[sudo-users] Re: sudo-announce Digest, Vol 13, Issue 2
Punitha
punitha at visolve.com
Fri Jun 24 00:14:48 EDT 2005
Hello All,
I could not understand the problem behind this. Can any of you please
explain it to me in detail, with examples?
Thanks in advance.
Regards,
Punitha, V.
----- Original Message -----
From: <sudo-announce-request at courtesan.com>
To: <sudo-announce at sudo.ws>
Sent: Monday, June 20, 2005 11:30 PM
Subject: sudo-announce Digest, Vol 13, Issue 2
> Send sudo-announce mailing list submissions to
> sudo-announce at sudo.ws
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.sudo.ws/mailman/listinfo/sudo-announce
> or, via email, send a message with subject or body 'help' to
> sudo-announce-request at sudo.ws
>
> You can reach the person managing the list at
> sudo-announce-owner at sudo.ws
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sudo-announce digest..."
>
>
> Today's Topics:
>
> 1. Sudo version 1.6.8p9 now available, fixes security issue.
> (Todd C. Miller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 20 Jun 2005 08:10:05 -0600
> From: "Todd C. Miller" <Todd.Miller at courtesan.com>
> Subject: [sudo-announce] Sudo version 1.6.8p9 now available, fixes
> security issue.
> To: sudo-announce at sudo.ws
> Message-ID: <200506201410.j5KEA5UL000574 at xerxes.courtesan.com>
>
> Sudo version 1.6.8, patchlevel 9 is now available, which fixes a
> race condition in Sudo's pathname validation. This is a security
> issue.
>
> Summary:
> A race condition in Sudo's command pathname handling prior to
> Sudo version 1.6.8p9 that could allow a user with Sudo privileges
> to run arbitrary commands.
>
> Sudo versions affected:
> Sudo versions 1.3.1 up to and including 1.6.8p8.
>
> Details:
> When a user runs a command via Sudo, the inode and device numbers
> of the command are compared to those of commands with the same
> basename found in the sudoers file (see the Background paragraph
> for more information). When a match is found, the path to the
> matching command listed in the sudoers file is stored in the
> variable safe_cmnd, which is later used to execute the command.
> Because the actual path executed comes from the sudoers file
> and not directly from the user, Sudo should be safe from race
> conditions involving symbolic links. However, if a sudoers
> entry containing the pseudo-command ALL follows the user's
> sudoers entry the contents of safe_cmnd will be overwritten
> with the path the user specified on the command line, making
> Sudo vulnerable to the aforementioned race condition.
>
> Impact:
> Exploitation of the bug requires that the user be allowed to
> run one or more commands via Sudo and be able to create symbolic
> links in the filesystem. Furthermore, a sudoers entry giving
> another user access to the ALL pseudo-command must follow the
> user's sudoers entry for the race to exist.
>
> For example, the following sudoers file is not affected by the
> bug:
>
> root server=ALL
> someuser server=/bin/echo
>
> Whereas this one would be:
>
> someuser server=/bin/echo
> root server=ALL
>
> Fix:
> The bug is fixed in sudo 1.6.8p9.
>
> Workaround:
> The administrator can order the sudoers file such that all
> entries granting Sudo ALL privileges precede all other entries.
>
> Credit:
> This problem was brought to my attention by Charles Morris.
>
> Background:
> The reason Sudo uses the inode for command matching is to make
> relative paths work and to avoid problems caused by automounters
> where the path to be executed is not the same as the absolute
> path to the command.
>
> Another possible approach is to use the realpath() function to
> find the true path. Sudo does not use realpath() because that
> function is not present in all operating systems and is often
> vulnerable to race conditions where it does exist.
>
> The next major Sudo release will be version 1.7. For information
> on what to expect in sudo 1.7, see http://www.sudo.ws/sudo/future.html
> You can help speed the release of Sudo 1.7 by purchasing a support
> contract or making a donation (see below).
>
> Commercial support is available for Sudo. If your organization
> uses Sudo, please consider purchasing a support contract to help
> fund future Sudo development at http://www.sudo.ws/support.html
> Custom enhancements to Sudo may also be contracted.
>
> You can also help out by making a donation or "purchase" a copy
> of Sudo at http://www.sudo.ws/purchase.html
>
> Master Web Site:
> http://www.sudo.ws/sudo/
>
> Web Site Mirrors:
> http://www.mirrormonster.com/sudo/ (Fremont, California, USA)
> http://sudo.stikman.com/ (Los Angeles, California, USA)
> http://sudo.tolix.org/ (California, USA)
> http://mirage.informationwave.net/sudo/ (Fanwood, New Jersey, USA)
> http://www.mrv2k.net/sudo/ (Bend, Oregon, USA)
> http://sudo.rtin.bz/ (Philadelphia, Pennsylvania, USA)
> http://www.signal42.com/mirrors/sudo_www/ (USA)
> http://sudo.xmundo.net/ (Argentina)
> http://sudo.planetmirror.com/ (Australia)
> http://mirror.mons-new-media.de/sudo/ (Germany)
> http://sunshine.lv/sudo/ (Latvia)
> http://rexem.uni.cc/sudo/ (Kaunas, Lithuania)
> http://sudo.cdu.elektra.ru/ (Russia)
> http://sudo.nctu.edu.tw/ (Taiwan)
>
> FTP Mirrors:
> ftp://plier.ucar.edu/pub/sudo/ (Boulder, Colorado, USA)
> ftp://ftp.cs.colorado.edu/pub/sudo/ (Boulder, Colorado, USA)
> ftp://obsd.isc.org/pub/sudo/ (Redwood City, California, USA)
> ftp://ftp.stikman.com/pub/sudo/ (Los Angeles, California, USA)
> ftp://ftp.tux.org/pub/security/sudo/ (Beltsville, Maryland, USA)
> ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West
> Lafayette, Indiana, USA)
> ftp://ftp.uwsg.indiana.edu/pub/security/sudo/ (Bloomington, Indiana,
> USA)
> ftp://ftp.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
> ftp://mirror.sg.depaul.edu/pub/security/sudo/ (Chicago, Illinois, USA)
> ftp://sudo.xmundo.net/pub/mirrors/sudo/ (Argentina)
> ftp://ftp.wiretapped.net/pub/security/host-security/sudo/ (Australia)
> ftp://ftp.tuwien.ac.at/utils/admin-tools/sudo/ (Austria)
> ftp://sunsite.ualberta.ca/pub/Mirror/sudo/ (Alberta, Canada)
> ftp://ftp.csc.cuhk.edu.hk/pub/packages/unix-tools/sudo/ (Hong Kong,
> China)
> ftp://ftp.eunet.cz/pub/security/sudo/ (Czechoslovakia)
> ftp://ftp.ujf-grenoble.fr/sudo/ (France)
> ftp://netmirror.org/ftp.sudo.ws/ (Frankfurt, Germany)
> ftp://ftp.win.ne.jp/pub/misc/sudo/ (Japan)
> ftp://ftp.st.ryukoku.ac.jp/pub/security/tool/sudo/ (Japan)
> ftp://ftp.cin.nihon-u.ac.jp/pub/misc/sudo/ (Japan)
> ftp://core.ring.gr.jp/pub/misc/sudo/ (Japan)
> ftp://ftp.ring.gr.jp/pub/misc/sudo/ (Japan)
> ftp://ftp.tpnet.pl/d6/ftp.sudo.ws/ (Poland)
> ftp://ftp.cdu.elektra.ru/pub/unix/security/sudo/ (Russia)
> ftp://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
>
> HTTP Mirrors:
> http://www.mirrormonster.com/sudo/dist/ (Fremont, California, USA)
> http://sudo.tolix.org/ftp/ (California, USA)
> http://sudo.mirror99.com/ (San Jose, California, USA)
> http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
> http://www.rge.com/pub/admin/sudo/ (Rochester, New York, USA)
> http://probsd.org/sudoftp/ (East Coast, USA)
> http://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/sudo/ (West
> Lafayette, Indiana, USA)
> http://www.signal42.com/mirrors/sudo_ftp/ (California, USA)
> http://netmirror.org/mirror/ftp.sudo.ws/ (Frankfurt, Germany)
> http://mirror.mons-new-media.de/sudo_ftp/ (Frankfurt, Germany)
> http://core.ring.gr.jp/archives/misc/sudo/ (Japan)
> http://www.ring.gr.jp/archives/misc/sudo/ (Japan)
> http://ftp.tpnet.pl/vol/d6/ftp.sudo.ws/ (Poland)
> http://sudo.tsuren.net/dist/ (Moscow, Russian Federation)
> http://ftp.nsysu.edu.tw/Unix/Security/Sudo/ (Taiwan)
>
>
> ------------------------------
>
> ____________________________________________________________
> sudo-announce mailing list <sudo-announce at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-announce
>
> End of sudo-announce Digest, Vol 13, Issue 2
> ********************************************
>
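To make the ordering condition in the announcement concrete, here is an added example (not sudo's own code and not part of the original thread) that parses a simplified sudoers file, flags every restricted entry that is followed by an entry granting the ALL pseudo-command (the ordering the announcement says lets safe_cmnd be overwritten), and applies the announced workaround of moving ALL-granting entries to the top. It assumes the simple "user host = cmnd, cmnd" spec form only: aliases, Defaults and comment lines are passed through untouched but not expanded, and backslash line continuations are not handled. The two sudoers snippets are constructed to mirror the safe and affected examples in the announcement.

```python
import re

# One user specification of the form "user host = cmnd, cmnd, ..."
SPEC_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<cmnds>.+)$')

# Line starters that are not user specifications in this simplified grammar.
NON_SPEC_PREFIXES = ('Defaults', 'Cmnd_Alias', 'User_Alias',
                     'Host_Alias', 'Runas_Alias', '#')


def grants_all(cmnd):
    """True if a single command entry is the ALL pseudo-command, ignoring
    an optional run-as prefix such as "(root)" and tags such as "NOPASSWD:"."""
    cmnd = re.sub(r'^\([^)]*\)\s*', '', cmnd.strip())
    cmnd = re.sub(r'^(?:[A-Z]+:\s*)+', '', cmnd)
    return cmnd == 'ALL'


def parse_user_specs(text):
    """Return (line_number, user, host, [commands]) for each user spec,
    in file order.  Comments, Defaults and alias lines are skipped."""
    specs = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(NON_SPEC_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if m:
            cmnds = [c.strip() for c in m.group('cmnds').split(',')]
            specs.append((number, m.group('user'), m.group('host'), cmnds))
    return specs


def find_vulnerable_ordering(text):
    """Report every restricted spec (one that does not grant ALL) that is
    followed later in the file by a spec granting ALL.  Returns a list of
    (restricted_line, restricted_user, all_line, all_user) tuples; an
    empty list means the file already has the safe ordering."""
    specs = parse_user_specs(text)
    findings = []
    for i, (rline, ruser, _, rcmnds) in enumerate(specs):
        if any(grants_all(c) for c in rcmnds):
            continue
        for aline, auser, _, acmnds in specs[i + 1:]:
            if any(grants_all(c) for c in acmnds):
                findings.append((rline, ruser, aline, auser))
                break  # one later ALL entry is enough to flag this spec
    return findings


def reorder_all_first(text):
    """Apply the announced workaround: emit Defaults/alias/comment lines
    first (so aliases stay defined before use), then every spec granting
    ALL, then the remaining specs in their original relative order."""
    specs = parse_user_specs(text)
    spec_lines = {n for n, _, _, _ in specs}
    all_lines = {n for n, _, _, cmnds in specs
                 if any(grants_all(c) for c in cmnds)}
    lines = list(enumerate(text.splitlines(), start=1))
    other = [l for n, l in lines if n not in spec_lines]
    all_specs = [l for n, l in lines if n in all_lines]
    rest = [l for n, l in lines if n in spec_lines - all_lines]
    return '\n'.join(other + all_specs + rest) + '\n'


# Constructed sudoers snippets mirroring the two examples in the announcement.
SAFE_SUDOERS = "root server=ALL\nsomeuser server=/bin/echo\n"
VULNERABLE_SUDOERS = "someuser server=/bin/echo\nroot server=ALL\n"

if __name__ == '__main__':
    for name, text in (('safe', SAFE_SUDOERS), ('vulnerable', VULNERABLE_SUDOERS)):
        findings = find_vulnerable_ordering(text)
        print(f'{name}: {len(findings)} restricted entry(ies) followed by an ALL entry')
        for rline, ruser, aline, auser in findings:
            print(f'  line {rline} ({ruser}) precedes ALL grant on line {aline} ({auser})')
    print('reordered:')
    print(reorder_all_first(VULNERABLE_SUDOERS), end='')
```

Running the block flags the second snippet (someuser's entry on line 1 precedes root's ALL grant on line 2) and prints it reordered into the safe form; the check is only a configuration audit for hosts that cannot yet be upgraded, since the announcement's actual fix is sudo 1.6.8p9.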