Package: sudo
Version: 1.7.4p4-2
Severity: important
Tags: security
Hi,
normally sudo doesn't allow to change the GID only:
$ sudo -g staff id
Sorry, user alexander is not allowed to execute '/usr/bin/id' as alexander:staff on alexander.
$
The solution for this is to change the %sudo entry in /etc/sudoers like
this:
%sudo ALL=(ALL:ALL) ALL
This line has been the default in sid for over a month now (see
#602699[1]). However the above line seems to have some serious, unwanted
side-effects:
If you normally use sudo, you're asked to re-authenticate yourself,
typically via password:
$ sudo -u root id
[sudo] password for alexander:
uid=0(root) gid=0(root) groups=0(root)
But if you only want to change the GID, sudo DOES NOT ask for a
password, even not if you explicitly reset the time stamp:
$ sudo -g staff id
uid=1000(alexander) gid=50(staff) groups=1000(alexander),27(sudo),112(fuse)
$ sudo -k
$ sudo -g staff id
uid=1000(alexander) gid=50(staff) groups=1000(alexander),27(sudo),112(fuse)
IMHO this is a security issue[2], since it allows privilege escalation
without asking for a password. Either this bug should be fixed[3] or
sudo should stop asking for a password completely. The current behavior
is inconsistent and violates the principle of least surprise.
Best regards
Alexander Kurtz
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=602699
[2] I chose "Severity: important" because the problem only occurs when
you are a member of the sudo group. Please feel free to raise the
severity if you think it is necessary.
[3] Please note that simply reverting the fix for #602699 is NOT a
solution!
Attachment:
signature.asc
Description: This is a digitally signed message part