Date: Tue, 8 Jun 1999 21:23:55 +0200
From: Bencsath Boldizsar
To: BUGTRAQ@netspace.org
Subject: unneeded information in sudo

Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not
a very big problem, but when I set a directory _not_ accessible to anyone
but root, I want to make sure nobody knows what files are in it.
Both executables and non-executables: if there is no file: No such file or
directory; if it exists: Permission denied if not executable, You are not
in sudoers if executable.

> ls -la a
total 4
drwx------   2 root     root         1024 Jun  8 21:25 .
drwx------   7 root     root         1024 Jun  8 21:22 ..
-rwxr-xr-x   1 root     root         1363 Jun  8 21:23 doit
> su - alias
No directory, logging in with HOME=/
$ /root/a/doit
su: /root/a/doit: Permission denied
$ /root/a/doit2
su: /root/a/doit2: Permission denied
$ sudo /root/a/doit
alias is not in the sudoers file.  This incident will be reported.

$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory
$ dpkg -l sudo
....
||/ Name            Version        Description
+++-===============-==============-============================================
ii  sudo            1.5.6p2-2      Provides limited super user privileges
> chmod a-x /root/a/doit
> su - alias
No directory, logging in with HOME=/
$ sudo /root/a/doit
sudo: /root/a/doit: Permission denied
$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory

boldi

---------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 09:36:50 +0300
From: Brock Rozen
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

I just submitted this to the Debian BTS at submit@bugs.debian.org

It should appear soon (a day or two) at
http://www.debian.org/Bugs/db/pa/lsudo.html

I don't have a direct URL because the bug hasn't been assigned a tracking
number yet. The above URL should do, and I submitted the bug with a severity
level of "Important", so it should be at the top of that page.

Thanks,

--
Brock Rozen                                               brozen@torah.org
Director of Technical Services                              (410) 602-1350
Project Genesis                                       http://www.torah.org/

---------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 14:12:53 -0500
From: Randy Mclean
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

Well, I just verified it on FreeBSD. I guess sudo checks if a file exists
before it checks the sudoers list. The fact that sudo is suid, it does have
access to check the entire system for files. It seems to me that this is a
SLIGHT bug. Even if someone wanted to find the contents of the directory,
they would basically have to try file names at random or run a program to
try different letter combinations. In either case the system will send
messages to root with the list of users who attempt to use sudo and who
aren't privileged to use sudo. Also, couldn't you just change the permissions
on the files so normal users couldn't access the files anyhow?

At 09:23 PM 6/8/99 +0200, Bencsath Boldizsar wrote:
>Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not
>a very big problem, but when I set a directory _not_ accessible to anyone
>but root, I want to make sure nobody knows what files are in it.
>Both executables and non-executables: if there is no file: No such file or
>directory; if it exists: Permission denied if not executable, You are not
>in sudoers if executable.
>
>
>> ls -la a
>total 4
>drwx------   2 root     root         1024 Jun  8 21:25 .
>drwx------   7 root     root         1024 Jun  8 21:22 ..
>-rwxr-xr-x   1 root     root         1363 Jun  8 21:23 doit
>> su - alias
>No directory, logging in with HOME=/
>$ /root/a/doit
>su: /root/a/doit: Permission denied
>$ /root/a/doit2
>su: /root/a/doit2: Permission denied
>$ sudo /root/a/doit
>alias is not in the sudoers file.  This incident will be reported.
>
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>$ dpkg -l sudo
>...
>||/ Name            Version        Description
>+++-===============-==============-============================================
>ii  sudo            1.5.6p2-2      Provides limited super user privileges
>
>> chmod a-x /root/a/doit
>> su - alias
>No directory, logging in with HOME=/
>$ sudo /root/a/doit
>sudo: /root/a/doit: Permission denied
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>
>
>boldi

--
Randy Mclean
Security/Network Administrator
rmclean@natdoor.com

---------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 12:01:15 -0700
From: Samuel Mikes
To: BUGTRAQ@netspace.org
Subject: unneeded information in sudo

>> "Bencsath" == Bencsath Boldizsar writes:

    Bencsath> Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or
    Bencsath> not. It's not a very big problem, but when I set a
    Bencsath> directory _not_ accessible to anyone but root, I want to
    Bencsath> make sure nobody knows what files are in it. Both
    Bencsath> executables and non-executables: if there is no file: No
    Bencsath> such file or directory; if it exists: Permission denied if
    Bencsath> not executable, You are not in sudoers if executable.

This problem has been known for over a year -- probably longer. Everyone
agrees that it's wrong behavior in sudo; nobody has felt motivated enough
to write a patch for it.

If you contact sudo-bugs@courtesan.com or sudo-workers (also at courtesan?),
they'll tell you all about it.

Cheers,

--
Sam Mikes
smikes@alumni.hmc.edu

---------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 14:02:04 -0500
From: Emad El-Haraty
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

On Wed, 9 Jun 1999, Samuel Mikes wrote:

> >> "Bencsath" == Bencsath Boldizsar writes:
>
>     Bencsath> Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or
>     Bencsath> not. It's not a very big problem, but when I set a
>     Bencsath> directory _not_ accessible to anyone but root, I want to
>     Bencsath> make sure nobody knows what files are in it. Both
>     Bencsath> executables and non-executables: if there is no file: No
>     Bencsath> such file or directory; if it exists: Permission denied if
>     Bencsath> not executable, You are not in sudoers if executable.
>

When configuring (at compile time), would setting --disable-path-info stop
this problem? Here is its description:

  --disable-path-info
      Normally, sudo will tell the user when a command could not be found
      in their $PATH. Some sites may wish to disable this as it could be
      used to gather information on the location of executables that the
      normal user does not have access to.

Emad El-Haraty

"The best thing about computers is that they fly around the room when you
get real mad at them." -- Joe Ely Carrales, III
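As an added illustration of the ordering problem the thread describes (this is a model written for this page, not sudo's own source; the uids 1000 and 65534 and the in_sudoers() stub are assumptions standing in for the real sudoers lookup), the two orderings side by side: the one the report shows, where the helper locates the file with its own root privileges and reports the outcome before consulting sudoers, so an unlisted caller gets "No such file or directory", "Permission denied" or "not in the sudoers file" depending on what the path names; and the remedy of authorizing first, so that an unlisted caller gets one and the same answer for every path and only a listed user ever reaches the filesystem lookup. The probe paths are absolute, as in the report, so the example does not exercise the $PATH search that the quoted --disable-path-info description refers to.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Answers a caller can observe; V_NOT_FOUND and V_PERM_DENIED mirror the
 * "No such file or directory" / "Permission denied" messages in the report. */
enum verdict { V_OK, V_NOT_FOUND, V_PERM_DENIED, V_NOT_IN_SUDOERS, V_OTHER };

/* Hypothetical stand-in for the sudoers lookup (assumption: only uid 1000 is listed). */
static int in_sudoers(uid_t uid) { return uid == 1000; }

/* Resolve the command with the helper's own privileges, as a setuid-root
 * binary does, and map the outcome straight onto a message. */
static enum verdict locate(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) {
        if (errno == ENOENT || errno == ENOTDIR) return V_NOT_FOUND;
        return errno == EACCES ? V_PERM_DENIED : V_OTHER;
    }
    if (!S_ISREG(st.st_mode) || !(st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))
        return V_PERM_DENIED;
    return V_OK;
}

/* Ordering the thread describes: the path is examined before the caller's
 * authorization, so the message depends on the path even for a caller who
 * could never run anything. */
enum verdict leaky_order(uid_t caller, const char *path) {
    enum verdict v = locate(path);
    if (v != V_OK) return v;
    return in_sudoers(caller) ? V_OK : V_NOT_IN_SUDOERS;
}

/* Remedy: decide authorization first. An unlisted caller gets one fixed
 * answer whatever the path; only a listed caller reaches the lookup and
 * may legitimately see its real errors. */
enum verdict fixed_order(uid_t caller, const char *path) {
    if (!in_sudoers(caller)) return V_NOT_IN_SUDOERS;
    return locate(path);
}

/* Scratch fixture (constructed here) modelled on the report: dir/doit is
 * executable (0755), dir/nodoit exists but is 0600, dir/doit2 is never
 * created. dir must hold at least 64 bytes; returns 0 on success. */
int make_fixture(char *dir) {
    strcpy(dir, "/tmp/sudoleak.XXXXXX");
    if (mkdtemp(dir) == NULL) {            /* no /tmp: fall back to the cwd */
        strcpy(dir, "sudoleak.XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    static const char *names[] = { "doit", "nodoit" };
    static const mode_t modes[] = { 0755, 0600 };
    for (int i = 0; i < 2; i++) {
        char p[128];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_TRUNC, modes[i]);
        if (fd < 0 || fchmod(fd, modes[i]) != 0) return -1;   /* fchmod: defeat umask */
        close(fd);
    }
    return 0;
}

void remove_fixture(const char *dir) {
    static const char *names[] = { "doit", "nodoit" };
    for (int i = 0; i < 2; i++) {
        char p[128];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        unlink(p);
    }
    rmdir(dir);
}

/* How many different answers an unlisted caller (uid 65534, assumption) gets
 * across the three probe paths. 1 means the path contributes nothing. */
int distinct_verdicts(enum verdict (*order)(uid_t, const char *), const char *dir) {
    static const char *names[] = { "doit", "nodoit", "doit2" };
    enum verdict seen[3];
    int n = 0;
    for (int i = 0; i < 3; i++) {
        char p[128];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        enum verdict v = order(65534, p);
        int dup = 0;
        for (int j = 0; j < n; j++) if (seen[j] == v) dup = 1;
        if (!dup) seen[n++] = v;
    }
    return n;
}

/* Run both orderings over the fixture. Returns leaky*10 + fixed, i.e. 31:
 * three distinguishable answers under the leaky order, one under the fix.
 * Returns -1 if the fixture could not be built. */
int demo(void) {
    char dir[64];
    if (make_fixture(dir) != 0) return -1;
    int leaky = distinct_verdicts(leaky_order, dir);
    int fixed = distinct_verdicts(fixed_order, dir);
    remove_fixture(dir);
    return leaky * 10 + fixed;
}

int main(void) {
    int r = demo();
    if (r < 0) { perror("fixture"); return 1; }
    printf("distinct answers for an unlisted caller: leaky=%d fixed=%d\n", r / 10, r % 10);
    return r == 31 ? 0 : 1;
}
```

The fix does not remove the information from a listed user: once authorized, that user sees the real "No such file or directory" or "Permission denied", which is what they need to run the command at all. What changes is that the helper's root-level stat() no longer answers on behalf of callers who have no business asking.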