Date: Wed, 11 Jul 2001 13:41:01 -0400 (EDT)
From: EnGarde Secure Linux <[email protected]>
To: [email protected], [email protected]Subject: [ESA-20010711-02] sudo elevated privileges vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory July 11, 2001 |
| http://www.engardelinux.org/ ESA-20010711-02 |
| |
| Package: sudo |
| Summary: Users in the 'admin' group can gain elevated privileges. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that features
improved access control, host and network intrusion detection, Web
based secure remote management, complete e-commerce using AllCommerce,
and integrated open source security tools.
OVERVIEW
- --------
The configuration file for the sudo package which shipped with EnGarde
Secure Linux 1.0.1 can allow users in the 'admin' group to gain elevated
privileges by leveraging certain commands.
DETAIL
- ------
Ralf Hemmann has, via the engarde-users mailing list, brought a security
issue with our default /etc/sudoers file to our attention.
In EnGarde Secure Linux, users in the 'admin' group have more privileges
then a normal user. They are allowed to execute more commands (such as
su(1)) and are allowed to read certain configuration files that non-admin
users are not allowed to.
One of these commands is the sudo command, which allows a normal user to
execute a command with elevated privileges. By default, any user in the
'admin' group can run several commands as defined in the /etc/sudoers
file.
However, some of these commands can lead to a total root shell since
they are running with root privileges.
We do not deem this a major security issue as users listed in the 'admin'
group are normally trusted users. However "trusted" does not mean you
want them to have full-blown root access, so we are issuing this
advisory. Environments where untrusted users may be a member of the
'admin' group should implement the countermeasures outlined in this
advisory to eliminate the threat of a user gaining root privileges
without their knowledge.
SOLUTION
- --------
We are not issuing updated packages to fix this problem, as the
/etc/sudoers file is a configuration file which would not be replaced
by an updated package.
Solution 1: No Action at All
-----------------------------
No action needs to be taken if you:
a) trust all of the users in your 'admin' group; and
b) understand the security implications of allowing them to run
commands that can lead to them having elevated privileges.
If both these are true, then no action is required.
Solution 2: Remove the sudo Package
------------------------------------
If you do not use sudo, and do not think you ever will, then it is
safe to remove the sudo package completely.
Before removing the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS
To remove sudo, execute the command:
# rpm -e sudo
To reload the LIDS configuration, execute the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS
The sudo package is now removed, and the issue is closed.
Solution 3: Remove the 'admin' Group Privileges
------------------------------------------------
This solution to the problem uses the visudo(8) command to edit the
/etc/sudoers file. Please note that you will be brought in to vi(1)
by default. If you are not comfortable using vi then we recommend
you change your EDITOR environment variable to pico(1) by typing:
# export EDITOR=pico
To remove admin privileges completely, execute the command:
# visudo
Now comment out or remove the line "%admin ALL=ADMINCMDS, NETCMDS"
from the user privilege specification. This line should be the last
line in the file. The changes will take effect when you exit the
editor, saving your changes.
UPDATED PACKAGES
- ----------------
There are no updated packages at this time.
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Ralf Hemmann <[email protected]>
sudo's Official Web Site:
http://www.courtesan.com/sudo/
Security Contact: [email protected]
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20010711-02-sudo,v 1.5 2001/07/11 16:56:28 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <[email protected]>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7TI+3HD5cqd57fu0RAuWzAJ4yLpK/w9c2brddafxVScRAFyFFugCcDcxr
adpkjUmqTvdF70Dl5HK7DyM=
=UFxX
-----END PGP SIGNATURE-----
