Bug 797511

Summary: "sudo -l -U user" may show incorrect privileges for specified user
Product: Red Hat Enterprise Linux 6 Reporter: Rubio <_rubio_>
Component: sudoAssignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA QA Contact: Aleš Mareček <amarecek>
Severity: high Docs Contact:
Priority: urgent    
Version: 6.2CC: amarecek, atolani, cww, ffotorel, jrieden, liko, pvrabec, rdassen, rsawhill
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sudo-1.7.4p5-8.el6 Doc Type: Bug Fix
Doc Text:
The "-l" option is used to list allowed and forbidden commands for the invoking user or for the user specified by the "-U" option. However, previously, the getgrouplist() function incorrectly checked the invoker's group membership instead of the membership of the specified user. Consequently, using the "sudo" command with both the "-l" and "-U" options listed privileges granted to any group the invoker was a member of. The getgrouplist() function has been fixed to properly check the group membership of the intended user rather than checking the invoker's membership. This ensures that the required output is listed when using the "-l" and "-U options.
 Story Points: ---
Clone Of:
: 801807 (view as bug list) Environment:
Last Closed: 2012-06-20 14:18:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 801807, 811879    
Attachments:
Description Flags
*corrected* corrected getgrouplist patch none

Description Rubio 2012-02-26 11:38:59 UTC 
Created attachment 565882 [details]
*corrected* corrected getgrouplist patch

Description of problem:
When asking to see commands granted to a different user via "sudo -l -U", the output will list commands granted to any group that the invoker is a member of, in addition to the actual privileges of the specified user.


Version-Release number of selected component (if applicable):
Any sudo-1.7.3+ with the fix for Bug 668843 (CVE-2011-0008) applied.
(Releases 1.8+ do not show this bug, as the code has been refactored.)

How reproducible:
Always

Steps to Reproduce:
1. Put "user1" in group "group", and keep "user2" out of "group"
2. Grant (via, e.g. "%group   ALL=(ALL) ALL") some command to members of "group"
3. As "user1", run "sudo -l -U user2"

Actual results:
The output will indicate "user2" can run the commands granted in step 2.
Note that "user2" does not actually have the ability to run these commands, and when "user2" runs "sudo -l" as himself the output is correct. 


Expected results:
The output of "user1" invoking "sudo -l -U user2" should correctly reflect the privileges of "user2" (and match the output of "user2" invoking "sudo -l").

Additional info:

Bug 235915 states that "sudo can't always correctly determine group membership" and in the description goes on to specify cases where this would happen.  The patch provided there, which uses getgrouplist() to find groups not visible to getgrnam(), was made only against the group-checking code in user_is_exempt() - it's unclear if the analogous code to check or display a user's access needed similar treatment to pick up groups that might otherwise be missed for the reasons listed in that bug report.  This fix went in for 1.6.8p12-14 and 1.6.9+ but evidently was never accepted upstream, so remained a rh/fedora patch.

Bug 481720 (CVE-2009-0034) was introduced in 1.6.9p10 when a different bit of group-checking code, in usergr_matches(), was optimized to cache supplementary group information of the invoker (which was then accidentally used to check group membership of users other than the invoker, making it appear that arbitrary users were members of any group the invoker was a member of).  This was fixed by using the supplementary group cache only if the user being checked was sudo's invoker; the fix went in upstream with 1.6.9p20.

For 1.7.3, group-checking code was moved to a new function user_in_group(), allowing the various bits of checking code to be replaced with a call to the new function in user_is_exempt(), usergr_matches(), and the check/display access code.
The new function included the requisite check to avoid the 481720 bug (and due to other code changes elsewhere, now used the cache only if the user being checked was either sudo's invoker, or the target of "-U").  235915, however, was still not adopted upstream and still existed only as a rh/fedora patch.  This patch's former home, user_is_exempt(), was now a stub function calling user_in_group().  So for 1.7.3, the patch code was moved essentially unchanged to user_in_group().  Unfortunately its code was written for the user_is_exempt() code path, which cares only about group memberships for sudo's invoker, so only checked the invoker's groups regardless of whose it was supposed to be checking...thus effectively reopening the same privilege leak of 481720 by a different mechanism.

Bug 668843 (CVE-2011-0008) identified the new leak, which was addressed by amending 235915's patch to mimic the handling of 481720 by only using getgrouplist() when the user being checked was sudo's invoker or the target of "-U".  The operational part of the getgrouplist() code, however, still only checked the invoker's groups, as it did before.

Thus, specifying "-U user" can hit the getgrouplist() code ostensibly to check group memberships for the specified user, but the code itself always checks the invoker's group memberships instead.  Bringing about the current bug.

The attached patch fixes the getgrouplist() code to properly look at the group membership of the intended user, rather than always checking the invoker's.  It also drops the 481720esque check, as it is no longer needed (and may in fact prevent some of user_in_group()'s callers from reaping the benefits of using getgrouplist() to avoid the "missing groups" of 235915 that started this all in the first place).
Comment 7 Eliska Slobodova 2012-04-25 11:32:09 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The "-l" option is used to list allowed and forbidden commands for the invoking user or for the user specified by the "-U" option. However, previously, the getgrouplist() function incorrectly checked the invoker's group membership instead of the membership of the specified user. Consequently, using the "sudo" command with both the "-l" and "-U" options listed privileges granted to any group the invoker was a member of. The getgrouplist() function has been fixed to properly check the group membership of the intended user rather than checking the invoker's membership. This ensures that the required output is listed when using the "-l" and "-U options.
Comment 8 Daniel Kopeček 2012-05-04 20:48:21 UTC 
*** Bug 819040 has been marked as a duplicate of this bug. ***
Comment 10 Ryan Sawhill 2012-05-26 03:53:01 UTC 
As far as I can tell this is a full duplicate of the now closed/fixed 811879. Am I missing something?
Comment 11 J.H.M. Dassen (Ray) 2012-05-26 09:14:56 UTC 
(In reply to comment #10)
> As far as I can tell this is a full duplicate of the now closed/fixed
> 811879.

The defect is the same in both, but the release streams that are being targeted are different.

This bug was opened first. It was used to request a fix in RHEL 6.3. After this request was granted, and in light of the impact of this issue, a decision was made to request an accelerated fix in the form of an asynchronous erratum. To track this, bug #811879 was cloned from this one (cf. private comment #5).

Now that bug #811879 is closed through the release of an asynchronous erratum, we must assure that there will be no regression of this defect for customers who have installed the erratum and proceed to update to 6.3, and that's the current role of this bug #797511.
Comment 14 errata-xmlrpc 2012-06-20 14:18:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0905.html