visudo will open existing sudoers.tmp

Bug #39061 reported by Tristan Wibberley
Affects: sudo (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned
Milestone: (none)

Bug Description

By code inspection (I haven't tried to make this happen in case I screw up and open my system to the world), visudo in current dapper will open sudoers.tmp without O_EXCL.

This is clearly done for a reason, ie to prevent DoS on visudo if a machine is misconfigured to allow somebody to only create new files in /etc (which is not actually terribly unreasonable - although it is a bit stupid - for a multiadmin machine using sudo).

The upshot is that if somebody could do just that (create /etc/sudoers.tmp), they could make it permissive and visudo would only truncate it - enabling the configuration to be altered if the timing is right - ie before visudo changes the mode - or if an fd is already open. Through this means a restricted admin could theoretically gain additional privileges.

Is there a good argument against using mkstemp here (ie having a /etc/sudoers.d/ directory - setting its permissions and ownership to the same as /etc/ and making a temporary file securely in there)?

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote :

This is related to, but distinct from: https://launchpad.net/distros/ubuntu/+source/sudo/+bug/16700

as it is not the location that is the problem, but the means by which the file is opened/truncated.

Revision history for this message
Kees Cook (kees) wrote :

Arguably, if someone can create the .tmp file in /etc/, they have access to a great deal more. :)

Generally, there is a locking issue, as two visudo's could run at the same time, too.

Changed in sudo:
importance: Medium → Low
status: Unconfirmed → Confirmed
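
An added example, not sudo's own code, illustrating the three creation strategies this thread touches on (the report's O_EXCL and mkstemp() points and the locking concern in the previous comment): create_exclusive() opens with O_CREAT|O_EXCL so an already-present sudoers.tmp is refused rather than truncated, which also gives mutual exclusion between two concurrent visudo runs (the second one gets EEXIST); open_and_verify() shows the non-exclusive open hardened by an fstat() check on the descriptor actually returned; create_in_dir() is the mkstemp()-in-a-directory variant the report suggests. The function names, the scratch directory under /tmp, the constructed "planted" file and the 0440 mode are assumptions of this example.

```c
/* Added example (not sudo's code): exclusive vs. non-exclusive creation of a
 * sudoers temp file. Paths, names and mode bits are assumptions. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum tmp_result { TMP_OK = 0, TMP_EXISTS, TMP_ERROR, TMP_UNSAFE };

/* Exclusive creation: O_EXCL makes open() fail with EEXIST when PATH already
 * exists, so a file someone else planted is never truncated and reused. The
 * same EEXIST also serialises two editors racing for the same temp name. */
static enum tmp_result create_exclusive(const char *path, int *fd_out)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0440);
    *fd_out = fd;
    if (fd < 0)
        return errno == EEXIST ? TMP_EXISTS : TMP_ERROR;
    return TMP_OK;
}

/* The non-exclusive pattern the report describes (O_CREAT without O_EXCL
 * truncates whatever is there), hardened by inspecting the file we actually
 * got: fstat() on the open fd, so the check cannot race with a rename. */
static enum tmp_result open_and_verify(const char *path, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0440);
    *fd_out = -1;
    if (fd < 0)
        return TMP_ERROR;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return TMP_ERROR;
    }
    /* Reject anything that is not a plain file we own, has extra hard links,
     * or is writable by group/other (a pre-planted permissive file). */
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1 ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return TMP_UNSAFE;
    }
    *fd_out = fd;
    return TMP_OK;
}

/* mkstemp() variant: a unique name inside DIR, created by libc with O_EXCL
 * and mode 0600, so an existing name is never reused. */
static int create_in_dir(const char *dir, char *path_out, size_t len)
{
    if (snprintf(path_out, len, "%s/sudoers.XXXXXX", dir) >= (int)len)
        return -1;
    return mkstemp(path_out);
}

/* Walk through the cases in a scratch directory. Returns 0 when every outcome
 * is as expected, otherwise the number of the check that failed. */
int run_scenario(void)
{
    char dir[] = "/tmp/sudoers-demo.XXXXXX";   /* constructed scratch dir */
    char tmp[256], unique[256];
    int fd, failed = 0;

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(tmp, sizeof tmp, "%s/sudoers.tmp", dir);

    /* Fresh path: exclusive create succeeds. */
    if (create_exclusive(tmp, &fd) != TMP_OK) { failed = 2; goto out; }
    close(fd);
    /* File now exists: exclusive create refuses instead of truncating. */
    if (create_exclusive(tmp, &fd) != TMP_EXISTS) { failed = 3; goto out; }

    /* Constructed "planted" permissive file: the fstat() check rejects it. */
    if (chmod(tmp, 0666) != 0) { failed = 4; goto out; }
    if (open_and_verify(tmp, &fd) != TMP_UNSAFE) { failed = 5; goto out; }

    /* With the file gone, the verified open creates a clean 0440 file. */
    unlink(tmp);
    if (open_and_verify(tmp, &fd) != TMP_OK) { failed = 6; goto out; }
    close(fd);

    /* mkstemp() in the directory hands back a fresh, exclusively created name. */
    fd = create_in_dir(dir, unique, sizeof unique);
    if (fd < 0) { failed = 7; goto out; }
    close(fd);
    unlink(unique);
out:
    unlink(tmp);
    rmdir(dir);
    return failed;
}

int main(void)
{
    int r = run_scenario();
    printf("%s\n", r == 0 ? "all checks behaved as expected" : "unexpected result");
    return r;
}
```

Build with `cc -o sudoers-demo sudoers-demo.c` and run it; the exit status is 0 when each scenario behaves as described. Note that in the open_and_verify() path the O_TRUNC has already emptied the planted file before the check rejects it, which is exactly why exclusive creation (or mkstemp() in a root-owned directory) is the better fix than post-open verification alone.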

Revision history for this message
Tristan Wibberley (tristan-wibberley) wrote : Re: [Bug 39061] Re: visudo will open existing sudoers.tmp

Kees Cook wrote:
> Arguably, if someone can create the .tmp file in /etc/, they have access
> to a great deal more. :)

With the default "root or bust" configuration that's true. But I like to
consider the things I wouldn't consider doing. There should be an area
for this that has a well documented purpose specifying "this directory +
this file control sudo" rather than it looking like "this file alone
controls sudo" when that's not quite true.

I think most security breaches are due to blurring of the boundaries of
use cases and blurred boundaries have a tendency to go wrong.

I agree with the low importance though.

--
Tristan Wibberley

These opinions are my own, and do not reflect those of my employer.
