Public bug reported:

(Tracking bug from upstream:
https://github.com/trifectatechfoundation/sudo-rs/issues/1613)

This was submitted on 23 May 2025 by @thesmartshadow

We consider the issue described below a non-compliance bug in sudo-rs (i.e. in 
a certain configuration the behaviour diverges). It can be summarised as that 
sudo-rs behaves as ogsudo with:
```
Defaults!sudoedit,list !pam_acct_mgmt
```
In /etc/sudoers.

We have analysed this report carefully in the view of available
documentation and PAM account modules:

* The expectation of a sysadmin set by available documentation is
important; many generic PAM account modules typically talk about "login
access control", i.e. whether a user is allowed to access their account.
It is not clear that this necessarily should limit the availability of
`sudoedit` (and neither is this clearly specified in the sudoedit
documentation). Furthermore, it is reasonable to expect that such
generic modules also apply for the account as a whole and then a user
wouldn't have easy access to `sudoedit`.

* Of course there is a "persistence-after-revocation" possibility if an
account expires while the user is logged in. But this presumes a user
with malicious intent that at some point in time is logged in and has
valid and permitted access to `sudoedit`, which essentially means a
system is already compromised.

* In the example of `pam_time`, a similar situation happens. We consider
it bug that `sudoedit` doesn't listen to this policy, but to turn this
into an attack implies having a user with malicious intent has
privileges to `sudoedit` if they simply wait until the right time.

* Other PAM account modules are of a type to configure access in a way
that for sudo would be the non-obvious way to do things (for example,
why would one use `pam_listfile` to specifically configure who can run
`sudo`/`sudoedit` when `/etc/sudoers` would be the obvious place to do
that).

** Affects: rust-sudo-rs (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2160217

Title:
  PAM account-policy bypass in sudoedit permits unauthorized privileged
  file modification

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/rust-sudo-rs/+bug/2160217/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to