Sudoedit will allow the user to escape to a root shell

Hi all,
I'm new to this forum. I'm running RedHat 6.6 (Santiago), kernel 2.6.32-504.8.1.el6.x86_64, selinux disabled, and I have always used sudo to delegate privileged commands to simple users. Now I'm running sudo (sudo-1.8.6p3-15.el6.x86_64) and this is my sudoers file:

~~~
Host_Alias SVILUPPO = abbey,wildfire
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo
~~~

This is what happens when an unprivileged user logs into the box and executes sudoedit:

~~~
[loris@wildfire ~]$ id
uid=10501(loris) gid=10501(linuxusers) groups=10501(linuxusers),10510(MGT-Sviluppo),10516(svn_didanet)
[loris@wildfire ~]$ sudo -l
[sudo] password for loris:
Matching Defaults entries for loris on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User loris may run the following commands on this host:

(root) PASSWD: /bin/su - rpmbuild, (root) /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo

[loris@wildfire ~]$ sudo /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo

(Vi environment appears)
~
[...]
~
~
"/var/tmp/KionXXBL2CxL.repo" 44L, 1621C

(user presses "esc", then ":sh" ... and it drops a root shell!)

[root@wildfire loris]#
~~~

What's wrong? I'm sure that one year ago sudoedit was working well and did not drop the user to a root shell
(cf. https://access.redhat.com/solutions/57331).

Googling this issue takes me to the same solution: to use sudoedit.
Have I missed something? Can you help me solve this very strange issue?
This is beyond my experience and RTFM doesn't work.
Thank you in advance. Loris

Responses

I'm unable to format text correctly. Sorry :-\

Hi Kion,

I did a quick format; you had --- where you wanted ~~~, but they can be difficult to differentiate in some fonts.

I'm looking into this now and will get back to you.

Mark

Hi Kion,

I think you have missed a step, the solution you reference shows:

**Note** that if you specify the full path of sudoedit, i.e. /usr/bin/sudoedit, you will need to run sudo sudoedit /etc/httpd/conf.d/ssl.conf, which means you can escape to the shell as root again.

The example given shows that you must remove the absolute path:

~~~
user1  ALL = sudoedit /etc/httpd/conf.d/ssl.conf
~~~

Can you reconfigure and test that please?
Many thanks,
Mark
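The anomaly Mark points at is easy to reintroduce by hand, so a defender may want to check sudoers files for it mechanically. The script below is an added example written for this thread, not something from the Red Hat solution or from sudo itself: it flags every non-comment sudoers line (rules and Cmnd_Alias definitions alike) that names sudoedit by an absolute path, and offers a rewrite that drops the path so sudo enters its built-in editing mode. The sample sudoers text is constructed from the rules quoted in the thread; the function names are this example's own.

```bash
#!/bin/bash
# Added example (not part of the thread or of sudo): audit sudoers text for
# sudoedit rules written with an absolute path. Such a rule makes sudo execute
# the /usr/bin/sudoedit binary as root instead of entering its editing mode,
# so the editor runs as root and a shell escape (vi ":sh") yields a root shell.

# Constructed sample: the thread's problematic rule, the corrected form from
# the referenced solution, and a comment that must not be flagged.
SAMPLE_SUDOERS='Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%linuxusers SVILUPPO=(root) PASSWD: /bin/su - rpmbuild, /usr/bin/sudoedit -e /etc/yum.repos.d/Kion.repo
user1  ALL = sudoedit /etc/httpd/conf.d/ssl.conf
# /usr/bin/sudoedit in a comment is harmless'

# Match an absolute path whose last component is sudoedit, delimited by
# whitespace, comma, colon or equals on the left and whitespace/comma/EOL on
# the right. Used by both functions below.
PATHED_SUDOEDIT_RE='(^|[[:space:],:=])/[^[:space:],]*/sudoedit([[:space:],]|$)'

# find_pathed_sudoedit: read sudoers text on stdin, print offending lines.
# Comment lines are skipped; everything else (rules, Cmnd_Alias) is checked.
find_pathed_sudoedit() {
    grep -v '^[[:space:]]*#' | grep -E "$PATHED_SUDOEDIT_RE"
}

# count_pathed_sudoedit: number of offending lines, for scripting/asserting.
count_pathed_sudoedit() {
    find_pathed_sudoedit | grep -c .
}

# fix_pathed_sudoedit: rewrite "/some/path/sudoedit" to bare "sudoedit" on
# non-comment lines. Only the path is removed; the argument list that follows
# must still be reviewed by hand (the fixed rule in the thread lists just the
# file to be edited).
fix_pathed_sudoedit() {
    sed -E "/^[[:space:]]*#/!s#${PATHED_SUDOEDIT_RE}#\\1sudoedit\\2#g"
}

# Demonstration on the constructed sample.
echo "Rules invoking sudoedit by absolute path:"
printf '%s\n' "$SAMPLE_SUDOERS" | find_pathed_sudoedit
echo
echo "Rewritten sudoers text:"
printf '%s\n' "$SAMPLE_SUDOERS" | fix_pathed_sudoedit
```

On a real system, feed it the live policy rather than a literal, e.g. `sudo cat /etc/sudoers /etc/sudoers.d/* | find_pathed_sudoedit`, and run `visudo -c` after any rewrite so a syntax slip does not lock everyone out.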

YEAH!! :-\ WTF ... you did the trick. Thank you very very very very very very much.
Configuring the files with your recommendation does the job.

:)

Hi Kion,

Glad to hear it! I've updated the Solution to be a little clearer about the anomaly.

Have a great day,
Mark