sudo doesn't ask for password when only the GID is changed

Debian Bug report logs - #609641
sudo doesn't ask for password when only the GID is changed

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: submit@bugs.debian.org

Cc: debian-security@lists.debian.org

Subject: sudo doesn't ask for password when only the GID is changed

Date: Tue, 11 Jan 2011 08:13:04 +0100

[Message part 1 (text/plain, inline)]

Package: sudo
Version: 1.7.4p4-2
Severity: important
Tags: security

Hi,

normally sudo doesn't allow to change the GID only:

	$ sudo -g staff id
	Sorry, user alexander is not allowed to execute '/usr/bin/id' as alexander:staff on alexander.
	$

The solution for this is to change the %sudo entry in /etc/sudoers like
this:

	%sudo ALL=(ALL:ALL) ALL

This line has been the default in sid for over a month now (see
#602699[1]). However the above line seems to have some serious, unwanted
side-effects:

If you normally use sudo, you're asked to re-authenticate yourself,
typically via password:

	$ sudo -u root id
	[sudo] password for alexander: 
	uid=0(root) gid=0(root) groups=0(root)

But if you only want to change the GID, sudo DOES NOT ask for a
password, even not if you explicitly reset the time stamp:

	$ sudo -g staff id
	uid=1000(alexander) gid=50(staff) groups=1000(alexander),27(sudo),112(fuse)
	$ sudo -k
	$ sudo -g staff id
	uid=1000(alexander) gid=50(staff) groups=1000(alexander),27(sudo),112(fuse)

IMHO this is a security issue[2], since it allows privilege escalation
without asking for a password. Either this bug should be fixed[3] or
sudo should stop asking for a password completely. The current behavior
is inconsistent and violates the principle of least surprise.

Best regards

Alexander Kurtz

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602699
[2] I chose "Severity: important" because the problem only occurs when 
    you are a member of the sudo group. Please feel free to raise the
    severity if you think it is necessary.
[3] Please note that simply reverting the fix for #602699 is NOT a 
    solution!

[signature.asc (application/pgp-signature, inline)]

Message #12 received at 609641-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: 609641-close@bugs.debian.org

