Arnt Gulbrandsen
About meAbout this blog
2012-01-23

A minor security bug in Ubuntu

This has two parts.

First, sudo, which ubuntu encourages using rather than su. Sudo can be set up to allow users to do just some things as root rather than everything, by editing the file /etc/sudoers.

Second, various Ubuntu programs that run as root. Some expect that the user's $PATH starts with /sbin and /usr/sbin, and run programs without specifying the complete file name.

If a user has limited sudoers privileges, then various Ubuntu-supplied programs can often be tricked into granting the user complete root access.

For example, sudo apt-get install firefox will run either ldconfig or start-stop-daemon (I forget). Not every package has this problem, but many enough to make it a FAQ.

I feel sure that whoever reports this will be told by the sudoers maintainers that the problem is with e.g. apt-get, and by the apt-get people that the problem is with sudoers. Both are reasonable responses, but I'd rather write code than argue. So all I'll do is publish this.