lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Sudoedit will allow the user to escape to a root shell - solved

Post by lorisalbanese » 2015/02/04 14:00:23

Hi all,
I'm new to this forum. I use CentOS (5.11 and 6.6) without any problem on several servers. I'm new to CentOS 7.
I have recently installed a new box (7.0.1406 (Core)) and I'm running sudo to delegate privileged commands to normal users.

This is my sudoers file:
---
Host_Alias SVILUPPO = abbey,dev-rpm-7
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/CentOS-Base.repo
---

This is what happens when an unprivileged user logs in to the box and executes sudoedit:

%%%
[loris@dev-rpm-7 ~]$ id
uid=10501(loris) gid=10501(linuxusers) groups=10501(linuxusers),10510(MGT-Sviluppo),10516(svn_didanet)
[loris@dev-rpm-7 ~]$ sudo -l
[sudo] password for loris:
Matching Defaults entries for loris on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User loris may run the following commands on this host:
(root) PASSWD: /bin/su - rpmbuild, (root) /usr/bin/sudoedit -e /etc/yum.repos.d/CentOS-Base.repo

[loris@dev-rpm-7 ~]$ sudo /usr/bin/sudoedit -e /etc/yum.repos.d/CentOS-Base.repo

(the vi editor appears)
~
[...]
~
~
"/var/tmp/CentOS-BaseXXBL2CxL.repo" 44L, 1621C

(the user presses "esc", then ":sh" ... and it drops a root shell!)

[root@dev-rpm-7 loris]#
%%%

What's wrong? The same settings on a CentOS 5 or CentOS 6 box work perfectly and sudoedit does not drop a root shell.
(cf. https://access.redhat.com/solutions/57331).

Googling this issue leads me to the same solution: to use sudoedit.
Have I missed something? Can you help me solve this very strange issue?
This is beyond my experience and RTFM doesn't work.
Thank you in advance. Loris
Last edited by lorisalbanese on 2015/02/06 12:57:55, edited 2 times in total.

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoedit will allow the user to escape to a root shell

Post by TrevorH » 2015/02/04 14:40:28

You're running `sudo sudoedit` which runs sudoedit as root to start with! Don't do that. Just run sudoedit -e /etc/yum.repos.d/CentOS-Base.repo.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Re: Sudoedit will allow the user to escape to a root shell

Post by lorisalbanese » 2015/02/04 14:54:46

TrevorH wrote:You're running `sudo sudoedit` which runs sudoedit as root to start with! Don't do that. Just run sudoedit -e /etc/yum.repos.d/CentOS-Base.repo.
Thank you for the quick reply. I'm afraid... your trick does not work. I cannot delegate editing without sudo. How can I?


[loris@dev-rpm-7 ~]$ sudoedit -e /etc/yum.repos.d/CentOS-Base.repo
[sudo] password for loris:
Sorry, user lalbanese is not allowed to execute 'sudoedit /etc/yum.repos.d/CentOS-Base.repo' as root on dev-rpm-7.kion.it.

dev-rpm-7 ~]$ /usr/bin/sudoedit -e /etc/yum.repos.d/CentOS-Base.repo
Sorry, user loris is not allowed to execute 'sudoedit /etc/yum.repos.d/CentOS-Base.repo' as root on dev-rpm-7.kion.it.


:-(
Last edited by lorisalbanese on 2015/02/06 10:58:19, edited 1 time in total.

lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Re: Sudoedit will allow the user to escape to a root shell

Post by lorisalbanese » 2015/02/04 15:07:49

Reading on the sudo creator's web site ...
http://www.sudo.ws/sudoers.man.html#x50 ... 6361706573

Now I'm using this workaround ....

%linuxusers SVILUPPO=(root) NOEXEC:/usr/bin/vi /etc/yum.repos.d/CentOS-Base.repo

but ... reading on link above ....

"Note that restricting shell escapes is not a panacea. Programs running as root are still capable of many potentially hazardous operations (such as changing or overwriting files) that could lead to unintended privilege escalation. In the specific case of an editor, a safer approach is to give the user permission to run sudoedit."

Something happened, IMHO. I will investigate. BTW running "sudo sudoedit" on RH 6 or RH 5 ... will not drop a user into a root shell :-(

Thank you very much
Last edited by lorisalbanese on 2015/02/06 10:58:37, edited 1 time in total.

lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Re: Sudoedit will allow the user to escape to a root shell

Post by lorisalbanese » 2015/02/04 15:44:29

Same issue on CentOS 6. I have replicated the problem on a box running CentOS 6.6, using sudo-1.8.6p3-15.el6.x86_64.
A user with unprivileged access drops a root shell using sudoedit :-(

I'm sure that I was using sudoedit in the same way and the user did not drop down to a root shell.

I'm very confused now.

Can anyone explain to me what's happening? What is missing or wrong in my sudoers file?

Thank you so much.

Loris
Last edited by lorisalbanese on 2015/02/06 11:00:20, edited 2 times in total.

avij
Retired Moderator
Posts: 3046
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: Sudoedit will allow the user to escape to a root shell

Post by avij » 2015/02/04 16:21:29

Please clarify your above message. Were you using sudo sudoedit or sudoedit?

If you can 'sudo', yes, you can do anything a root user can do. If you can use sudo, you can also run sudo -i to become root instantly, without having to execute any other command.

If you run sudo sudoedit, you will become root at the "sudo" stage if the authorization check passes. The command specified after sudo will be executed with root privileges, regardless of what command it is.

(edit: It's also possible to restrict what commands you can execute with sudo. My point was that if you can use plain sudo to become root, it's also possible to get a root shell from a command invoked from sudo, if the command allows spawning a new shell.)

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoedit will allow the user to escape to a root shell

Post by TrevorH » 2015/02/04 16:22:33

Cmnd_Alias SUPPORT = sudoedit /etc/smokeping/config
# Allows people in group support to run selected commands
%support ALL=(ALL)      SUPPORT

lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Re: Sudoedit will allow the user to escape to a root shell

Post by lorisalbanese » 2015/02/05 08:59:33

TrevorH wrote:

Cmnd_Alias SUPPORT = sudoedit /etc/smokeping/config
# Allows people in group support to run selected commands
%support ALL=(ALL)      SUPPORT
Thank you for this part of the config. So now the question is ... are you using this config yourself, or is it only theory?
Looking at the documentation, your config implies that any member of group support can run "sudoedit /etc/smokeping/config" on all machines, running the command as any user available on the box.
Does the user run the command "sudoedit /etc/smokeping/config" or "sudo sudoedit /etc/smokeping/config"?
In all my tests, running the command "sudoedit /etc/smokeping/config" gives the user an error.

Looking at the sudo manual, I read:

" What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm—but only as operator. E.g.,
$ sudo -u operator /bin/ls
It is also possible to override a Runas_Spec later on in an entry. "

Now, with your config, can you explain to me how an unprivileged user (member of group support) can run sudoedit?
Are you running tests over your config?
I can't understand, or, I think, you are in trouble.

I hope you can help me understand how a user can run the "sudoedit" command without using "sudo".
Thank you in advance.

Loris

TrevorH
Site Admin
Posts: 33220
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Sudoedit will allow the user to escape to a root shell

Post by TrevorH » 2015/02/05 09:56:41

That's an actual working example. The member of the group support runs sudoedit /etc/smokeping/config

lorisalbanese
Posts: 10
Joined: 2013/03/22 16:13:38
Location: Italy

Re: Sudoedit will allow the user to escape to a root shell

Post by lorisalbanese » 2015/02/05 11:45:35

TrevorH wrote:That's an actual working example. The member of the group support runs sudoedit /etc/smokeping/config
:-\ how is the run made?

Really ... I can't understand.

Every entry in the sudoers file must be executed by prefixing the command with "sudo".

Can you explain to me how you can run sudoedit without prefixing sudo? :-\
Please. Thank you. Loris
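As an added example (not written by any of the posters above), a small Python linter that flags the two sudoers mistakes this thread turns on: sudoedit written with a leading path, which makes sudo run it as an ordinary root binary so that the editor (and its ":sh" escape) runs as root, and an editor such as vi granted directly, which the sudoers manual quoted above warns against even under NOEXEC. The sudoers text is constructed from the rules posted in the thread, and the problem labels and the function names are my own.

```python
import os
import re

# Constructed sudoers excerpt, modelled on the rules posted in this thread.
SAMPLE_SUDOERS = """\
Defaults requiretty
Host_Alias SVILUPPO = abbey,dev-rpm-7
Cmnd_Alias SUPPORT = sudoedit /etc/smokeping/config
%wheel ALL=(ALL) ALL
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/CentOS-Base.repo
%linuxusers SVILUPPO=(root) NOEXEC:/usr/bin/vi /etc/yum.repos.d/CentOS-Base.repo
%support ALL=(ALL)      SUPPORT
"""

EDITORS = {"vi", "vim", "view", "nano", "emacs"}
SKIP = ("Defaults", "Host_Alias", "User_Alias", "Runas_Alias")
# Command list of a Cmnd_Alias, or of a "user host=(runas) cmds" user spec.
RULE_RE = re.compile(r"^(?:Cmnd_Alias\s+\w+\s*=|\S+\s+\S+?=(?:\([^)]*\))?)\s*(.*)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")   # PASSWD:, NOEXEC:, NOPASSWD: ...

def split_commands(line):
    """Yield (tag-free command, its arguments) for every command in one rule line."""
    m = RULE_RE.match(line)
    if not m:
        return
    for cmd in m.group(1).split(","):
        tokens = TAG_RE.sub("", cmd.strip()).split()
        if tokens:
            yield tokens[0], tokens[1:]

def lint_sudoers(text):
    """Return (line_number, problem) for rules that end up running an editor as root."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP):
            continue
        for cmd, args in split_commands(line):
            if os.path.basename(cmd) == "sudoedit":
                if "/" in cmd:   # only the bare word is the sudoedit pseudo-command
                    findings.append((lineno, "sudoedit-with-path"))
                if any(a.startswith("-") for a in args):   # args are file names, not flags
                    findings.append((lineno, "sudoedit-flag-arg"))
            elif os.path.basename(cmd) in EDITORS:
                findings.append((lineno, "editor-as-root"))
    return findings

def rewrite_command(cmd):
    """Rewrite one offending command as the bare sudoedit pseudo-command over its files."""
    tokens = TAG_RE.sub("", cmd.strip()).split()
    files = [t for t in tokens[1:] if not t.startswith("-")]
    return "sudoedit " + " ".join(files)
```

With a rule rewritten this way the member of the group runs plain `sudoedit /path/to/file` (no `sudo` prefix) and the editor runs as the invoking user, which is what TrevorH's example does.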
