A vulnerability was found in Sudo through 1.8.29: the fact that a user has been blocked (e.g., by using the ! character in the shadow file instead of a password hash) is not considered, allowing an attacker (who has access to a Runas ALL sudoer account) to impersonate any blocked user. References: https://www.sudo.ws/stable.html#1.8.30 https://www.sudo.ws/devel.html#1.8.30b2
Created sudo tracking bugs for this issue: Affects: fedora-all [bug 1786709]
Upstream patch: https://www.sudo.ws/repos/sudo/rev/ed6db31729cd
Analysis: Basically, when an account is disabled in the shadow file by replacing the hash with "!", sudo does not consider it disabled, and depending on the configuration, sudo can be run as such a disabled account. The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells file. On many systems, users such as bin do not have a valid shell, and this flag can be used to prevent commands from being run as those users.
Statement: The new runas_check_shell sudoers setting can be used to require that the runas user have a shell listed in the /etc/shells file. On many systems, users such as bin do not have a valid shell, and this flag can be used to prevent commands from being run as those users.
External References: https://www.sudo.ws/stable.html#1.8.30
Mitigation: This flaw basically allows commands to be run via sudo as users whose account is disabled in /etc/shadow (password hash replaced with '!'). Systems without such disabled accounts, or systems that disable sudo access for such accounts by other means (such as not allowing them as runas targets via access control mechanisms), are not affected by this flaw.
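The following audit helper is an added example; it is not part of this bug record or of the sudo project's code. It reads constructed stand-ins for /etc/shadow, /etc/passwd and /etc/shells and reports, for every account, whether it is locked with the '!' marker described above and whether its login shell is listed in /etc/shells, which is the condition the runas_check_shell sudoers setting (enabled with a `Defaults runas_check_shell` line) enforces on the runas user. Locked accounts whose shell is still listed in /etc/shells are the ones a Runas ALL rule would continue to reach even with that flag set, so they are the accounts to restrict by other means as the mitigation notes. The file contents, usernames and hashes below are constructed sample data.

```python
# Added example (not from the bug record or the sudo project): audit which
# accounts are locked via "!" in the shadow password field and whether the
# runas_check_shell sudoers setting ("Defaults runas_check_shell") would block
# running commands as them, i.e. whether their shell is absent from /etc/shells.
from typing import Dict, List

# Constructed sample data standing in for /etc/shadow, /etc/passwd and /etc/shells.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:18500:0:99999:7:::
bin:*:18500:0:99999:7:::
alice:$6$saltsalt$anotherhash:18500:0:99999:7:::
bob:!$6$saltsalt$lockedhash:18500:0:99999:7:::
svc:!:18500:0:99999:7:::
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
svc:x:1002:1002:Service:/var/lib/svc:/sbin/nologin
"""

SAMPLE_SHELLS = """\
# /etc/shells: valid login shells (comment lines are ignored)
/bin/sh
/bin/bash
"""


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field from shadow(5)-style content."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            out[fields[0]] = fields[1]
    return out


def parse_passwd_shells(text: str) -> Dict[str, str]:
    """Map username -> login shell (7th field) from passwd(5)-style content."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            out[fields[0]] = fields[6]
    return out


def parse_shells(text: str) -> List[str]:
    """One absolute shell path per line, '#' comments and blank lines ignored."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def is_locked(pw_field: str) -> bool:
    """A shadow password field starting with '!' is the lock marker this record
    describes (passwd -l / usermod -L prepend '!'; a bare '!' is also a lock).
    '*' (no password, as for bin) is deliberately not treated as '!'-locked."""
    return pw_field.startswith("!")


def audit(shadow_text: str, passwd_text: str, shells_text: str) -> Dict[str, dict]:
    """Per user: locked status, login shell, and whether that shell is in
    /etc/shells (the check runas_check_shell applies to the runas user)."""
    shadow = parse_shadow(shadow_text)
    shells_by_user = parse_passwd_shells(passwd_text)
    valid = set(parse_shells(shells_text))
    report = {}
    for user, pw in shadow.items():
        shell = shells_by_user.get(user, "")
        report[user] = {"locked": is_locked(pw), "shell": shell,
                        "shell_allowed": shell in valid}
    return report


def exposed_locked_accounts(report: Dict[str, dict]) -> List[str]:
    """Locked accounts that runas_check_shell alone would NOT protect, because
    their shell is listed in /etc/shells; restrict these via sudoers Runas lists."""
    return sorted(u for u, r in report.items() if r["locked"] and r["shell_allowed"])


if __name__ == "__main__":
    rep = audit(SAMPLE_SHADOW, SAMPLE_PASSWD, SAMPLE_SHELLS)
    for user, r in sorted(rep.items()):
        state = "locked" if r["locked"] else "active"
        verdict = "reachable as runas" if r["shell_allowed"] else "blocked by runas_check_shell"
        print(f"{user}: {state}, shell={r['shell'] or '(none)'} -> {verdict}")
    print("locked accounts still reachable:", exposed_locked_accounts(rep))
```

On a real host, replace the constructed strings with the contents of the three files (reading /etc/shadow requires root). In the sample data, svc is locked and has /sbin/nologin, so runas_check_shell blocks it, while bob is locked but keeps /bin/bash and is reported as still reachable.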