sudo.info.txt

17 Aug 1999 00:00:00 | Reported by Packet Storm | Type: packetstorm | packetstormsecurity.com

Sudo exposes file existence even in restricted directories, posing a security risk for users.

Code
`Date: Tue, 8 Jun 1999 21:23:55 +0200  
From: Bencsath Boldizsar <[email protected]>  
To: [email protected]  
Subject: unneeded information in sudo  
  
Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not  
a very big problem, but when I set a directory _not_ accessible to anyone  
but root, I want to make sure, nobody knows what files are in it.  
Both executable and not executables- if there is no file: No such file or  
directory, if it exists: permission denied if not executable, You are not  
in sudoers if executable.  
  
  
> ls -la a  
total 4  
drwx------ 2 root root 1024 Jun 8 21:25 .  
drwx------ 7 root root 1024 Jun 8 21:22 ..  
-rwxr-xr-x 1 root root 1363 Jun 8 21:23 doit  
> su - alias  
No directory, logging in with HOME=/  
$ /root/a/doit  
su: /root/a/doit: Permission denied  
$ /root/a/doit2  
su: /root/a/doit2: Permission denied  
$ sudo /root/a/doit  
alias is not in the sudoers file. This incident will be reported.  
  
$ sudo /root/a/doit2  
sudo: /root/a/doit2: No such file or directory  
$ dpkg -l sudo  
....  
||/ Name Version Description  
+++-===============-==============-============================================  
ii sudo 1.5.6p2-2 Provides limited super user privileges  
  
> chmod a-x /root/a/doit  
> su - alias  
No directory, logging in with HOME=/  
$ sudo /root/a/doit  
sudo: /root/a/doit: Permission denied  
$ sudo /root/a/doit2  
sudo: /root/a/doit2: No such file or directory  
  
  
boldi  
  
---------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 09:36:50 +0300  
From: Brock Rozen <[email protected]>  
To: [email protected]  
Subject: Re: unneeded information in sudo  
  
I just submitted this to the Debian BTS at [email protected]  
  
It should appear soon (a day or two) at  
http://www.debian.org/Bugs/db/pa/lsudo.html  
  
I don't have a direct url because the bug hasn't been assigned a tracking  
number yet. The above url should do, and I submitted the bug with a  
severity level of "Important", so it should be at the top of that page.  
  
Thanks,  
  
--  
Brock Rozen [email protected]  
Director of Technical Services (410) 602-1350  
Project Genesis http://www.torah.org/  
  
---------------------------------------------------------------------------  
  
Date: Wed, 9 Jun 1999 14:12:53 -0500  
From: Randy Mclean <[email protected]>  
To: [email protected]  
Subject: Re: unneeded information in sudo  
  
Well I just verified it on FreeBSD. I guess sudo checks if a file exists  
before it checks the sudoers list. The fact that sudo is suid, it does have  
access to check the entire system for files. It seems to me that this is a  
SLIGHT bug. Even if someone wanted to find the contents of the directory  
they would basically have to try file names at random or run a program to  
try different letter combinations. In either case the system will send  
messages to root with the list of users who attempt to use sudo and who  
aren't privileged to use sudo. Also couldn't you just change the  
permissions on the files so normal users couldn't access the files anyhow?  
  
At 09:23 PM 6/8/99 +0200, Bencsath Boldizsar wrote:  
>Sudo (debian , v1.5.6p2-2) tells anyone if a file exists or not. It's not  
>a very big problem, but when i set a directory _not_ accessible to anyone  
>but root, I want to make sure, nobody knows what files are in it.  
>Both executable and not executables- if there is no file: No such file or  
>directory, if it exists: permission denied if not executable, You are not  
>in sudoers if executable.  
>  
>  
>> ls -la a  
>total 4  
>drwx------ 2 root root 1024 Jun 8 21:25 .  
>drwx------ 7 root root 1024 Jun 8 21:22 ..  
>-rwxr-xr-x 1 root root 1363 Jun 8 21:23 doit  
>> su - alias  
>No directory, logging in with HOME=/  
>$ /root/a/doit  
>su: /root/a/doit: Permission denied  
>$ /root/a/doit2  
>su: /root/a/doit2: Permission denied  
>$ sudo /root/a/doit  
>alias is not in the sudoers file. This incident will be reported.  
>  
>$ sudo /root/a/doit2  
>sudo: /root/a/doit2: No such file or directory  
>$ dpkg -l sudo  
>...  
>||/ Name Version Description  
>+++-===============-==============-============================================  
>ii sudo 1.5.6p2-2 Provides limited super user privileges  
>  
>> chmod a-x /root/a/doit  
>> su - alias  
>No directory, logging in with HOME=/  
>$ sudo /root/a/doit  
>sudo: /root/a/doit: Permission denied  
>$ sudo /root/a/doit2  
>sudo: /root/a/doit2: No such file or directory  
>  
>  
>boldi  
  
--  
Randy Mclean  
Security/Network Administrator  
[email protected]  
  
---------------------------------------------------------------------------  
  
Date: Wed, 9 Jun 1999 12:01:15 -0700  
From: Samuel Mikes <[email protected]>  
To: [email protected]  
Subject: unneeded information in sudo  
  
>> "Bencsath" == Bencsath Boldizsar <[email protected]> writes:  
Bencsath> Sudo (debian , v1.5.6p2-2) tells anyone if a file exists or  
Bencsath> not. It's not a very big problem, but when i set a  
Bencsath> directory _not_ accessible to anyone but root, I want to  
Bencsath> make sure, nobody knows what files are in it. Both  
Bencsath> executable and not executables- if there is no file: No  
Bencsath> such file or directory, if it exists: permission denied if  
Bencsath> not executable, You are not in sudoers if executable.  
  
This problem has been known for over a year -- probably longer.  
Everyone agrees that it's wrong behavior in sudo; nobody has felt  
motivated enough to write a patch for it.  
  
If you contact [email protected] or sudo-workers (also at  
courtesan?), they'll tell you all about it.  
  
Cheers,  
--  
Sam Mikes  
[email protected]  
  
---------------------------------------------------------------------------  
  
Date: Thu, 10 Jun 1999 14:02:04 -0500  
From: Emad El-Haraty <[email protected]>  
To: [email protected]  
Subject: Re: unneeded information in sudo  
  
On Wed, 9 Jun 1999, Samuel Mikes wrote:  
  
> >> "Bencsath" == Bencsath Boldizsar <[email protected]> writes:  
> Bencsath> Sudo (debian , v1.5.6p2-2) tells anyone if a file exists or  
> Bencsath> not. It's not a very big problem, but when i set a  
> Bencsath> directory _not_ accessible to anyone but root, I want to  
> Bencsath> make sure, nobody knows what files are in it. Both  
> Bencsath> executable and not executables- if there is no file: No  
> Bencsath> such file or directory, if it exists: permission denied if  
> Bencsath> not executable, You are not in sudoers if executable.  
>  
When configuring (at compile time) would setting --disable-path-info  
stop this problem?  
  
Here is its description:  
--disable-path-info  
Normally, sudo will tell the user when a command could not be found  
in their $PATH. Some sites may wish to disable this as it could  
be used to gather information on the location of executables that  
the normal user does not have access to.  
  
  
  
Emad El-Haraty  
"The best thing about computers is that they fly around the room when you  
get real mad at them."  
-- Joe Ely Carrales, III  
  
`
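
The ordering guessed at in the thread ("sudo checks if a file exists before it checks the sudoers list") is what turns the error messages into an existence oracle. The following is an added example, not code from sudo or from any poster in the thread; it models both orderings, and the function names and the sample paths `/bin/sh`, `/etc/passwd` and `/nonexistent/doit2` are assumptions.

```c
/* Added illustration, not sudo source; all names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>

enum verdict { V_RUN, V_NOT_IN_SUDOERS, V_NOENT, V_EACCES };
typedef enum verdict (*check_fn)(bool in_sudoers, const char *path);

/* Privileged view of a path; any stat() failure is modelled as NOENT. */
static enum verdict probe(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return V_NOENT;
    return (st.st_mode & 0111) ? V_RUN : V_EACCES;
}

/* Ordering reported in the thread: path first, policy second. */
enum verdict check_path_first(bool in_sudoers, const char *path)
{
    enum verdict v = probe(path);
    if (v != V_RUN)
        return v;
    return in_sudoers ? V_RUN : V_NOT_IN_SUDOERS;
}

/* Policy first: an unauthorized caller never reaches the filesystem probe. */
enum verdict check_policy_first(bool in_sudoers, const char *path)
{
    return in_sudoers ? probe(path) : V_NOT_IN_SUDOERS;
}

/* Assumed sample paths: executable, non-executable, missing. */
static const char *const SAMPLE[3] = { "/bin/sh", "/etc/passwd", "/nonexistent/doit2" };

/* Number of distinct answers a caller who is not in sudoers can observe. */
int distinct_answers(check_fn check)
{
    enum verdict a = check(false, SAMPLE[0]), b = check(false, SAMPLE[1]),
                 c = check(false, SAMPLE[2]);
    return 1 + (b != a) + (c != a && c != b);
}

int main(void)
{
    printf("path first: %d distinct answers, policy first: %d\n",
           distinct_answers(check_path_first), distinct_answers(check_policy_first));
    return 0;
}
```

With the path-first ordering an unauthorized caller sees three different answers, matching the three messages in the original report; with the policy-first ordering every probe returns the same refusal.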
