Sudo
Potential bypass of tty_tickets constraints
When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). This time stamp file can either be common to all of a user’s terminals, or it can be specific to the particular terminal the user authenticated themselves on. The terminal-specific time stamp file behavior can be controlled using the tty_tickets option in the sudoers file. ...
IP addresses in sudoers with netmask may match additional hosts
A flaw exists in the IP network matching code in sudo versions 1.6.9p3 through 1.8.4p4 that may result in the local host being matched even though it is not actually part of the network described by the IP address and associated netmask listed in the sudoers file or in LDAP. As a result, users authorized to run commands on certain IP networks may be able to run commands on hosts that belong to other networks not explicitly listed in sudoers. ...
Sudo format string vulnerability
A flaw exists in the debugging code in sudo versions 1.8.0 through 1.8.3p1 that can be used to crash sudo or potentially allow an unauthorized user to elevate privileges. Sudo versions affected: 1.8.0 through 1.8.3p1 inclusive. Older versions of sudo are not affected. CVE ID: This vulnerability has been assigned CVE-2012-0809 in the Common Vulnerabilities and Exposures database. Details: Sudo 1.8.0 introduced simple debugging support that was primarily intended for use when developing policy or I/O logging plugins. ...
Flaw in Runas Group password checking
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group), if allowed by the sudoers file. A flaw exists in sudo’s password checking logic that allows a user to run a command with only the group changed without being prompted for a password. Sudo versions affected: Sudo 1.7.0 through 1.7.4p4. ...
Flaw in Runas group matching
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo’s -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file. ...
Sudo's secure path option can be circumvented
Sudo’s “secure path” feature works by replacing the PATH environment variable with a value specified in the sudoers file, or at compile time if the --with-secure-path configure option is used. The flaw is that sudo only replaces the first instance of PATH in the environment. If the program being run through sudo uses the last instance of PATH in the environment, an attacker may be able to avoid the “secure path” restrictions. ...
Additional privilege escalation bug with sudoedit
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.8 through 1.7.2p5 that may give a user with permission to run sudoedit the ability to run arbitrary commands. This bug is related to, but distinct from, CVE-2010-0426. Sudo versions affected: 1.6.8 through 1.7.2p5 inclusive. CVE ID: This vulnerability has been assigned CVE-2010-1163 in the Common Vulnerabilities and Exposures database. Details: When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). ...
Privilege escalation bug with sudoedit
A flaw exists in sudo’s -e option (aka sudoedit) in sudo versions 1.6.9 through 1.7.2p3 that may give a user with permission to run sudoedit the ability to run arbitrary commands. Sudo versions affected: 1.6.9 through 1.7.2p3 inclusive. CVE ID: This vulnerability has been assigned CVE-2010-0426 in the Common Vulnerabilities and Exposures database. Details: When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). ...
Negation within a Cmnd_Alias not honored
A flaw exists in sudo versions 1.7.0 to 1.7.2p1 that caused the negation operator to have no effect when used in a Cmnd_Alias. Sudo versions affected: 1.7.0 through 1.7.2p1 inclusive. Details: Sudo uses the Cmnd_Alias syntax for named groups of commands in the sudoers file. The Cmnd_Alias is expanded when command matching is performed as sudo checks whether a user is allowed to run a particular command. ...
Bug in supplemental group matching
A bug was introduced in Sudo’s group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies. Sudo versions affected: Sudo versions 1.6.9 up to and including 1.6.9p19. Sudo version 1.7.0 is not affected. CVE ID: This vulnerability has been assigned CVE-2009-0034 in the Common Vulnerabilities and Exposures database. ...