Subject: Bug#609641: fixed in sudo 1.7.4p4-6

Date: Tue, 11 Jan 2011 19:32:11 +0000

Source: sudo
Source-Version: 1.7.4p4-6

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.4p4-6_i386.deb
  to main/s/sudo/sudo-ldap_1.7.4p4-6_i386.deb
sudo_1.7.4p4-6.debian.tar.gz
  to main/s/sudo/sudo_1.7.4p4-6.debian.tar.gz
sudo_1.7.4p4-6.dsc
  to main/s/sudo/sudo_1.7.4p4-6.dsc
sudo_1.7.4p4-6_i386.deb
  to main/s/sudo/sudo_1.7.4p4-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 609641@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 11 Jan 2011 10:22:39 -0700
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.4p4-6
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 609641
Changes: 
 sudo (1.7.4p4-6) unstable; urgency=low
 .
   * update /etc/sudoers.d/README now that sudoers is a conffile
   * patch from upstream to fix special case in password checking code
     when only the gid is changing, closes: #609641
Checksums-Sha1: 
 e4b3dccb7f66cedf66321d09d1fb60ca59799758 1755 sudo_1.7.4p4-6.dsc
 8d9cff92481a55ab40749059ae52bc2cf102fe74 23122 sudo_1.7.4p4-6.debian.tar.gz
 4a8feb9d05db1ca0f59edc68f65ea7f43bfda611 400338 sudo_1.7.4p4-6_i386.deb
 6e5f252abfe9beb5934e3265e24cad2d83d1f96a 425406 sudo-ldap_1.7.4p4-6_i386.deb
Checksums-Sha256: 
 58ab43052f94e112b5e0b55e4e8002e3fa5e7868fccadbf2fbd8b456c04608d9 1755 sudo_1.7.4p4-6.dsc
 6d2851bbf28668e43c8965388ab42f416edf97b97f2b0005c44870aa9c45f5d4 23122 sudo_1.7.4p4-6.debian.tar.gz
 043d633e7df847bdaa81890889aa88a8624406db8a641fdfdcbeb00595569dcf 400338 sudo_1.7.4p4-6_i386.deb
 2a56675a491aaf34d37b813109a9ca552ed88e7c04a63e6e98df58b0e14de05d 425406 sudo-ldap_1.7.4p4-6_i386.deb
Files: 
 68470fb48bc0798e1249d8decaca6a7b 1755 admin optional sudo_1.7.4p4-6.dsc
 b9ef6fd0ba3e6d7d772ac0a43349973e 23122 admin optional sudo_1.7.4p4-6.debian.tar.gz
 55c87c56b4a30029919f034c971ee3f2 400338 admin optional sudo_1.7.4p4-6_i386.deb
 575e247dcb9f5665bb0e8a81e1642c9d 425406 admin optional sudo-ldap_1.7.4p4-6_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIVAwUBTSysLjqTYZbAldlBAQo1RA//Xn49Kt6uO7pfpGy8iUs7slIBSrHPLnbd
/aVQf59U4ymySj+i1zB11gGhcJOS17rSubRzMKxJcqDcHyPB7eQQpNY2u7y8xWco
+zQgW/Hv6bul71t8xUGPDICjiaw+7NKQ2J4eox9xYn6j0amWg1XFbT9akjkTIto1
UVWAfIw79nMAU9cZXJ86iJ1ILq7geKYxhA/nKbs9+C818ZA8B7KWzrrh0EUmHq5v
fGBCVG1ZbcWKooEy5sn1xOY3+TKubhhXF1PETV4wMy7Cax43ZUDM28cYqvOMJYwU
2LkykVuJceQCbaXxPgsaCvS6vxWtlC36VUV+RjQfs+JGWtMlwzuSMVa54tn5rJCN
9x9IYt8bWpNcCijAV0eJYd4OfhThCq7sRxKuEM6R7KZoGdqPiqf6FgaE58b42JKE
T22UN9aJBVS6v8vDuuiVDESNs8QE7hLxyXnxQqgi/2jJXqlth4jWpOq+wjcQh/Y7
v0me+vP9rPcNHgF2IKo+8GR+NRAiaa537+7C9bpsTaeoLtnWyqtuypuW/xZT+Fyj
akM2O6dOMAmBVPlvyjcnwMiIKopslIsz0t34F9E3KCIKu0kI4e46oofkpUS3ewRZ
dmSajD0eJpsCz8erjWVuHv3w96/GrWsdYHxq701KaAzRDxk6+hGWuAez4YE/a5PX
8lx0DI4TyRE=
=kbat
-----END PGP SIGNATURE-----

Message #17 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: pooya moradi <ibtkm2009@gmail.com>

Cc: 609641@bugs.debian.org

Subject: Re: does your reported bug seem dangerous?

Date: Mon, 17 Jan 2011 14:26:30 +0100

[Message part 1 (text/plain, inline)]

Am Montag, den 17.01.2011, 16:03 +0330 schrieb pooya moradi:
> hi.
> i saw your reported bug in sudo.
> i think it's not dangerous. what's your idea?
> why is it dangerous?
> 
> tnx

I didn't say that this bug is dangerous. If it would be dangerous, I
would have marked it as 'critical'.

I think it's a security issue. sudo should ask for a password, but it
does not. This makes this bug security-relevant IMHO.

Best regards

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Message #22 received at 609641@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: 609641@bugs.debian.org

Cc: team@security.debian.org

Subject: Sudo gid security issue

Date: Tue, 18 Jan 2011 09:20:21 +0100

Hi Bdale,

I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
but not in squeeze (lenny not affected). Would you be able to provide an
update via testing-proposed-updates for this? Let me know if you need
someone from the security team to do it.


Cheers,
Thijs

Message #27 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: Thijs Kinkhorst <thijs@debian.org>, 609641@bugs.debian.org, 609839@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#609641: Sudo gid security issue

Date: Tue, 18 Jan 2011 02:52:21 -0700

[Message part 1 (text/plain, inline)]

On Tue, 18 Jan 2011 09:20:21 +0100, "Thijs Kinkhorst" <thijs@debian.org> wrote:
> I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
> but not in squeeze (lenny not affected). Would you be able to provide an
> update via testing-proposed-updates for this? Let me know if you need
> someone from the security team to do it.

There is already a pending unblock request to allow 1.7.4p4-6 to enter
testing, #609839, which would I think be the best solution.

