6736396 2001-07-11 13:41 -0400 /159 rader/ EnGarde Secure Linux <security@guardiandigital.com>
Sänt av: joel@lysator.liu.se
Importerad: 2001-07-12 02:19 av Brevbäraren
Extern mottagare: engarde-security@guardiandigital.com
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17927>
Ärende: [ESA-20010711-02] sudo elevated privileges vulnerability
------------------------------------------------------------
From: EnGarde Secure Linux <security@guardiandigital.com>
To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.10.10107111340460.23897-100000@mastermind.inside.guardiandigital.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory July 11, 2001 |
| http://www.engardelinux.org/ ESA-20010711-02 |
| |
| Package: sudo |
| Summary: Users in the 'admin' group can gain elevated privileges. |
+------------------------------------------------------------------------+
EnGarde Secure Linux is a secure distribution of Linux that
features improved access control, host and network intrusion
detection, Web based secure remote management, complete e-commerce
using AllCommerce, and integrated open source security tools.
OVERVIEW
- --------
The configuration file for the sudo package which shipped with EnGarde
Secure Linux 1.0.1 can allow users in the 'admin' group to gain elevated
privileges by leveraging certain commands.
DETAIL
- ------
Ralf Hemmann has, via the engarde-users mailing list, brought a security
issue with our default /etc/sudoers file to our attention.
In EnGarde Secure Linux, users in the 'admin' group have more
privileges then a normal user. They are allowed to execute more
commands (such as su(1)) and are allowed to read certain
configuration files that non-admin users are not allowed to.
One of these commands is the sudo command, which allows a normal
user to execute a command with elevated privileges. By default,
any user in the 'admin' group can run several commands as defined
in the /etc/sudoers file.
However, some of these commands can lead to a total root shell since
they are running with root privileges.
We do not deem this a major security issue as users listed in the
'admin' group are normally trusted users. However "trusted" does
not mean you want them to have full-blown root access, so we are
issuing this advisory. Environments where untrusted users may be a
member of the 'admin' group should implement the countermeasures
outlined in this advisory to eliminate the threat of a user gaining
root privileges without their knowledge.
SOLUTION
- --------
We are not issuing updated packages to fix this problem, as the
/etc/sudoers file is a configuration file which would not be replaced
by an updated package.
Solution 1: No Action at All
-----------------------------
No action needs to be taken if you:
a) trust all of the users in your 'admin' group; and
b) understand the security implications of allowing them to run
commands that can lead to them having elevated privileges.
If both these are true, then no action is required.
Solution 2: Remove the sudo Package
------------------------------------
If you do not use sudo, and do not think you ever will, then it is
safe to remove the sudo package completely.
Before removing the package, the machine must either:
a) be booted into a "standard" kernel; or
b) have LIDS disabled.
To disable LIDS, execute the command:
# /sbin/lidsadm -S -- -LIDS
To remove sudo, execute the command:
# rpm -e sudo
To reload the LIDS configuration, execute the command:
# /usr/sbin/config_lids.pl
To re-enable LIDS (if it was disabled), execute the command:
# /sbin/lidsadm -S -- +LIDS
The sudo package is now removed, and the issue is closed.
Solution 3: Remove the 'admin' Group Privileges
------------------------------------------------
This solution to the problem uses the visudo(8) command to edit the
/etc/sudoers file. Please note that you will be brought in to vi(1)
by default. If you are not comfortable using vi then we recommend
you change your EDITOR environment variable to pico(1) by typing:
# export EDITOR=pico
To remove admin privileges completely, execute the command:
# visudo
Now comment out or remove the line "%admin ALL=ADMINCMDS,
NETCMDS" from the user privilege specification. This line should
be the last line in the file. The changes will take effect when
you exit the editor, saving your changes.
UPDATED PACKAGES
- ----------------
There are no updated packages at this time.
REFERENCES
- ----------
Guardian Digital's public key:
http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY
Credit for the discovery of this bug goes to:
Ralf Hemmann <ralf@convergence.de>
sudo's Official Web Site:
http://www.courtesan.com/sudo/
Security Contact: security@guardiandigital.com
EnGarde Advisories: http://www.engardelinux.org/advisories.html
- --------------------------------------------------------------------------
$Id: ESA-20010711-02-sudo,v 1.5 2001/07/11 16:56:28 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com>
Copyright 2001, Guardian Digital, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7TI+3HD5cqd57fu0RAuWzAJ4yLpK/w9c2brddafxVScRAFyFFugCcDcxr
adpkjUmqTvdF70Dl5HK7DyM=
=UFxX
-----END PGP SIGNATURE-----
(6736396) /EnGarde Secure Linux <security@guardiandigital.com>/(Ombruten)