Flaw in Runas group matching

Release Date:

September 7, 2010


Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via the sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option (run as user) is also specified. This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.

Sudo versions affected:

Sudo 1.7.0 through 1.7.4p3.


This vulnerability has been assigned CVE-2010-2956 in the Common Vulnerabilities and Exposures database.


It is possible to specify a list of users and groups that a command may be run as in a sudoers file entry. For example, given the following sudoers entry:
    millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
user millert may run /usr/bin/lpq, /usr/bin/lprm or /usr/bin/lpc as user lp, group operator or some combination thereof. In this case, the following would all be allowed.
    $ sudo -g operator /usr/bin/lpc
    $ sudo -u lp /usr/bin/lprm
    $ sudo -g operator -u lp /usr/bin/lpq
However, due to a flaw in the matching logic, it is possible for millert to run a listed command as any user so long as an allowed group is also specified. For instance,
    $ sudo -g operator -u root /usr/bin/lpq
would be allowed, even though the user should not have permission to run commands as root.
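As an added illustration (not sudo's source code), the following Python models the Runas matching for the example entry above in both its flawed and its fixed form. The entry, user names and command paths are the ones from this advisory; the two matching functions are a simplified model of the behaviour described here, not sudo's actual implementation.

```python
# Added example: a simplified model of sudo's Runas matching for a single
# sudoers entry, written to illustrate CVE-2010-2956. It is not sudo's own
# code; the two functions model the pre-fix and post-fix behaviour the
# advisory describes.

from dataclasses import dataclass


@dataclass(frozen=True)
class SudoersEntry:
    """One sudoers entry: 'user host = (runas_users : runas_groups) commands'."""
    user: str
    runas_users: frozenset    # empty means the default Runas user, root
    runas_groups: frozenset   # empty means no Runas group may be requested
    commands: frozenset


# The advisory's example entry:
#   millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
ENTRY = SudoersEntry(
    user="millert",
    runas_users=frozenset({"lp"}),
    runas_groups=frozenset({"operator"}),
    commands=frozenset({"/usr/bin/lpq", "/usr/bin/lprm", "/usr/bin/lpc"}),
)


def _user_allowed(entry, runas_user):
    """Runas user check shared by both models; root is the default when the
    entry lists no Runas user."""
    allowed = entry.runas_users or frozenset({"root"})
    return runas_user in allowed


def runas_matches_flawed(entry, runas_user, runas_group):
    """Model of sudo 1.7.0 through 1.7.4p3: once the -g group is allowed the
    entry matches and the -u user is never examined."""
    if runas_group is not None:
        return runas_group in entry.runas_groups   # the flaw: -u is ignored here
    return _user_allowed(entry, runas_user or "root")


def runas_matches_fixed(entry, runas_user, runas_group):
    """Model of sudo 1.7.4p4: user and group are checked independently and
    both must be allowed."""
    if runas_group is None:
        return _user_allowed(entry, runas_user or "root")
    if runas_group not in entry.runas_groups:
        return False
    if runas_user is None:
        # 'sudo -g group cmd' runs as the invoking user, so only the group matters
        return True
    return _user_allowed(entry, runas_user)


def is_permitted(entry, invoking_user, command, runas_user=None,
                 runas_group=None, fixed=True):
    """Full decision for one request: invoking user, command and Runas spec
    must all match the entry."""
    if invoking_user != entry.user or command not in entry.commands:
        return False
    check = runas_matches_fixed if fixed else runas_matches_flawed
    return check(entry, runas_user, runas_group)


if __name__ == "__main__":
    requests = [
        ("sudo -g operator /usr/bin/lpc",
         dict(command="/usr/bin/lpc", runas_group="operator")),
        ("sudo -u lp /usr/bin/lprm",
         dict(command="/usr/bin/lprm", runas_user="lp")),
        ("sudo -g operator -u lp /usr/bin/lpq",
         dict(command="/usr/bin/lpq", runas_user="lp", runas_group="operator")),
        ("sudo -g operator -u root /usr/bin/lpq",
         dict(command="/usr/bin/lpq", runas_user="root", runas_group="operator")),
        ("sudo -u root /usr/bin/lpq",
         dict(command="/usr/bin/lpq", runas_user="root")),
    ]
    for label, kw in requests:
        before = "allow" if is_permitted(ENTRY, "millert", fixed=False, **kw) else "deny"
        after = "allow" if is_permitted(ENTRY, "millert", fixed=True, **kw) else "deny"
        print(f"{label:40s} 1.7.4p3: {before:5s}  1.7.4p4: {after}")
```

Running the script prints one line per request from the advisory; only the `-g operator -u root` request differs between the two models, which is exactly the case the text describes.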


Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or that contain only a Runas user, are not affected.

For example, the following entry is affected because it contains both a Runas user and a Runas group:

    millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
Whereas this one only contains a Runas user and is not affected:
    millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc


The flaw is fixed in sudo 1.7.4p4.
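An added helper, not part of sudo, that applies the two conditions stated above to a configuration: it reports sudoers entries that carry a Runas group (the affected form) and checks a version string against the 1.7.0 through 1.7.4p3 range. The sudoers grammar it parses is simplified (no line continuations, include directives or alias expansion), and the sample sudoers text is constructed for this example.

```python
# Added example: an audit helper for the conditions in this advisory. It is
# not part of sudo. It parses sudoers-style lines with a simplified grammar
# (no continuations, includes or alias expansion) and reports entries that
# contain a Runas group, plus a version check against the affected range.

import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
# user host = (runas) [tags] commands   (Defaults and *_Alias lines are skipped)
ENTRY_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.*)$"
)

# Constructed sample sudoers text, not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
Runas_Alias PRINTING = lp
millert ALL = (lp : operator) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc
millert ALL = (lp) /usr/bin/lpq, /usr/bin/lprm, /usr/bin/lpc   # Runas user only
backup  ALL = (: backup) NOPASSWD: /usr/local/bin/dump-db
%admin  ALL = (ALL) ALL
root    ALL = (ALL : ALL) ALL
"""


def parse_version(text):
    """'1.7.4p3' -> (1, 7, 4, 3); a release without a patch level gets 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_version(text):
    """Affected range from the advisory: 1.7.0 through 1.7.4p3 inclusive."""
    return (1, 7, 0, 0) <= parse_version(text) <= (1, 7, 4, 3)


def runas_group_of(runas_spec):
    """Return the group part of '(users : groups)', or None when absent."""
    if runas_spec is None or ":" not in runas_spec:
        return None
    groups = runas_spec.split(":", 1)[1].strip()
    return groups or None


def find_affected_entries(sudoers_text):
    """Return (line_no, user, runas_spec) for every entry with a Runas group."""
    found = []
    for line_no, raw in enumerate(sudoers_text.splitlines(), start=1):
        # strip comments; a '#' at line start or after whitespace begins one
        line = re.sub(r"(?:^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue
        m = ENTRY_RE.match(line)
        if m and runas_group_of(m.group("runas")) is not None:
            found.append((line_no, m.group("user"), m.group("runas").strip()))
    return found


if __name__ == "__main__":
    for line_no, user, runas in find_affected_entries(SAMPLE_SUDOERS):
        print(f"line {line_no}: entry for {user} has a Runas group in ({runas})")
    for version in ("1.7.4p3", "1.7.4p4"):
        state = "affected" if is_affected_version(version) else "not affected"
        print(f"sudo {version}: {state}")
```

On the sample text the helper flags the millert entry with `(lp : operator)`, the backup entry with `(: backup)` and the root entry with `(ALL : ALL)`, and leaves the `(lp)` and `(ALL)` entries alone; a sudoers file with no flagged entries is not exposed even on an affected version, and the version check tells you whether the fixed release is already in place.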


I would like to thank Markus Wuethrich of Swiss Post - PostFinance for reporting this issue via Red Hat.