[SGVLUG] sudo newgrp somegroup = local root escalation

Matthew Campbell dvdmatt at gmail.com
Sat Aug 6 12:32:50 PDT 2016


Good afternoon Sean,

That is an interesting point.  I was not aware of this and at first
didn't catch the problem.  Usually on our systems if you have sudo
access you are an admin with root privileges and it is assumed you
will be professional and use sudo (not sudo bash) to perform any
raised privilege operations.

I also work with a large outsourced IT contract where we have had a
lot of problems with shared account passwords and other
non-professional conduct.  Driving this is a business environment
where face saving is first priority and if you ever make a mistake
that can be traced back to you the result is summary disemployment,
don't stop at go.  This post has got me thinking.  I may have to raise
this as a high priority issue with RHEL to see what they say.

Thanks for the heads up!

Matt

---------
Matthew Campbell
Storage and Cloud Strategy
Office of the CTO

On Wed, Aug 3, 2016 at 6:55 PM, Sean O'Donnell <sean at seanodonnell.com> wrote:
> TIL: If a user has 'sudo' access, AND is allowed to execute 'newgrp',
> the result is that the user gets switched to the root user, if the
> command executes successfully.
>
> [x0d at wopr.mil cli]$ sudo newgrp root
> [root at wopr.mil cli]#
>
> While I used the 'root' group for this example (because it exists), the
> same could be applied to any existing group on the system, and still
> result in same local root escalation.
>
> I see that this has been a known issue in terms of disclosure, since at
> least 2003 (quickly glancing on google results) yet it's not a commonly
> known issue, from most engineers I work with or have talked to.
>
> I know it's really the responsibility of the sysadmin who makes the sudo
> rules, to address this, it appears that this is news to most of the
> sysadmins I'm working with here.
>
> Anyhow, just curious if others were aware of this, or not.
>
> The reason I mention this, is because it appears to be an issue that
> Apple fixed in one of their OS updates, but most linux distros still
> allow this (debian/centos/fedora/etc.). It just seems like a bad idea to
> ship common distros with this capability, wouldn't you agree?
>
> -Sean


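Since the thread leaves the fix to whoever writes the sudo rules, here is an added audit script (not code from either poster or from any distro) that flags sudoers entries granting newgrp, another shell-spawning command, or ALL. The simplified sudoers grammar, the constructed sample file and the shell-spawning commands beyond newgrp and bash are assumptions.

```python
import os
import re

# Commands that exec a shell as the sudo target user; newgrp and bash are the
# cases from the thread, the others are assumed additions to the list.
SHELL_SPAWNERS = {"newgrp", "sg", "su", "bash", "sh", "dash", "zsh"}
# Simplified sudoers user spec: who host = (runas) [TAG:] cmd, cmd ...
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^[A-Z_]+:\s*")  # NOPASSWD:, SETENV:, ... (first tag only)
SKIP = ("Defaults", "User_Alias", "Host_Alias", "Runas_Alias", "Cmnd_Alias")

def parse_rule(line):
    """Parse one user-spec line; None for blanks, comments, Defaults, aliases."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and line.split()[0] not in SKIP else None
    if not m:
        return None
    cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
    runas = (m.group("runas") or "root").split(":")[0] or "root"
    return {"who": m.group("who"), "runas": runas, "cmds": cmds}

def audit_sudoers(text):
    """One finding per granted entry that hands the caller a shell as runas."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            if not cmd or cmd.startswith("!"):  # empty or explicit deny entry
                continue
            name = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if name == "ALL" or name in SHELL_SPAWNERS:
                findings.append(f"line {lineno}: {rule['who']} may run {name} as "
                                f"{rule['runas']} (shell as {rule['runas']})")
    return findings

# Constructed sample sudoers content, not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/newgrp
bob     ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/sg
carol   ALL=/usr/bin/apt-get update
dave    ALL=(ALL) ALL, !/usr/bin/su
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

On the sample, root, alice, bob and dave are reported and carol is not; the negated su entry for dave is ignored because sudoers deny entries do not remove the shell that ALL already grants.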
