What bad things could happen if we don't use sudoedit?

Question

We know it's safer* to use sudoedit, but what bad things can happen if we have the following in sudoers?

Cmnd_Alias FOO = /bin/ed, /usr/bin/ed, /usr/bin/vi
foouser LOCALHOST = NOPASSWD: NOEXEC: FOO

Can the "foouser" escape to root prompt? - of course besides that he could now edit the /etc/shadow file to put a custom pwd hash to the root user to become root in about 3 seconds..

Maybe some magic using LD_PRELOAD with ed? How exactly?

*=sudo ed would run as root. but sudoedit would run as the given user, the edited file will be copied before/after editing it.

Answer 1

Can the "foouser" escape to root prompt?

Presumably foouser can now open any system binary and "edit" it into something else completely, leaving whatever kind of security hole foouser can dream up. This has particular potential if you do it to a setuid binary, such as passwd, because it means a non-root user could use it do privileged things it was not intended to do.

besides that he could now edit the /etc/shadow file to put a custom pwd hash

Or just delete the hash, in which case you don't need any password to log in as root.

Answer 2

There is an incredible amount of files that one can modify to "install a backdoor" on the system (editing /etc/group is the easiest, but there are lots of more stealthy way to achieve it). It is also possible to disable this noexec protection by editing /etc/sudoers file! I wouldn't rely on NOEXEC to make "sudo $editor" secure. it is not secure. DO use sudoedit instead (very carefully because lots of files can be used to gain root privileges !)

Futhermore, sudo's noexec wrapper is tracking a (slowly) moving target (see sudo_noexec.c history and The difference between fork(), vfork(), exec() and clone()). So the sudo_noexec wrapper might not protect you on some Unix variant and it may not restrict new system calls (assuming that your editor use those new API).

To answer specifically you question about LD_PRELOAD, the sudo configuration file enables env_reset by default to cause commands to be executed with a new, minimal environment. So I doubt it could be exploited.

P.S. I have posted a similar question https://unix.stackexchange.com/q/200411/16640 !

Answer 3

The problem isn't 'what could happen' as much as what couldn't happen. I mean, vi is quite a powerful tool, and using it as a privileged user gives many potential avenues of attack and exploit.

And that's why you shouldn't do it - because you're playing 'block the mousehole' in a big old house.

Anything interactive is 'risky'. Avenues of attack:

• Shell escapes - NOEXEC helps here.
• Editing system config files - there's a bunch of 'obvious' culprits, like /etc/passwd etc. but there's also places where you could, for example, insert a CGI script into an apache instance and privilege escalate that route. Or modify a script called by roots crontab. (This is particularly entertaining if they have it NFS mounted!)
• editing system scripts (like the contents of /etc/rc).
• Symlink traversal attacks - create a symlink to /etc/passwd and then edit that to bypass any sort of file whitelisting.

You might as well just give NOPASSWD: ALL because all you're really relying on is that your users aren't going to do something dumb as root.

Add on the additional point - lots of people have favourite editors. I've used ed when I had to, and mostly use vim these days. But not everyone likes them. One of the big advantages of sudoedit is that it lets you use whatever.