Bdale

[Message part 2 (application/pgp-signature, inline)]

Message #32 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: Bdale Garbee <bdale@gag.com>

Cc: 609641@bugs.debian.org, 609839@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#609641: Sudo gid security issue

Date: Tue, 18 Jan 2011 18:44:19 +0100

[Message part 1 (text/plain, inline)]

On Tuesday 18 January 2011 10:52:21 Bdale Garbee wrote:
> On Tue, 18 Jan 2011 09:20:21 +0100, "Thijs Kinkhorst" <thijs@debian.org> 
wrote:
> > I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
> > but not in squeeze (lenny not affected). Would you be able to provide an
> > update via testing-proposed-updates for this? Let me know if you need
> > someone from the security team to do it.
> 
> There is already a pending unblock request to allow 1.7.4p4-6 to enter
> testing, #609839, which would I think be the best solution.

Thanks. Today however the release team responded that they think such unblock 
is not acceptable and a testing-proposed-update is necessary. Are you able to 
work on this?


Thijs

[signature.asc (application/pgp-signature, inline)]

Message #37 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: Thijs Kinkhorst <thijs@debian.org>, 609641@bugs.debian.org

Cc: 609641@bugs.debian.org, 609839@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#609641: Sudo gid security issue

Date: Tue, 18 Jan 2011 12:00:45 -0700

[Message part 1 (text/plain, inline)]

On Tue, 18 Jan 2011 18:44:19 +0100, Thijs Kinkhorst <thijs@debian.org> wrote:
> On Tuesday 18 January 2011 10:52:21 Bdale Garbee wrote:
> > On Tue, 18 Jan 2011 09:20:21 +0100, "Thijs Kinkhorst" <thijs@debian.org> 
> wrote:
> > > I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
> > > but not in squeeze (lenny not affected). Would you be able to provide an
> > > update via testing-proposed-updates for this? Let me know if you need
> > > someone from the security team to do it.
> > 
> > There is already a pending unblock request to allow 1.7.4p4-6 to enter
> > testing, #609839, which would I think be the best solution.
> 
> Thanks. Today however the release team responded that they think such unblock 
> is not acceptable and a testing-proposed-update is necessary. Are you able to 
> work on this?

Sigh.  That means more work, a code branch that will have less testing,
and a lower quality sudo package in squeeze than doing the simple thing.

I don't have time to work on this today, but I'll try to get to it soon.

Bdale

[Message part 2 (application/pgp-signature, inline)]

Message #42 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Bdale Garbee <bdale@gag.com>

Cc: Thijs Kinkhorst <thijs@debian.org>, 609641@bugs.debian.org, 609839@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#609641: Sudo gid security issue

Date: Tue, 25 Jan 2011 21:25:29 +0100

On Tue, Jan 18, 2011 at 12:00:45PM -0700, Bdale Garbee wrote:
> On Tue, 18 Jan 2011 18:44:19 +0100, Thijs Kinkhorst <thijs@debian.org> wrote:
> > On Tuesday 18 January 2011 10:52:21 Bdale Garbee wrote:
> > > On Tue, 18 Jan 2011 09:20:21 +0100, "Thijs Kinkhorst" <thijs@debian.org> 
> > wrote:
> > > > I see that the security issue in #609641 / CVE-2011-0010 is fixed in sid
> > > > but not in squeeze (lenny not affected). Would you be able to provide an
> > > > update via testing-proposed-updates for this? Let me know if you need
> > > > someone from the security team to do it.
> > > 
> > > There is already a pending unblock request to allow 1.7.4p4-6 to enter
> > > testing, #609839, which would I think be the best solution.
> > 
> > Thanks. Today however the release team responded that they think such unblock 
> > is not acceptable and a testing-proposed-update is necessary. Are you able to 
> > work on this?
> 
> Sigh.  That means more work, a code branch that will have less testing,
> and a lower quality sudo package in squeeze than doing the simple thing.
> 
> I don't have time to work on this today, but I'll try to get to it soon.

What's the status?

Cheers,
        Moritz

Message #53 received at 609641@bugs.debian.org (full text, mbox, reply):

From: Alexander Kurtz <kurtz.alex@googlemail.com>

To: 609641@bugs.debian.org

Subject: Re: Bug#609641: Sudo gid security issue

Date: Sat, 25 Jun 2011 15:01:44 +0200

[Message part 1 (text/plain, inline)]

unarchive 609641
fixed 609641 1.7.4p4-2.squeeze.1

On Tue, 2011-01-25 at 21:25 +0100, Moritz Mühlenhoff wrote:
> What's the status?

This has been fixed in squeeze:

http://packages.qa.debian.org/s/sudo/news/20110126T212727Z.html

Best regards

Alexander Kurtz

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.