visudo: please use /tmp or other location for temporary file

Bug #16700 reported by Debian Bug Importer on 2005-05-04
6
Affects Status Importance Assigned to Milestone
sudo (Debian)
New
Unknown
sudo (Ubuntu)
Low
Unassigned

Bug Description

Automatically imported from Debian bug report #283161 http://bugs.debian.org/283161

CVE References

If you do fix this bug, and patch sudo to create temp file in /tmp (or
whereever), please be wary of issue mentioned at:
http://www.securityfocus.com/bid/13171,

You'd need to patch to change the naming of the temp file as well as the
directory. I'm sure you'd be aware of that though.

--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000

As I read http://www.securityfocus.com/bid/13171/discussion/ , which has
been assigned CVE id CAN-2005-1119, this is a security hole because
visodo is not limited to editing /etc/sudoers. With the -f switch, it
can be made to edit some other file; if that other file is in a
directory to which an attacker has write access, they can overwrite
arbitrary files via a symlink attack.

Still fairly theoretical, but I wanted to note that this is
CAN-2005-1119 ..

--
see shy jo

Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #283161 http://bugs.debian.org/283161

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 26 Nov 2004 23:38:46 +0100
From: martin f krafft <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: visudo: please use /tmp or other location for temporary file

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Package: sudo
Version: 1.6.7p5-2
Severity: minor

visudo creates and uses /etc/visudo.tmp. While this may or may not
be subject to race conditions, a temporary file certainly does not
belong into /etc. Please use /tmp or $TMPDIR instead.

Thanks,

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (600, 'testing'), (98, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-cirrus
Locale: LANG=3Den_GB, LC_CTYPE=3Den_GB.UTF-8 (charmap=3DUTF-8)

Versions of packages sudo depends on:
ii libc6 2.3.2.ds1-18 GNU C Library: Shared librarie=
s an
ii libpam-modules 0.76-22 Pluggable Authentication Modul=
es f
ii libpam0g 0.76-22 Pluggable Authentication Modul=
es l

-- no debconf information

--=20
 .''`. martin f. krafft <email address hidden>
: :' : proud Debian developer, admin, user, and author
`. `'`
  `- Debian - when you have better things to do than fixing a system
=20
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

--9amGYk9869ThD9tj
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBp7B2IgvIgzMMSnURAnqaAKDCsDhynKAVGKbtgSiIjlEPOvvadQCfdhNM
HjORr3cFRThEwgJfUCSKn5c=
=+q9P
-----END PGP SIGNATURE-----

--9amGYk9869ThD9tj--

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 21 Apr 2005 12:13:41 +1000
From: Geoff Crompton <email address hidden>
To: <email address hidden>
Subject: bewary of bid 13171 when doing this

If you do fix this bug, and patch sudo to create temp file in /tmp (or
whereever), please be wary of issue mentioned at:
http://www.securityfocus.com/bid/13171,

You'd need to patch to change the naming of the temp file as well as the
directory. I'm sure you'd be aware of that though.

--
Geoff Crompton
Debian System Administrator
Strategic Data
+61 3 9340 9000

Martin Pitt (pitti) wrote :

Not a big deal, thus downgrading. /etc/ is only writeable by root, and visudo
properly checks for already existing files:

$ sudo visudo
Password:
visudo: sudoers file busy, try again later

I can't see a security issue here, this is just a (rather cosmetical) bug;
temporary files do not belong into /etc.

Matt Zimmerman (mdz) wrote :

See Joey Hess' latest comment in debbugs. Still not a major issue, but deserves
a closer look.

On Fri, Nov 26, 2004 at 11:38:46PM +0100, martin f krafft wrote:
> Package: sudo
> Version: 1.6.7p5-2
> Severity: minor
>
> visudo creates and uses /etc/visudo.tmp. While this may or may not
> be subject to race conditions, a temporary file certainly does not
> belong into /etc. Please use /tmp or $TMPDIR instead.

We have to be a bit careful here, I think; visudo currently issues a
warning if the temporary file is on a different filesystem.

--
Colin Watson [<email address hidden>]

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 3 May 2005 22:52:41 -0400
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: CAN-2005-1119

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

As I read http://www.securityfocus.com/bid/13171/discussion/ , which has
been assigned CVE id CAN-2005-1119, this is a security hole because
visodo is not limited to editing /etc/sudoers. With the -f switch, it
can be made to edit some other file; if that other file is in a
directory to which an attacker has write access, they can overwrite
arbitrary files via a symlink attack.

Still fairly theoretical, but I wanted to note that this is
CAN-2005-1119 ..

--=20
see shy jo

--0F1p//8PRICkK4MW
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCeDj5d8HHehbQuO8RAiBgAKCiubC4WTlJeuc0fMSZXJ1suW5EdgCfXIKQ
YzIjM6k+E5mCept5pZmEdUo=
=p7vS
-----END PGP SIGNATURE-----

--0F1p//8PRICkK4MW--

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 4 May 2005 10:52:44 +0100
From: Colin Watson <email address hidden>
To: martin f krafft <email address hidden>
Cc: <email address hidden>
Subject: Re: visudo: please use /tmp or other location for temporary file

On Fri, Nov 26, 2004 at 11:38:46PM +0100, martin f krafft wrote:
> Package: sudo
> Version: 1.6.7p5-2
> Severity: minor
>
> visudo creates and uses /etc/visudo.tmp. While this may or may not
> be subject to race conditions, a temporary file certainly does not
> belong into /etc. Please use /tmp or $TMPDIR instead.

We have to be a bit careful here, I think; visudo currently issues a
warning if the temporary file is on a different filesystem.

--
Colin Watson [<email address hidden>]

visudo must atomically swap the old configuration for the new one. There must never be a time where sudo can see a partially written sudoers file. The temporary should always be placed in the same directory (currently the best way to be sure its being put on the same filesystem and so that differing permissions on different directories don't cause suprising behaviour).

http://bugs.debian.org/283161
visudo: please use /tmp or other location for temporary file

sudo creates the temporary file /etc/sudoers.tmp so that it can do an
atomic rename if the file has been modified. This is a nice thing to
guarantee, otherwise the file may not exist, or might exist in an
inconsistent state.

In particular, this avoids the scenario where sudo writes out some file
to the effect of:

pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root

But perhaps the stuff after the ',' hasn't been written yet. So pete
can change roots password, even though this is a legitimate way to
prevent it (taken straight from the sudoers manpage).

The only change I can see being made is to use the dirname of the file
being edited, rather than always using the dirname of the sudoers file.

Just to clarify my previous comment, I don't think this is a bug and should be marked invalid as altering the current behaviour to match typical temporary file use would be a grave erro,r possibly opening systems up toexploitation.

Martin Pitt (pitti) on 2008-11-20
Changed in sudo:
assignee: pitti → nobody
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.