668879 – (CVE-2011-0010) CVE-2011-0010 sudo: does not ask for password on GID changes

Bug 668879 (CVE-2011-0010) - CVE-2011-0010 sudo: does not ask for password on GID changes

Summary: CVE-2011-0010 sudo: does not ask for password on GID changes

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2011-0010
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	669472 669664 757157
Blocks:	742493
TreeView+	depends on / blocked

Reported:	2011-01-11 22:10 UTC by Vincent Danen
Modified:	2021-02-24 16:46 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-21 08:30:43 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:0599	0	normal	SHIPPED_LIVE	Low: sudo security and bug fix update	2011-05-19 11:46:21 UTC
Red Hat Product Errata	RHSA-2012:0309	0	normal	SHIPPED_LIVE	Low: sudo security and bug fix update	2012-02-21 07:25:01 UTC

Description Vincent Danen 2011-01-11 22:10:26 UTC

A Debian bug report [1] indicated that sudo would not ask for a user's password on GID changes, when it should be asking on both UID and GID changes.  Normally, sudo does not allow users to change the GID only, but this can be changed by modifying /etc/sudoers to a non-default configuration, such as:

%group ALL=(ALL:ALL) ALL

rather than the more traditional:

%group ALL=(ALL) ALL

If you change the UID with sudo, you are asked for the user's password (unless NOPASSWD is specified), but this is not the case for GID changing:

$ sudo -l
[sudo] password for vdanen: 
Matching Defaults entries for vdanen on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User vdanen may run the following commands on this host:
    (ALL : ALL) ALL
$ sudo -g mygroup id
uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup)
$ sudo -k
$ sudo -g sudo id
uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup)
$ sudo -k        
$ sudo -u root id
[sudo] password for vdanen: 
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Upstream has corrected this issue upstream [2],[3].

Note that the "ALL:ALL" specification is not valid syntax for sudo 1.6.7p5 as shipped with Red Hat Enterprise Linux 4.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542
[3] http://www.sudo.ws/repos/sudo/rev/07d1b0ce530e

Comment 1 Vincent Danen 2011-01-12 20:52:33 UTC

As per upstream, this only affects 1.7.0 through 1.7.4p4:

http://www.sudo.ws/sudo/alerts/runas_group_pw.html

Comment 3 Vincent Danen 2011-01-13 18:39:29 UTC

Statement:

(none)

Comment 4 Vincent Danen 2011-01-13 18:41:43 UTC

Created sudo tracking bugs for this issue

Affects: fedora-all [bug 669472]

Comment 6 errata-xmlrpc 2011-05-19 11:46:26 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0599 https://rhn.redhat.com/errata/RHSA-2011-0599.html

Comment 9 errata-xmlrpc 2012-02-21 03:21:37 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0309 https://rhn.redhat.com/errata/RHSA-2012-0309.html

Note You need to log in before you can comment on or make changes to this bug.