corrupt program can add line to "sudo visudo"

Bug #752649 reported by pseudolegolas
This bug affects 1 person
Affects: sudo (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: sudo

I installed a program for Huawei E177 and it added the following lines to "sudo visudo":

%admin ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD:ALL

After installing that program my system was authenticating every sudo command automatically.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: sudo 1.7.2p7-1ubuntu2.1
ProcVersionSignature: Ubuntu 2.6.35-28.49-generic 2.6.35.11
Uname: Linux 2.6.35-28-generic x86_64
Architecture: amd64
Date: Wed Apr 6 21:20:23 2011
InstallationMedia: Kubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
 LANGUAGE=
 LANG=en_IN
 SHELL=/bin/bash
SourcePackage: sudo

pseudolegolas (pseudolegolas) wrote :
visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

What program did you install that did that?

Changed in sudo (Ubuntu):
status: New → Incomplete
pseudolegolas (pseudolegolas) wrote :

It was a program which comes with Huawei E177 USB Dongle. (Sort of driver cum connection wizard)

Marc Deslauriers (mdeslaur) wrote :

Relevant bits:

    # Shashank: Defect fix AJ2D13470: Begin
    echo -e "ALL ALL=(ALL) NOPASSWD:ALL" >> /tmp/${TEMPFILE}

and

    # Shashank [s72814] added to generate .bin file and to give access permissions in user mode: End
    # Shashank: Defect fix AJ2D13470: End
    cp -f /tmp/${TEMPFILE} /etc/sudoers

Wow... what a bad driver installation script.

Although, this has nothing to do with the sudo package. If you run a script as root, you are vulnerable to all kinds of nastiness.
You should be reporting this issue to the authors of the script. Since there is nothing we can do to prevent this kind of misuse in the sudo package itself, I am closing this bug.

Thanks!

Changed in sudo (Ubuntu):
status: Incomplete → Invalid
pseudolegolas (pseudolegolas) wrote :

"Huawei is a Chinese company"
Can't we stop malicious scripts from changing secure settings even if the script is run as a root user?
As the usage of Ubuntu increases, such malicious attacks will increase. What can be the solution to this?

Marc Deslauriers (mdeslaur) wrote :

The root user has the required privileges to pretty much do everything. The only way to prevent this type of malicious attack is to only install and run software from trusted repositories. I can't think of anything else that can be done.
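
As an added example (not part of this bug thread, the vendor's installer, or the sudo package), a small audit that scans a sudoers-format file for the kind of rule quoted above: `NOPASSWD` applied to the `ALL` command. The function names, the severity labels, and every sample line other than the two from the report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sudoers rules that pair NOPASSWD with the ALL command.

# Constructed sample; only the %admin and "ALL ALL=" lines come from the report.
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD:ALL
%wheel ALL=(ALL) NOPASSWD: \
    ALL
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
EOF
}

# audit_sudoers FILE (hypothetical helper name)
# Prints FILE:LINE: SEVERITY: RULE for each match; returns 1 if any rule matched.
# Scope: NOPASSWD directly tagging ALL. Aliases and include files are not expanded.
audit_sudoers() {
    awk -v file="$1" '
        {
            # comments never continue onto the next line
            if (buf == "" && $0 ~ /^[ \t]*#/) next
            line = buf $0
            # a trailing backslash continues the rule on the next line
            if (line ~ /\\$/) { sub(/\\$/, " ", line); buf = line; next }
            buf = ""
            sub(/^[ \t]+/, "", line)
            # skip blanks, Defaults settings and alias definitions
            if (line == "" || line ~ /^Defaults/ || line ~ /^[A-Za-z]+_Alias[ \t]/) next
            # NOPASSWD (optionally followed by other tags) applied to ALL
            if (line ~ /NOPASSWD[ \t]*:[ \t]*([A-Z_]+[ \t]*:[ \t]*)*ALL([ \t,]|$)/) {
                split(line, f, /[ \t]+/)
                # user field ALL means every local account gets the grant
                sev = (f[1] == "ALL") ? "CRITICAL" : "WARN"
                printf "%s:%d: %s: %s\n", file, NR, sev, line
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

demo=$(mktemp)
sample_sudoers > "$demo"
audit_sudoers "$demo" || echo "passwordless ALL rules found; review before trusting this host"
rm -f "$demo"
```

`visudo -c` checks sudoers syntax, not what a rule grants, so a check like this one is complementary to it.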

This report contains Public Security information  
Everyone can see this security related information.
