
system/1559: visudo creates initial sudoers file with wrong mode

>Number:         1559
>Category:       system
>Synopsis:       visudo creates initial sudoers file with wrong mode
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Dec 12 11:00:02 MST 2000
>Last-Modified:
>Originator:     Dimitry Andric
>Organization:
net
>Release:        1.6.3 (from OpenBSD 2.8)
>Environment:
	
	System      : OpenBSD 2.8
	Architecture: OpenBSD.i386
	Machine     : i386
>Description:
If there isn't any /etc/sudoers file yet, and /usr/sbin/visudo is run,
it creates the file itself, and starts the editor. However, if you
then immediately quit from the editor, without entering anything,
visudo will say:

visudo: Zero length temporary file (/etc/sudoers.tmp), /etc/sudoers unchanged.

The /etc/sudoers file has been created however, and with a random (so
most of the time unsafe) mode! This is caused by line 169 (approx) of
visudo.c:

    /*
     * Open sudoers, lock it and stat it.  
     * sudoers_fd must remain open throughout in order to hold the lock.
     */
    sudoers_fd = open(sudoers, O_RDWR | O_CREAT);
    if (sudoers_fd == -1) {

The required SUDOERS_MODE isn't explicitly passed to open(2) here, so
it will take on some random value, depending on what's on the stack at
that particular moment.

This situation also occurs if you _do_ enter text into the
sudoers.tmp file, but with an invalid syntax, so that visudo refuses
to accept it, and then abort (with x). The /etc/sudoers file will then
have the same random mode.

Additionally, if you enter valid text, the sudoers file will be
updated, and correctly set to the SUDOERS_MODE mode. However, there is
still a (small) window in which the file has a possibly unsafe mode,
namely while you are busy editing the file. In this window a malicious
user could try to take control of the file... :(

Lastly, this problem does not occur if the sudoers file already
exists.

I ran into this, because I ran sudo after an aborted session of
visudo, and sudo complained:

sudo: /etc/sudoers is mode 04754, should be 0440

and root then got some paranoia mail in his mailbox. ;-)

>How-To-Repeat:
mv /etc/sudoers /etc/sudoers.backup
visudo			(wait till it starts editor, then abort editing)
sudo			(complains about invalid /etc/sudoers mode)
ls -l /etc/sudoers	(should have some random mode, usually unsafe)
>Fix:
diff -u /usr/src/usr.bin/sudo/visudo.c visudo.c
--- /usr/src/usr.bin/sudo/visudo.c      Mon Jun  5 16:01:15 2000
+++ visudo.c    Tue Dec 12 18:29:39 2000
@@ -166,7 +166,7 @@
      * Open sudoers, lock it and stat it.  
      * sudoers_fd must remain open throughout in order to hold the
lock.
      */
-    sudoers_fd = open(sudoers, O_RDWR | O_CREAT);
+    sudoers_fd = open(sudoers, O_RDWR | O_CREAT, SUDOERS_MODE);
     if (sudoers_fd == -1) {
        (void) fprintf(stderr, "%s: %s: %s\n", Argv[0], sudoers,
            strerror(errno));
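Review bot: passing SUDOERS_MODE as the third argument is the right fix, but the hunk as posted will not apply cleanly: the context line `sudoers_fd must remain open throughout in order to hold the` / `lock.` has been wrapped by the mailer onto two lines, so patch(1) rejects it against the original file; re-post it unwrapped or say it must be applied by hand. Two follow-ups on the same line of code: open(2) applies the process umask to SUDOERS_MODE, and the report's own startup check demands exactly 0440 ("is mode 04754, should be 0440"), so an fchmod(sudoers_fd, SUDOERS_MODE) after a successful create would make the on-disk mode deterministic; and since the description notes that an aborted first session still leaves an empty /etc/sudoers behind, the file this open() created should be unlinked when the editor exits without a valid sudoers being written.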

>Audit-Trail:
>Unformatted:
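As an added illustration (not code from this report or from sudo itself), the C below shows the three pieces the report touches on: the corrected open() with an explicit mode, the mode check sudo performs at startup, and removal of the empty file an aborted first session leaves behind. The function names, EXAMPLE_SUDOERS_MODE and the scratch directory under /tmp are assumptions of the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define EXAMPLE_SUDOERS_MODE 0440  /* assumed stand-in for sudo's SUDOERS_MODE */

/* The corrected open() from the fix: O_CREAT with an explicit mode. open(2) still
 * applies the umask (it can only clear bits), so fchmod pins the exact mode. */
int open_with_explicit_mode(const char *path, mode_t mode)
{
    int fd = open(path, O_RDWR | O_CREAT, mode);
    if (fd != -1 && fchmod(fd, mode) == -1) { close(fd); return -1; }
    return fd;
}

/* sudo's startup check ("is mode 04754, should be 0440") on path:
 * returns 0 on match, 1 on mismatch, -1 if stat fails. */
int check_mode(const char *path, mode_t expected, mode_t *actual)
{
    struct stat sb;
    if (stat(path, &sb) == -1) return -1;
    *actual = sb.st_mode & 07777;
    return *actual == expected ? 0 : 1;
}

/* An aborted first session leaves an empty file: remove it so the next run
 * starts from "no sudoers". Returns 1 removed, 0 kept (non-empty), -1 error. */
int unlink_if_empty(int fd, const char *path)
{
    struct stat sb;
    if (fstat(fd, &sb) == -1) return -1;
    return sb.st_size != 0 ? 0 : (unlink(path) == -1 ? -1 : 1);
}

int main(void)
{
    char dir[] = "/tmp/sudoers-demo-XXXXXX", path[80];  /* constructed scratch location */
    mode_t actual;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/sudoers", dir);
    int fd = open_with_explicit_mode(path, EXAMPLE_SUDOERS_MODE);
    if (fd == -1) return 1;
    int rc = check_mode(path, EXAMPLE_SUDOERS_MODE, &actual);
    printf("%s: mode %04o check=%d removed_empty=%d\n", path, (unsigned)actual, rc,
           unlink_if_empty(fd, path));
    close(fd);
    return rmdir(dir) == -1;
}
```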