Sudo Security Alert
Todd C. Miller
Todd.Miller at courtesan.com
Mon Jan 14 21:42:28 EST 2002
A security issue has been found by Sebastian Krahmer of the SuSE
Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix
sendmail replacement is installed on a machine an attacker may
be able to gain root privileges by way of Sudo.
Sudo versions affected:
1.6.0 - 1.6.3p7 (inclusive)
Starting with version 1.6.0 Sudo sends mail to the administrator
as root to prevent the invoking user from killing the mail process
and thus avoiding logging (in previous versions of Sudo the mail
was sent as the invoking user).
The security problem occurs because the environment that the
"sendmail" program is run with comes from the user (with some
potentially dangerous variables removed). It is thus possible for
an attacker to influence the mail program via environment variables.
This is compounded by the fact that since Sudo runs the mail program
with both real and effective uids set to 0 (root) the mailer cannot
tell that it has been called from a setuid process and thus treat
the environment with suspicion.
Currently, the only sendmail replacement known to be affected is
Postfix but others may be as well. I did a quick check of the
current version of Sendmail and it does not appear to trust the
environment in any significant manner so it is probably safe.
However, to be on the safe side I recommend that people upgrade to
Sudo 1.6.4 or 1.6.4p1 which runs the mail program with a clean
Sudo web site:
More information about the sudo-announce