From Todd.Miller at courtesan.com Wed Jun 2 15:36:17 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 02 Jun 2010 15:36:17 -0400
Subject: [sudo-announce] Secure path feature may be circumvented
Message-ID: <201006021936.o52JaHXe027550@core.courtesan.com>

Sudo versions 1.7.2p7 and 1.6.9p23 are now available. These releases
fix a flaw that may allow an attacker to bypass the "secure path"
feature if it is enabled.

Summary:
    Sudo "secure path" feature works by replacing the PATH environment
    variable with a value specified in the sudoers file, or at compile
    time if the --with-secure-path configure option is used. The flaw
    is that sudo only replaces the first instance of PATH in the
    environment. If the program being run through sudo uses the last
    instance of PATH in the environment, an attacker may be able to
    avoid the "secure path" restrictions.

Sudo versions affected:
    Sudo 1.3.1 through 1.6.9p22 and Sudo 1.7.0 through 1.7.2p6.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p7.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p7.tar.gz

    http://www.sudo.ws/sudo/dist/sudo-1.6.9p23.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.6.9p23.tar.gz

Details:
    Most versions of the C library function getenv() return the first
    instance of an environment variable to the caller. However, some
    programs, notably the GNU Bourne Again SHell (bash), do their own
    environment parsing and may choose the last instance of a variable
    rather than the first one.

    An attacker may manipulate the environment of the process that
    executes Sudo such that a second PATH variable is present. When
    Sudo runs a bash script, it is this second PATH variable that is
    used by bash, regardless of whether or not Sudo has overwritten
    the first instance of PATH. This may allow an attacker to subvert
    the program being run under Sudo and execute commands he/she would
    not otherwise be allowed to run.

Impact:
    Exploitation of the bug requires that Sudo be configured with the
    "secure path" option enabled, either at build-time (via configure)
    or at run-time (via sudoers). It also requires that the user be
    granted permission to run a command that does its own environment
    handling, such as a bash script, and that this command does not
    set PATH itself. If the "secure path" feature is not in use there
    is no impact.

Credit:
    Evan Broder and Anders Kaseorg of Ksplice, Inc.

See Also:
    http://www.sudo.ws/sudo/alerts/secure_path.html

From Todd.Miller at courtesan.com Wed Jun 30 09:42:15 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 30 Jun 2010 09:42:15 -0400
Subject: [sudo-announce] sudo 1.7.2p8 released
Message-ID: <201006301342.o5UDgFdN005641@core.courtesan.com>

Sudo version 1.7.2p8 is now available. This is a maintenance release.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.2p8.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.2p8.tar.gz

For a list of download mirror sites, see:
    http://www.sudo.ws/sudo/download.html

Sudo web site:
    http://www.sudo.ws/sudo/

Sudo web site mirrors:
    http://www.sudo.ws/sudo/mirrors.html

Major changes between sudo 1.7.2p7 and 1.7.2p8:

 * Fixed a crash on AIX when LDAP support is in use.

 * Fixed problems with the QAS non-Unix group support.

From Todd.Miller at courtesan.com Wed Jun 30 09:47:00 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 30 Jun 2010 09:47:00 -0400
Subject: [sudo-announce] sudo 1.7.3 released
Message-ID: <201006301347.o5UDl0Zl018556@core.courtesan.com>

Sudo version 1.7.3 is now available. This version adds support for
logging a command's input and output. A new utility, sudoreplay,
is provided to play back sessions.

Download links:
    http://www.sudo.ws/sudo/dist/sudo-1.7.3.tar.gz
    ftp://ftp.sudo.ws/pub/sudo/sudo-1.7.3.tar.gz

For a list of download mirror sites, see:
    http://www.sudo.ws/sudo/download.html

Sudo web site:
    http://www.sudo.ws/sudo/

Sudo web site mirrors:
    http://www.sudo.ws/sudo/mirrors.html

Major changes between sudo 1.7.2p8 and 1.7.3:

 * Support for logging I/O for the command being run.
   For more information, see the documentation for the "log_input"
   and "log_output" Defaults options in the sudoers manual. Also
   see the sudoreplay manual for how to replay I/O log sessions.

 * The use_pty sudoers option can be used to force a command to be
   run in a pseudo-pty, even when I/O logging is not enabled.

 * On some systems, sudo can now detect when a user has logged out
   and back in again when tty-based time stamps are in use. Supported
   systems include Solaris systems with the devices file system,
   Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys
   only).

 * On AIX systems, the registry setting in /etc/security/user is
   now taken into account when looking up users and groups. Sudo
   now applies the correct user and group ids when running a command
   as a user whose account details come from a different source
   (e.g. LDAP or DCE vs. local files).

 * Support for multiple 'sudoers_base' and 'uri' entries in ldap.conf.
   When multiple entries are listed, sudo will try each one in the
   order in which they are specified.

 * Sudo's SELinux support should now function correctly when running
   commands as a non-root user and when one of stdin, stdout or stderr
   is not a terminal.

 * Sudo will now use the Linux audit system when configured with the
   --with-linux-audit flag.

 * Sudo now uses mbr_check_membership() on systems that support it
   to determine group membership. Currently, only Darwin (Mac OS X)
   supports this.

 * When the tty_tickets sudoers option is enabled but there is no
   terminal device, sudo will no longer use or create a tty-based
   ticket file.
   Previously, sudo would use a tty name of "unknown".
   As a consequence, if a user has no terminal device, sudo will now
   always prompt for a password.

 * The passwd_timeout and timestamp_timeout options may now be
   specified as floating point numbers for more granular timeout
   values.

 * Negating the fqdn option in sudoers now works correctly when sudo
   is configured with the --with-fqdn option. In previous versions
   of sudo the fqdn was set before sudoers was parsed.
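
The duplicate-PATH flaw from the "Secure path feature may be circumvented" announcement above, as an added C example that is not part of the original messages and is not sudo's own code: it contrasts replacing only the first PATH entry with replacing it and dropping every later duplicate. The function names, the SECURE value and the sample environments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define SECURE "PATH=/usr/sbin:/usr/bin:/sbin:/bin" /* constructed secure_path */

static int is_var(const char *e, const char *name) {
    size_t n = strlen(name);
    return strncmp(e, name, n) == 0 && e[n] == '=';
}

/* last == 0: first match (most getenv() versions); else the last match. */
const char *env_get(char **envp, const char *name, int last) {
    const char *v = NULL;
    for (; *envp; envp++)
        if (is_var(*envp, name)) {
            v = strchr(*envp, '=') + 1;
            if (!last) break;
        }
    return v;
}

/* Flawed behaviour described in the advisory: only the first entry changes. */
void set_first_only(char **envp, const char *name, char *entry) {
    for (; *envp; envp++)
        if (is_var(*envp, name)) { *envp = entry; return; }
}

/* Hardened: overwrite the first entry, drop later duplicates, compact the
 * array in place. Returns how many entries matched (0: caller must append). */
int set_unique(char **envp, const char *name, char *entry) {
    char **out = envp;
    int seen = 0;
    for (; *envp; envp++) {
        if (!is_var(*envp, name)) *out++ = *envp;
        else if (seen++ == 0) *out++ = entry;
    }
    *out = NULL;
    return seen;
}

int main(void) {
    /* Constructed sample environments, each carrying two PATH entries. */
    char *a[] = { "PATH=/tmp/x", "HOME=/home/u", "PATH=/tmp/x", NULL };
    char *b[] = { "PATH=/tmp/x", "HOME=/home/u", "PATH=/tmp/x", NULL };
    set_first_only(a, "PATH", SECURE);
    set_unique(b, "PATH", SECURE);
    printf("first-only: %s\nunique: %s\n", env_get(a, "PATH", 1), env_get(b, "PATH", 1));
    return 0;
}
```

A reader that takes the last match still sees the caller-supplied value after set_first_only(), while after set_unique() the first and last match agree.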