January 29, 2009
A bug was introduced in Sudo's group matching code in version 1.6.9
when support for matching based on the supplemental group vector was
added. This bug may allow certain users listed in the sudoers file
to run a command as a different user than their access rule specifies.
Sudo versions affected:
Sudo versions 1.6.9 up to and including 1.6.9p19.
Sudo version 1.7.0 is not affected.
This vulnerability has been assigned CVE-2009-0034
in the Common Vulnerabilities and
Given a sudoers rule like the following:
bob ALL=(%users) ALL
should only be able to run commands as a user that
is a member of the Unix group users
However, due to the bug, if bob is himself a member of
users, he will actually be able to run a command as
The bug only impacts sudoers
configurations where a Unix group
is used in the RunAs list, which is (%users)
in the example above.
For example, the following sudoers rule is not affected
by the bug:
bob ALL = ALL
The bug is fixed in sudo 1.6.9p20 and sudo 1.7.0.
This problem was brought to my attention by Harald Koenig.
Code was added to sudo version 1.7.0 to cache the user's supplemental
group vector and use it in group matches. When this changed was
back-ported to sudo version 1.6.9, the check to only use the
supplemental groups when matching against the invoking user got