[sudo-users] sudo v1.7.1 runas group allows runas any user

Blazejewski Marcin-AMB107 marcin.blazejewski at motorola.com
Fri May 8 11:09:44 EDT 2009


Hi all,
I've been playing with runas group functionality, new in 1.7 versions of
sudo.
If I understood the manual correctly, if I put something like this in my
sudoers file:
amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id

... then I should only be allowed to run "id" command as ftp group, but
only as the same amb107 user. From sudoers man:

---
If the first Runas_List is empty but the second is specified, the
command may be run as the invoking user with the group set to any listed
in the Runas_List.
---

However, I was able to run the command as any other user, including root:
[amb107 at rhel ~]$ sudo -g ftp id
uid=0(root) gid=50(ftp) groups=13(news),100(users)
[amb107 at rhel ~]$ sudo -u root -g ftp id
uid=0(root) gid=50(ftp)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

This works only if I kept -g ftp switch:
[amb107 at rhel ~]$ sudo -u root id
Password:
Sorry, user amb107 is not allowed to execute '/usr/bin/id' as root on
rhel.aaa2.com.

Is this a bug or am I missing something? How can I restrict uid
escalation?
I'm using RHEL5, i686, sudo v1.7.1, only the "--prefix" option used during
the build.

Thanks in advance,
Marcin
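The rule form at issue in this message is a Runas_Spec with an empty user list, "(:ftp)", which the sudoers manual page quoted above says should bind the command to the invoking user. The following shell script is an added example (not part of the original post, and not sudo project code): it scans sudoers-format text for rules of that shape and rewrites them to the explicit "(user:group)" form, which states the intended user restriction in the rule itself. That the explicit form behaves differently on sudo 1.7.1 is an assumption and should be re-tested with "sudo -u root -g ftp id" on the version in use; the sudoers fragment in the usage section is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post or from the sudo project.
# Reads sudoers-format text on stdin.

# Print every non-comment rule whose Runas_Spec has an empty user list,
# i.e. the "(:group)" form discussed in the message.
find_empty_runas_user() {
    sed -e 's/#.*//' | grep -E '\(:[^)]*\)' || true
}

# Rewrite "user HOST=(:group) ..." to "user HOST=(user:group) ..." when the
# first field is a plain user name (User_Alias names and %group entries are
# left untouched because the invoking user is not known from the rule).
# Assumption: the explicit form is the restriction the quoted manual text
# describes; verify the rewritten rule with visudo -c and a test run.
suggest_explicit_runas() {
    awk '
        $0 !~ /^[[:space:]]*#/ && match($0, /\(:[^)]*\)/) {
            user = $1
            if (user ~ /^[a-z_][a-z0-9_-]*$/) {
                pre  = substr($0, 1, RSTART)      # up to and including "("
                rest = substr($0, RSTART + 1)     # ":group) ..."
                print pre user rest
                next
            }
        }
        { print }
    '
}

# Usage with a constructed sudoers fragment (not a real configuration):
#   printf '%s\n' "amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id" | find_empty_runas_user
#   printf '%s\n' "amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id" | suggest_explicit_runas
```

Run it as `sh check_runas.sh < /etc/sudoers` (reading the file needs root; the script itself never invokes sudo). Rules it prints are the ones to check by hand with `sudo -u root -g <group> <command>` on the installed sudo version.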
