Potential bypass of Runas user restrictions in sudo

93 points, by Findus23, over 5 years ago

9 comments

gambler, over 5 years ago
Is this the official sudo repository?

https://www.sudo.ws/repos/sudo/file/f75f786eddd5

It has more than 10 thousand commits, ~600 files, and close to 11MB of C code. Also, the code seems to have no unit tests, the main file is 1.4K lines long, has quintuple-nested conditionals and liberally uses goto statements.

Am I missing something here?
hathawsh, over 5 years ago
Are the examples in the advisory statement slightly incorrect? The first example seems to have the user name and host reversed:

    myhost alice = (ALL) /usr/bin/id

All the examples I've seen of sudoers files do it this way:

    alice myhost = (ALL) /usr/bin/id

This is important because the host is rarely used; the host field is usually replaced with ALL, meaning the host name is not important for the rule:

    alice ALL = (ALL) /usr/bin/id

I hope this isn't some new sudoers syntax.

As I consider whether this bug impacts my company, I see two types of rules in our sudoers files: (1) rules that let already-privileged users do privileged things and (2) rules that let processes with minimal privileges make an exception to normal security rules. This bug doesn't impact rules for highly privileged users because they already have many ways to do whatever they want. This bug doesn't impact the second type of rules either because those rules specify exactly which user to change to; I tested the '-u#-1' trick with one of those rules on an unpatched sudo and sudo didn't allow it.

The behavior I observed seems to match the advisory, which says the exploitable rules are those that don't specify a specific user to run as.

Now I wonder: what kind of well-written rule would be exploitable?
theamk, over 5 years ago
I cannot imagine why one would write an (ALL, !root) policy -- this seems like a security hole waiting to happen. There are many system users, and I would not be surprised if some of them can be escalated to root.
compressedgas, over 5 years ago
The fix was done in https://www.sudo.ws/repos/sudo/rev/83db8dba09e7

The fix appears to be to reject -1 as invalid.

The article should have included in the fix section a link to the commit and a summary of what the fix was.
aargh_aargh, over 5 years ago
Status in Debian: https://security-tracker.debian.org/tracker/CVE-2019-14287

Ubuntu: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-14287.html

RHEL: https://access.redhat.com/security/cve/cve-2019-14287
andrewchoi, over 5 years ago
This seems pretty serious, but I wonder if there is a way to measure how many systems are affected by this. Does anyone have telemetry on how many Runas configs are set up this way? How would someone collect this data?
nneonneo, over 5 years ago
Interesting bug; I wonder what else might be affected by setuid(-1). That said, I'd hope this bug doesn't really affect too many systems - letting someone run commands as any non-root user is pretty hazardous because some users have really high privileges (e.g. any user in the "docker" group is functionally equivalent to root if Docker is installed).

I do love that this command has its own website - and a delightfully on-point XKCD-inspired logo :)
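compressedgas's reading of the fix ("reject -1 as invalid") and nneonneo's question about setuid(-1) come down to the same detail, which this added model shows in a few lines. It is an illustration written for this thread, not sudo's source: `setresuid_model` encodes the documented setresuid(2) rule that an argument of (uid_t)-1 means "leave this id unchanged", `parse_runas_uid` converts a `#uid` argument the way sudo did before and after the fix, and `runas_result` runs the two together behind a constructed `(ALL, !root)`-style exclusion list. The function names and the `fixed` flag are assumptions of the example.

```python
"""Why a Runas uid of -1 bypassed an exclusion, and what rejecting it changes.

Added model for this thread, not sudo's source. Assumes Linux, where uid_t is a
32-bit unsigned integer, so (uid_t)-1 == 0xFFFFFFFF.
"""

UID_MAX = 0xFFFFFFFF   # (uid_t)-1 on a 32-bit unsigned uid_t
ROOT_UID = 0


class InvalidUid(ValueError):
    """Raised for a Runas uid that must not reach setresuid()."""


def setresuid_model(current_uid, requested_uid):
    """Mirror the setresuid(2) contract: a value of (uid_t)-1 leaves the id as is."""
    if requested_uid == UID_MAX:
        return current_uid
    return requested_uid


def parse_runas_uid(arg, fixed=True):
    """Parse a '#<number>' Runas argument into a uid.

    fixed=False reproduces the pre-fix conversion: the number is truncated to
    uid_t, so -1 becomes UID_MAX. fixed=True rejects any value that would reach
    setresuid() as (uid_t)-1, which is the check the CVE-2019-14287 fix added.
    """
    if not arg.startswith("#"):
        raise InvalidUid("only the numeric '#uid' form is modelled here")
    try:
        value = int(arg[1:], 10)
    except ValueError:
        raise InvalidUid(f"not a number: {arg!r}") from None
    if not fixed:
        return value & UID_MAX
    if value < 0 or value >= UID_MAX:
        raise InvalidUid(f"{arg!r} would be (uid_t)-1, which means 'no change'")
    return value


def runas_result(arg, excluded=(ROOT_UID,), fixed=True):
    """Simulate the Runas path: sudo holds root, checks the policy exclusion
    list against the parsed uid, then drops privileges with setresuid().

    Returns the uid the command ends up with, or None when sudo refuses.
    """
    try:
        uid = parse_runas_uid(arg, fixed=fixed)
    except InvalidUid:
        return None
    if uid in excluded:
        return None          # "!root" in the Runas spec denies uid 0 directly
    return setresuid_model(ROOT_UID, uid)


if __name__ == "__main__":
    for arg in ("#1000", "#0", "#-1", "#4294967295"):
        print(f"{arg:>12}  pre-fix -> {runas_result(arg, fixed=False)}  "
              f"fixed -> {runas_result(arg, fixed=True)}")
```

Before the fix, `#-1` and `#4294967295` both survive the exclusion check because neither equals 0, and then setresuid() leaves the process as root; after it, both are refused before any privilege change is attempted. Anything that passes a user-controlled number through to setuid-family calls without rejecting the sentinel has the same shape of problem, which is the generalisation behind nneonneo's question.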
JetSpiegel, over 5 years ago
At least the alternative (PolicyKit) reined in the complexity and is just executing Javascript...
CodeWriter23, over 5 years ago
Anyone have any idea if someone can just install the old version in their home directory and enjoy the bypass?