Bug 351490 (CVE-2011-0010) - <app-admin/sudo-1.7.4_p5: Flaw in Runas Group password checking (CVE-2011-0010)
Status: RESOLVED FIXED
Alias: CVE-2011-0010
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.sudo.ws/sudo/alerts/runas_...
Whiteboard: A1 [glsa]
Reported: 2011-01-12 21:40 UTC by Tim Sammut (RETIRED)
Modified: 2012-03-06 02:03 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2011-01-12 21:40:22 UTC
From $URL:

Summary:
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo's -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo's password checking logic that allows a user to run a command with only the group changed without being prompted for a password.

Sudo versions affected:
Sudo 1.7.0 through 1.7.4p4.

CVE ID:
This vulnerability has been assigned CVE-2011-0010 in the Common Vulnerabilities and Exposures database.

Details:
It is possible to specify lists of users and groups that a command may be run as in a sudoers file entry. For example, given the following sudoers entry:

    %sudo ALL = (ALL : ALL) ALL

a user in the sudo group will be permitted to run any command with any combination of user or group. When sudo determines whether or not to prompt for a password, it first checks whether the invoking user is root, the invoking user is a member of an "exempt" group, or that the target user is the same as the invoking user. If any of those three conditions are true, no password is required. When the "runas group" support was added in sudo 1.7.0, this logic was not updated to take the target group into account. This resulted in sudo incorrectly skipping the password check when the target user is the same as the invoking user, but the invoking user is not a member of the target group.

Impact:
Exploitation of the flaw requires that sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.

For example, the following entry is affected because it contains both a Runas user and a Runas group:

    %sudo ALL = (ALL : ALL) ALL

Whereas this one only contains a Runas user and is not affected:

    %wheel ALL = (ALL) ALL

Note that this flaw does not allow a user to run unauthorized commands; it only affects user authentication.

Fix:
The flaw is fixed in sudo 1.7.4p5.
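
An exposure check built from the "Sudo versions affected" and "Impact" sections above, added here as an example (it is not code from the advisory, the sudo project, or Gentoo). It tests a version string against the stated range and lists sudoers entries that contain a Runas group; the sudoers parsing is simplified, and the `backup` entry, `operator` group and `/usr/bin/dump` command are constructed sample values.

```python
import re

AFFECTED_MIN = (1, 7, 0, 0)  # sudo 1.7.0, first affected release per the advisory
AFFECTED_MAX = (1, 7, 4, 4)  # sudo 1.7.4p4, last affected release per the advisory

def parse_version(text):
    """Turn '1.7.4p4' or Gentoo-style '1.7.4_p5' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_affected(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def logical_lines(sudoers_text):
    """Join backslash-continued lines; drop blank lines and '#' lines.
    Simplification: '#include' directives and '#uid' entries are skipped too."""
    for line in re.sub(r"\\\n", " ", sudoers_text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def entries_with_runas_group(sudoers_text):
    """Return user specifications whose Runas spec names a group: (users : groups)."""
    hits = []
    for line in logical_lines(sudoers_text):
        if re.match(r"(Defaults|\w+_Alias)\b", line) or "=" not in line:
            continue
        for runas in re.findall(r"\(([^)]*)\)", line.split("=", 1)[1]):
            _users, sep, groups = runas.partition(":")
            if sep and groups.strip():  # text after ':' is the Runas group list
                hits.append(line)
                break
    return hits

# Constructed sample: the two entries quoted in the advisory plus a hypothetical group-only one.
SAMPLE = """\
Defaults env_reset
%sudo ALL = (ALL : ALL) ALL
%wheel ALL = (ALL) ALL
backup ALL = (: operator) \\
    /usr/bin/dump
"""

if __name__ == "__main__":
    for version in ("1.7.4p4", "1.7.4_p5"):
        print(version, "affected" if version_affected(version) else "not affected")
    print(entries_with_runas_group(SAMPLE))
```

A host is exposed only when both checks are positive: the installed sudo falls in the affected range and at least one entry is returned.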
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-01-12 21:52:13 UTC
Seen the release notes, bumping in a moment.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2011-01-12 22:26:41 UTC
In tree now.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-01-12 22:28:48 UTC
(In reply to comment #2)
> In tree now.
> 

Great, thank you. Are we ok to call for stabilization now? 
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-01-12 22:38:47 UTC
(In reply to comment #3)
> 
> Great, thank you. Are we ok to call for stabilization now? 
> 

Thanks for the go-ahead via IRC.

Arches, please test and mark stable:
=app-admin/sudo-1.7.4_p5
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-01-12 22:54:47 UTC
This is a nasty security issue. amd64 done
Comment 6 Alex Buell 2011-01-12 23:51:47 UTC
Tested on SPARC, sudo works as usual, no problems found. Please stabilise.
Comment 7 Andreas Schürch gentoo-dev 2011-01-13 07:58:46 UTC
I tested it on x86, looks good over here.
Comment 8 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-01-13 08:02:33 UTC
ppc/ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-01-13 14:29:05 UTC
Stable for HPPA.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-01-15 10:36:19 UTC
x86 stable, thanks Andreas
Comment 11 Markus Meier gentoo-dev 2011-01-15 12:13:43 UTC
arm stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-01-15 12:32:36 UTC
alpha/ia64/m68k/s390/sh/sparc stable
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-15 15:05:16 UTC
Thanks, folks. GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2011-06-20 11:23:05 UTC
CVE-2011-0010 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0010):
  check.c in sudo 1.7.x before 1.7.4p5, when a Runas group is configured, does
  not require a password for command execution that involves a gid change but
  no uid change, which allows local users to bypass an intended authentication
  requirement via the -g option to a sudo command.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2012-03-06 02:03:46 UTC
This issue was resolved and addressed in
 GLSA 201203-06 at http://security.gentoo.org/glsa/glsa-201203-06.xml
by GLSA coordinator Sean Amoss (ackle).