[sudo-users] /bin/bash in sudoers allows root access to a user????

Todd C. Miller Todd.Miller at sudo.ws
Fri Jun 7 06:36:40 MDT 2019


On Thu, 06 Jun 2019 20:15:27 -0000, "Martin, Denis (Consultant)" wrote:

> I came across a strange behavior of sudo.
>
> We have created an account for Rapid7 Nexpose software to allow it to
> scan our machines for vulnerabilities as well as CIS security.
>
> The software needs to have access to multiple commands with root
> privileges. To do so, we have added the commands to our sudoers file.
> While doing some troubleshooting for another thing I issued "sudo -i"
> using that account instead of mine and got stunned when I got access to
> the root account!
>
> All our other sudo users don't have access to root by issuing "sudo
> -i". I looked in the sudoers file to find what was specific to that
> user and found that the command "/bin/bash" is THE ONE giving root
> access to that user as well as to the other users that are part of the
> same group. I confirmed this by removing that command from the sudoers
> file and noticed that root access is no longer granted to that user.
>
> Why does including "/bin/bash" in the sudoers file allow root access
> with "sudo -i"???
>
> "/bin/sh" and "/bin/ksh" don't allow it...

To run "sudo -i", a user just needs permission to run the target
user's shell.  In this case, the target user is root and their shell
is /bin/bash.  Since the user running sudo has permission to run
bash, they can run "sudo -i".

In other words, because sudoers allows the user to run /bin/bash
and since root's shell is /bin/bash, the user is allowed to run
"sudo -i".  This isn't really much different from the user running
"bash -l" directly.

 - todd
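A small audit script, added here as an example and not taken from the thread or from the sudo project, that applies the rule Todd describes: look up root's login shell in passwd, then flag every sudoers entry (run-as root or ALL) that grants that shell or ALL, since any such entry also grants "sudo -i". The sudoers and passwd contents are constructed samples; the parser covers plain user specs only, not aliases or includes.

```python
import re

# Constructed sudoers sample: "scanner" is the vulnerability-scanner account
# from the thread, granted /bin/bash alongside its scan commands.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) /usr/bin/apt-get, /bin/sh
scanner ALL=(root) NOPASSWD: /sbin/dmidecode, /bin/bash
backup  ALL=(ALL) /usr/bin/rsync
"""

# Constructed /etc/passwd fragment: root's login shell is /bin/bash.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"

# user/group  host(s) = (runas) [TAG:] cmd, cmd, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")


def root_shell(passwd_text):
    """Return root's login shell (7th passwd field), or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == "root":
            return fields[6]
    return None


def rules_granting_shell(sudoers_text, shell):
    """Return (principal, command) pairs whose rule lets the principal run
    `shell` as root, i.e. exactly what `sudo -i` needs when `shell` is
    root's login shell. `ALL` as a command is flagged too."""
    hits = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Default run-as user is root; "(ALL:ALL)" -> "ALL".
        runas = (m.group("runas") or "root").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            path = cmd.split()[0] if cmd else ""
            if path in ("ALL", shell):
                hits.append((m.group("who"), path))
    return hits


def audit(sudoers_text, passwd_text):
    """Combine both steps: who can obtain a root login shell via sudo -i."""
    return rules_granting_shell(sudoers_text, root_shell(passwd_text))
```

Running audit() on the samples reports root (ALL) and scanner (/bin/bash); the %admin group is not reported, which matches the observation in the thread that /bin/sh does not unlock "sudo -i" when root's shell is bash.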

