Bug 668879 (CVE-2011-0010)
| Summary: | CVE-2011-0010 sudo: does not ask for password on GID changes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | amarecek, bressers, dkopecek, green, kzak, wnefal+redhatbugzilla |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-02-21 08:30:43 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 669472, 669664, 757157 | ||
| Bug Blocks: | 742493 | ||
As per upstream, this only affects 1.7.0 through 1.7.4p4: http://www.sudo.ws/sudo/alerts/runas_group_pw.html Statement: (none) Created sudo tracking bugs for this issue Affects: fedora-all [bug 669472] This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2011:0599 https://rhn.redhat.com/errata/RHSA-2011-0599.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0309 https://rhn.redhat.com/errata/RHSA-2012-0309.html |
A Debian bug report [1] indicated that sudo would not ask for a user's password on GID changes, when it should be asking on both UID and GID changes. Normally, sudo does not allow users to change the GID only, but this can be changed by modifying /etc/sudoers to a non-default configuration, such as: %group ALL=(ALL:ALL) ALL rather than the more traditional: %group ALL=(ALL) ALL If you change the UID with sudo, you are asked for the user's password (unless NOPASSWD is specified), but this is not the case for GID changing: $ sudo -l [sudo] password for vdanen: Matching Defaults entries for vdanen on this host: requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User vdanen may run the following commands on this host: (ALL : ALL) ALL $ sudo -g mygroup id uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup) $ sudo -k $ sudo -g sudo id uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup) $ sudo -k $ sudo -u root id [sudo] password for vdanen: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Upstream has corrected this issue upstream [2],[3]. Note that the "ALL:ALL" specification is not valid syntax for sudo 1.6.7p5 as shipped with Red Hat Enterprise Linux 4. [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641 [2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542 [3] http://www.sudo.ws/repos/sudo/rev/07d1b0ce530e