss   17:59   0:00 bash
root       264  0.0  0.0  49276  3064 pts/0    S    18:00   0:00 su - test
test       265  0.0  0.0   4636   792 pts/0    S    18:00   0:00 -su
root       268  0.0  0.0  47708  3520 pts/0    S    18:00   0:00 sudo sleep infinity
root       269  0.0  0.0   4540   852 pts/0    S    18:00   0:00 sleep infinity
test       270  0.0  0.0  34412  2916 pts/0    R+   18:00   0:00 ps aux
$ kill 268
-su: 3: kill: Operation not permitted
$ kill 269
-su: 4: kill: Operation not permitted
$ echo "done!"
done!
$ exit
root@584d4bcca9d3:/# exit
exit
```

Expected 20.04 behavior, regular user cannot stop root process:

```
$ docker run --rm -it ubuntu:20.04 bash
root@f9c9cf1d85d6:/# apt-get update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1566 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4570 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4289 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1276 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [33.5 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:17 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4111 kB]
Get:18 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4090 kB]
Fetched 33.5 MB in 2s (13.5 MB/s)
Reading package lists... Done
root@f9c9cf1d85d6:/# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 515 kB of archives.
After this operation, 2257 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 sudo amd64 1.8.31-1ubuntu1.5 [515 kB]
Fetched 515 kB in 1s (662 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4124 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.31-1ubuntu1.5_amd64.deb ...
Unpacking sudo (1.8.31-1ubuntu1.5) ...
Setting up sudo (1.8.31-1ubuntu1.5) ...
root@f9c9cf1d85d6:/# useradd -m test
root@f9c9cf1d85d6:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@f9c9cf1d85d6:/# su - test
$ sudo sleep infinity & echo $!
270
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4112  3536 pts/0    Ss   18:08   0:00 bash
root       266  0.0  0.0   4520  2908 pts/0    S    18:09   0:00 su - test
test       267  0.0  0.0   2612  1904 pts/0    S    18:09   0:00 -sh
root       270  0.0  0.0   5008  3504 pts/0    S    18:09   0:00 sudo sleep infinity
root       271  0.0  0.0   2512   580 pts/0    S    18:09   0:00 sleep infinity
test       272  0.0  0.0   5896  2872 pts/0    R+   18:09   0:00 ps aux
$ kill 270
-sh: 3: kill: Operation not permitted
$ kill 271
-sh: 4: kill: Operation not permitted
$ exit
root@f9c9cf1d85d6:/# exit
exit
```

Bad/unexpected 22.04 behavior, non root user is permitted to kill root process:

```
$ docker run --rm -it ubuntu:22.04 bash
root@1fb06b5a21bb:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [44.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [3241 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2397 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1163 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2696 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [51.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1452 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [3353 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [81.4 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [33.7 kB]
Fetched 34.9 MB in 3s (10.2 MB/s)
Reading package lists... Done
root@1fb06b5a21bb:/# apt-get install sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 821 kB of archives.
After this operation, 2568 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 sudo amd64 1.9.9-1ubuntu2.4 [821 kB]
Fetched 821 kB in 1s (963 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4393 files and directories currently installed.)
Preparing to unpack .../sudo_1.9.9-1ubuntu2.4_amd64.deb ...
Unpacking sudo (1.9.9-1ubuntu2.4) ...
Setting up sudo (1.9.9-1ubuntu2.4) ...
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
root@1fb06b5a21bb:/# useradd -m test
root@1fb06b5a21bb:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@1fb06b5a21bb:/# su - test
$ sudo sleep infinity & echo $!
255
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4624  3808 pts/0    Ss   18:02   0:00 bash
root       251  0.0  0.0   6232  3568 pts/0    S    18:02   0:00 su - test
test       252  0.0  0.0   2888  1032 pts/0    S    18:02   0:00 -sh
root       255  0.0  0.0   7236  4404 pts/0    S    18:02   0:00 sudo sleep infinity
root       256  0.0  0.0   7236   564 pts/1    Ss+  18:02   0:00 sudo sleep infinity
root       257  0.0  0.0   2788  1056 pts/1    S    18:02   0:00 sleep infinity
test       258  0.0  0.0   7060  1604 pts/0    R+   18:03   0:00 ps aux
$ kill 255
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0   4624  3808 pts/0    Ss   18:02   0:00 bash
root       251  0.0  0.0   6232  3568 pts/0    S    18:02   0:00 su - test
test       252  0.0  0.0   2888  1032 pts/0    S    18:02   0:00 -sh
test       259  0.0  0.0   7060  1584 pts/0    R+   18:03   0:00 ps aux
[1] + Terminated                 sudo sleep infinity
$ exit
root@1fb06b5a21bb:/# exit
exit
```

Note that this behavior was repeated outside of a Docker container on a regular system install and the results are the same; I just provide Docker containers as an example here for easy reproducibility. Also I am not sure if this would fall under the sudo package or a different package, so I am opening against sudo first. I also don't know if this is new expected behavior starting in 22.04, but at least from my perspective it breaks from historical expected behavior.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: sudo 1.9.9-1ubuntu2.4
ProcVersionSignature: Ubuntu 6.8.0-49.49~22.04.1-generic 6.8.12
Uname: Linux 6.8.0-49-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Dec 16 15:18:10 2024
InstallationDate: Installed on 2023-01-03 (712 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy

https://bugs.launchpad.net/bugs/2091898

Title:
  Non root user is able to kill root process started with sudo
