Vulnerabilities in sudo closed

Several Linux distributors have released updated sudo packages to fix two vulnerabilities that allow users with limited access rights to escalate their privileges. The sudo (super user do) command is intended to allow users to execute certain commands at another user's privilege level - usually root. The contents of the /etc/sudoers file determines whether or not a user is authorised to execute a command at a higher privilege level (by preceding the command with sudo) without further authentication. This allows administrators to give other users the rights required to handle certain management tasks without giving them overall root access.

The tasks can, for instance, include managing a file; for this purpose, sudo offers added functions called pseudo commands such as sudoedit for file editing. However, this function can reportedly be exploited by attackers to execute an identically named file in the home directory (and other directories) of the user who has root access – and this file can, in turn, contain arbitrary commands.

Further implementation flaws are contained in the runas_default option, which potentially also grants root access. Administrators can set the user context for command execution to that of another user rather than root in /etc/suoders. This is intended to save users having to add the (sudo) -u username option to their command. However, the programming flaw causes sudo to set the group privileges not for the stated user, but to root instead.

The flaw is inconsequential in standard installations because runas_default isn't usually enabled there. The official version of sudo is also unaffected. The updated version, 1.7.2p4, fixes the flaw in sudoedit. The stable version has since been updated to version 1.7.2p5(direct download) to fix two other bugs.

(djwm)