[ale] RESOLVED Re: security hole? NO

Tim Watts timtw at earthlink.net
Thu Jul 30 09:53:11 EDT 2009


OK, I don't think there's an issue here.

I tried your command this morning and it failed just fine. But I know it was 
working with any command I could throw at it last night. So I tried the mount 
command again, and guess what? It failed too! So what the heck is going on?

Well, (as some of you probably know) sudo keeps a token for each 
(user,terminal) pair. So when I say 'sudo doSomethingSensitive' on pts/1 the 
file /var/run/sudo/timtw/1 gets touched. And when I say 'sudo -K' it wipes the 
file. Now here's where it gets interesting. When I say 

echo <mypassword> | sudo -S doSomethingSensitive >/dev/null

sudo runs without an associated terminal. So /var/run/sudo/timtw/unknown gets 
touched. And naturally,

echo | sudo -S doSomethingSensitive >/dev/null

simply retouches the file. Also naturally, sudo -K won't kill that file. So 
that's why those commands appeared to be running privileged code "without a 
password". I was just renewing the token from a previously successful sudo.

Sorry for the alarm. Hope it was as educational for others as it was for me!


On Thursday 30 July 2009 6:59:59 am Richard Bronosky wrote:
> Does it only work with mount? Could you try the steps again with sudo
> touch /etc/test
>
> On 7/30/09, Tim Watts <timtw at earthlink.net> wrote:
> > Hi,
> >
> > What's wrong with this picture?
> >
> > -------------------------------------------------
> > timtw@dellberry:~$ sudo -K
> >
> >
> > timtw@dellberry:~$ echo | sudo -S mount /dev/sda5 /mnt >/dev/null
> >
> > timtw@dellberry:~$ echo $?
> > 0
> >
> > timtw@dellberry:~$ mount
> > <...snip...>
> > /dev/sda5 on /mnt type ext3 (rw)
> >
> > timtw@dellberry:~$ sudo umount /mnt
> > [sudo] password for timtw:{i hit ^C here}
> >
> > timtw@dellberry:~$ echo | sudo -S umount /mnt >/dev/null
> >
> > timtw@dellberry:~$ echo $?
> > 0
> >
> > timtw@dellberry:~$ mount
> > /dev/sda5 on / type ext3 (rw,relatime,errors=remount-ro)
> > tmpfs on /lib/init/rw type tmpfs (rw,nosuid,mode=0755)
> > /proc on /proc type proc (rw,noexec,nosuid,nodev)
> > sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
> > varrun on /var/run type tmpfs (rw,nosuid,mode=0755)
> > varlock on /var/lock type tmpfs (rw,noexec,nosuid,nodev,mode=1777)
> > udev on /dev type tmpfs (rw,mode=0755)
> > tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)
> > devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=620)
> > fusectl on /sys/fs/fuse/connections type fusectl (rw)
> > lrm on /lib/modules/2.6.27-14-generic/volatile type tmpfs (rw,mode=755)
> > securityfs on /sys/kernel/security type securityfs (rw)
> > binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc
> > (rw,noexec,nosuid,nodev)
> > mtpfs on /media/mtp type fuse.mtpfs (rw,nosuid,nodev,allow_other)
> >
> > timtw@dellberry:~$
> > -------------------------------------------------
> >
> > Here's the key point: I was able to perform privileged actions while my
> > sudo "token" was expired WITHOUT entering a password. Now it's true that
> > a person without sudo privileges couldn't do this but it still seems like
> > a hole to me.
> > The odd thing is that without the >/dev/null (or any redirect), the
> > commands fail as expected. This does NOT happen on my machine with kernel
> > version 2.6.27-7-generic.
> >
> > Can anyone reproduce this?
> >
> > Here's the relevant version info:
> > -------------------------------------------------
> > timtw@dellberry:~$ sudo -V
> > Sudo version 1.6.9p17
> >
> > timtw@dellberry:~$ bash --version
> > GNU bash, version 3.2.39(1)-release (i486-pc-linux-gnu)
> > Copyright (C) 2007 Free Software Foundation, Inc.
> >
> > timtw@dellberry:~$ mount --version
> > mount from util-linux-ng 2.14 (with libvolume_id and selinux support)
> >
> > timtw@dellberry:~$ uname -a
> > Linux dellberry 2.6.27-14-generic #1 SMP Tue Jun 30 19:57:39 UTC 2009
> > i686 GNU/Linux
> >
> > timtw@dellberry:~$ cat /etc/*rel*
> > DISTRIB_ID=Ubuntu
> > DISTRIB_RELEASE=8.10
> > DISTRIB_CODENAME=intrepid
> > DISTRIB_DESCRIPTION="Ubuntu 8.10"
> >
> > timtw@dellberry:~$
> > -------------------------------------------------
> >
> >
> > --
> > A banker is a fellow who lends you his umbrella when the sun is shining,
> > but wants it back the minute it begins to rain.
> >  -- Mark Twain

-- 
Victory attained by violence is tantamount to a defeat, for it is momentary.
 -- Mahatma Gandhi
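
An added example (not part of the original thread): a shell function that lists sudo tickets still inside the timeout window, using the /var/run/sudo/<user>/<tty> layout described in the message above, and marks the "unknown" ticket that terminal-less sudo runs keep refreshing. The function names and output format are made up for this example; the timeout argument should be the system's own timestamp_timeout value.

```shell
#!/bin/sh
# Added example: audit sudo tickets laid out as the message describes,
#   <dir>/<user>/<tty-number>   for sudo run on a terminal
#   <dir>/<user>/unknown        for sudo run without a terminal
# Function names and output format are hypothetical.

# fresh_sudo_tickets DIR TIMEOUT_MINUTES
# Prints "<user> <ticket> <tty|no-tty>" for every ticket whose mtime is
# newer than TIMEOUT_MINUTES, i.e. one sudo would still honour.
fresh_sudo_tickets() {
    dir=$1
    timeout=$2
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 2 -maxdepth 2 -type f -mmin "-$timeout" |
    sort |
    while IFS= read -r path; do
        ticket=${path##*/}      # last path component: tty number or "unknown"
        userdir=${path%/*}
        user=${userdir##*/}     # parent directory name: the user
        if [ "$ticket" = unknown ]; then
            kind=no-tty
        else
            kind=tty
        fi
        printf '%s %s %s\n' "$user" "$ticket" "$kind"
    done
}

# count_no_tty_tickets DIR TIMEOUT_MINUTES
# Number of fresh tickets created by terminal-less sudo runs.
count_no_tty_tickets() {
    fresh_sudo_tickets "$1" "$2" | awk '$3 == "no-tty" { n++ } END { print n + 0 }'
}

# Stand-alone use: pass the ticket directory and the timeout in minutes.
if [ "$#" -eq 2 ]; then
    fresh_sudo_tickets "$1" "$2"
fi
```

Reading /var/run/sudo normally requires root. A fresh "unknown" line for a user explains why a piped `sudo -S` succeeds even though the terminal's own ticket was just removed.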


