COMMAND

    sudo

SYSTEMS AFFECTED

    Systems running sudo 1.5.2, 1.5.3

PROBLEM

    Osiris posted  following.   There is  a bug  in sudo  versions (at
    least) 1.5.2 and  1.5.3 on NCR's  MP-RAS that makes  it trivial to
    bypass sudo's restrictions.  It  is important to note that  MP-RAS
    is one of  the platforms listed  in the RUNSON  file included with
    the distribution, so there are probably many people running  this.
    After  a  little,  it  showed  how  sudo  on every system has this
    behavior (tested on DEC UNIX 4.0B and FreeBSD 2.2.5 using cu-sudo
    1.5.3).

    Basically, if you define a command  that a user is not allowed  to
    run,  they  will  still  be  allowed  to  run it if they cd to the
    directory containing the command and  preface it with ./.   Here's
    an example:

        /da8 atlas> sudo date
        Sorry, user osiris is not allowed to execute "/usr/bin/date" as root on atlas.

        /da8 atlas> sudo /bin/date
        Sorry, user osiris is not allowed to execute "/bin/date" as root on atlas.

        /da8 atlas> cd /usr/bin
        /usr/bin atlas> sudo ./date
        Mon Jan 12 12:15:34 EST 1998

SOLUTION

    This is fixed in version 1.5.4, available from:

        ftp://ftp.cs.colorado.edu/pub/sysadmin/sudo/cu-sudo.v1.5.4.tar.Z
        ftp://ftp.courtesan.com/pub/sudo/cu-sudo.v1.5.4.tar.Z (very slow link)

    The  real  problem  is  that  there  is  an assumption in the path
    matching  code  that  things  will  start  with  '/'  but they can
    also, of  course, start  with '.'.   Here's the  "official"  patch
    if you will...

    --- parse.c     1996/11/14 02:37:16     1.76
    +++ parse.c     1998/01/13 03:59:35
    @@ -218,7 +218,7 @@
         static char *c;

         /* don't bother with pseudo commands like "validate" */
    -    if (*cmnd != '/')
    +    if (strchr(cmnd, '/') ==NULL)
            return(FALSE);

         /* only need to stat cmnd once since it never changes */