Sudo

Security Issue with Sudo and Postfix

A security issue has been found by Sebastian Krahmer of the SuSE Security Team in Sudo versions 1.6.0 - 1.6.3p7. When the Postfix sendmail replacement is installed on a machine, an attacker may be able to gain root privileges by way of Sudo.

Sudo versions affected:

1.6.0 - 1.6.3p7 (inclusive)

Details:

Starting with version 1.6.0, Sudo sends mail to the administrator as root. This prevents the invoking user from killing the mail process and thus avoiding logging (in previous versions of Sudo the mail was sent as the invoking user).

The security problem occurs because the environment that the “sendmail” program is run with comes from the user (with some potentially dangerous variables removed). It is thus possible for an attacker to influence the mail program via environment variables. This is compounded by the fact that Sudo runs the mail program with both real and effective uids set to 0 (root), so the mailer cannot tell that it has been called from a setuid process and therefore does not treat the environment with suspicion.

Currently, the only sendmail replacement known to be affected is Postfix, but others may be as well. I did a quick check of the current version of Sendmail and it does not appear to trust the environment in any significant manner, so it is probably safe. However, to be on the safe side, I recommend that people upgrade to Sudo 1.6.4 or higher, which runs the mail program with a clean environment. Admins wishing to run the mailer as the invoking user and not as root should use the --disable-root-mailer configure option in Sudo 1.6.5.
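The two behaviours described above, side by side, as an added C example (not Sudo's code): a parent starts a helper either with the caller's environment or with a fixed environment built into the program. Here /bin/sh stands in for the mail program, and DEMO_MAILER_VAR, run_helper, run_inherited and run_clean are names made up for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

/* Fixed environment for the helper: nothing is copied from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", "SHELL=/bin/sh", NULL };

/* Run /bin/sh (stand-in for the mailer) with envp and capture the value it
 * sees for DEMO_MAILER_VAR, a constructed name. Returns 0 on success. */
int run_helper(char *const envp[], char *out, size_t outlen)
{
    char *const argv[] = { "sh", "-c", "printf '%s' \"${DEMO_MAILER_VAR-unset}\"", NULL };
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    if (outlen == 0 || pipe(fds) == -1)
        return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: becomes the helper */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1) _exit(127);
        execve("/bin/sh", argv, envp);   /* absolute path, explicit environment */
        _exit(127);
    }
    close(fds[1]);
    while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) == -1) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int run_inherited(char *out, size_t n) { return run_helper(environ, out, n); }
int run_clean(char *out, size_t n)     { return run_helper(clean_env, out, n); }

int main(void)
{
    char a[64], b[64];
    setenv("DEMO_MAILER_VAR", "set-by-invoking-user", 1);   /* constructed input */
    if (run_inherited(a, sizeof a) || run_clean(b, sizeof b)) return 1;
    printf("inherited: %s\nclean:     %s\n", a, b);
    return 0;
}
```

With the inherited environment the helper sees the caller's value; with the fixed environment the variable never reaches it, whatever the invoking user exported.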

Workarounds:

If you use Postfix but do not wish to update Sudo, you may edit the Postfix misc.cf configuration file and change the “import_environment” specification to only include TZ. For example:

import_environment = TZ