As described in the link above, sudo versions lower than or equal to 1.8.14 have a security issue: a user with root access to a path with more than one wildcard can access forbidden files such as /etc/shadow, because sudoedit (sudo -e) does not verify the full path of the accessed file:
(quote from link above)
It seems that sudoedit does not check the full path if a wildcard is used
twice (e.g. /home/*/*/file.txt), allowing a malicious user to replace the
file.txt real file with a symbolic link to a different location (e.g.
/etc/shadow).
https://www.exploit-db.com/exploits/37710/
As an example,
1. Give user `usr' the right to edit some of his files:
usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
2. As usr, create the ~/temp directory, and then create a symlink ~/temp/test.txt to /etc/shadow
3. Perform sudoedit ~/temp/test.txt - you will be able to access /etc/shadow.
What release is affected: tested on all currently supported Ubuntu versions. For me personally, it's 14.04 LTS.
What version is affected: as mentioned, all versions <=1.8.14. For me personally, it's 1.8.9.5
What was expected and happened instead: sudoedit should check the full real path, but it didn't.
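
A defensive check for the rule pattern shown in step 1, as an added example (not part of the original report or of sudo): it scans sudoers text for sudoedit entries whose path contains two or more `*` wildcards. The sample sudoers content and the function names are constructed for illustration.

```python
import re

# Constructed sample sudoers content (not taken from a real system).
SAMPLE_SUDOERS = """\
# constructed sample
usr ALL=(root) NOPASSWD: sudoedit /home/*/*/test.txt
ops ALL=(root) sudoedit /etc/app/config.ini
dev ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
    sudoedit /srv/*/conf/*/site.conf
web ALL=(root) sudoedit /var/www/*/index.html
"""

def logical_lines(text):
    """Yield (first_line_number, text), joining backslash continuations
    and skipping blank lines and comment lines."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        stripped = buf.strip()
        if stripped and not stripped.startswith("#"):
            yield start, stripped
        buf, start = "", None

def risky_sudoedit_rules(text, min_wildcards=2):
    """Return (line_number, path) for each sudoedit path that contains
    at least min_wildcards '*' characters."""
    findings = []
    for n, line in logical_lines(text):
        if "=" not in line:
            continue
        commands = line.split("=", 1)[1]
        for cmd in commands.split(","):
            m = re.search(r"\bsudoedit\s+(\S+)", cmd)
            if m and m.group(1).count("*") >= min_wildcards:
                findings.append((n, m.group(1)))
    return findings

if __name__ == "__main__":
    for n, path in risky_sudoedit_rules(SAMPLE_SUDOERS):
        print(f"line {n}: sudoedit rule with multiple wildcards: {path}")
```

To audit a real configuration, pass the contents of /etc/sudoers and each file under /etc/sudoers.d to `risky_sudoedit_rules`.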