Bug 668879 - (CVE-2011-0010) CVE-2011-0010 sudo: does not ask for password on GID changes
CVE-2011-0010 sudo: does not ask for password on GID changes
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20110111,reported=2...
: Security
Depends On: 669472 669664 757157
Blocks: 742493
  Show dependency treegraph
 
Reported: 2011-01-11 17:10 EST by Vincent Danen
Modified: 2015-08-19 05:02 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 03:30:43 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-01-11 17:10:26 EST
A Debian bug report [1] indicated that sudo would not ask for a user's password on GID changes, when it should be asking on both UID and GID changes.  Normally, sudo does not allow users to change the GID only, but this can be changed by modifying /etc/sudoers to a non-default configuration, such as:

%group ALL=(ALL:ALL) ALL

rather than the more traditional:

%group ALL=(ALL) ALL

If you change the UID with sudo, you are asked for the user's password (unless NOPASSWD is specified), but this is not the case for GID changing:

$ sudo -l
[sudo] password for vdanen: 
Matching Defaults entries for vdanen on this host:
    requiretty, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME
    HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME
    LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
    LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
    _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User vdanen may run the following commands on this host:
    (ALL : ALL) ALL
$ sudo -g mygroup id
uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup)
$ sudo -k
$ sudo -g sudo id
uid=1001(vdanen) gid=504(mygroup) groups=1001(vdanen),504(mygroup)
$ sudo -k        
$ sudo -u root id
[sudo] password for vdanen: 
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Upstream has corrected this issue upstream [2],[3].

Note that the "ALL:ALL" specification is not valid syntax for sudo 1.6.7p5 as shipped with Red Hat Enterprise Linux 4.

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=609641
[2] http://www.sudo.ws/repos/sudo/rev/fe8a94f96542
[3] http://www.sudo.ws/repos/sudo/rev/07d1b0ce530e
Comment 1 Vincent Danen 2011-01-12 15:52:33 EST
As per upstream, this only affects 1.7.0 through 1.7.4p4:

http://www.sudo.ws/sudo/alerts/runas_group_pw.html
Comment 3 Vincent Danen 2011-01-13 13:39:29 EST
Statement:

(none)
Comment 4 Vincent Danen 2011-01-13 13:41:43 EST
Created sudo tracking bugs for this issue

Affects: fedora-all [bug 669472]
Comment 6 errata-xmlrpc 2011-05-19 07:46:26 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0599 https://rhn.redhat.com/errata/RHSA-2011-0599.html
Comment 9 errata-xmlrpc 2012-02-20 22:21:37 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0309 https://rhn.redhat.com/errata/RHSA-2012-0309.html

Note You need to log in before you can comment on or make changes to this bug.