Ubuntu
sudo package

useradd grants root privileges to admin user

Bug #2027581 reported by Bugra Aydogar
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
sudo (Ubuntu)
New
Undecided
Unassigned

Bug Description

Hi,

As part of the Ubuntu Core 20, if a developer creates a user named either admin or Admin, it will have root privileges by default. I think that this is a security issue but it requires input from the security engineers/specialists.

Basically, if you look at the sudoers file under `/etc/sudoers`, you will realize the following line;

```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```

And if someone creates a user by using admin as name, the system provide root privilege.

```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc@ubuntu:~$ su Admin
Password:
Admin@ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
Admin@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Admin@ubuntu:/home/iotuc$
```

Similarly, if I create a username called aydogar, it does not have root privilege and this is expected.

```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc@ubuntu:~$ su aydogar
Password:
aydogar@ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
aydogar@ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for aydogar:
aydogar is not in the sudoers file. This incident will be reported.
aydogar@ubuntu:/home/iotuc$
```

I think, this is a bug but would love here other ideas and inputs.

See original description
Bugra Aydogar (bugraaydogar)
description: updated
Amin Bandali (bandali)
summary: - useradd will grand root privileges for admin user
+ useradd grants root privileges to admin user
Revision history for this message
Lars Düsing (lars.duesing) wrote :

This is no bug. useradd adds automatically the user to a same named group. So admin user would get added to admin group. This is intended behavior. admin group has sudo rights. This is also intended.

Revision history for this message
Oliver Grawert (ogra) wrote :

On UbuntuCore the default user added by console-conf is automatically granted passwordless sudo.

the /etc/group file is on a readonly filesystem and contains the sudo group, this usually prevents you from accidentially adding extra sudo users (UbuntuCore exclusively uses /var/lib/extrausers for addtional users and snapd (being the management authority) normally creates snippets in /etc/sudoers.d on a per user basis)

in earlier UbuntuCore releases the admin group still existed in the readonly /etc/group so adding such a user would have been prevented by the readonly state of the file.

now you can unconditionally create such a user and automatically get sudo privs without having to go through a system-user assertion managed by snapd (which is the only process that can create snippets in /etc/sudoers.d on these systems)

if not considered a security hole (due to the fact that you can circumvent the documented locked down user creation process via system-user-assertions for this type of systems) this is at least a heavy inconsistency ... we should either add an admin group to the core snaps readonly /etc/group or wipe the admin line from sudoers so we match the documented behavior.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.