Root access bug through sudo!

My friend has found a bug with sudo.
His organization has Linux laptops with no root access to users. Policy pushing is through Puppet.
But by doing `sudo sudo` twice he is able to access root.
Do you guys have any clue how that's possible? Usually `sudo su` is restricted.

It's unlikely to be a bug.

Can you paste your /etc/sudoers file into the thread wrapped in code tags please. It would be useful to know the Linux supplier and version and the sudo version:-

```text
uname -a
sudo -V
```

Robin

cat /etc/sudoers

```text
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
XXXXXX   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
```

sudo -v

Sudo version 1.8.3p1

uname -a

Linux XXXXXXXXX.com 3.2.0-54-generic #82-Ubuntu SMP Tue Sep 10 20:08:42 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

Is your friend's account a member of the admin group?

The group designation is usually preceded by a percent sign as in the way it appears with the admin group. The comment preceding the XXXXXX states that it's a group but it's missing the percent sign.

Also, the following is from the sudoers man page:

root_sudo

If set, root is allowed to run sudo too. Disabling this prevents users from "chaining" sudo commands to get a root shell by doing something like "sudo sudo /bin/sh". Note, however, that turning off root_sudo will also prevent root from running sudoedit. Disabling root_sudo provides no real additional security; it exists purely for historical reasons. This flag is on by default.

From this /etc/sudoers, either you have everything or nothing. If you can `sudo sudo aaa`, then you can just `sudo aaa`.

To have any access, one must either be in the admin group or be the named user obscured by XXXXXX unless this is another group as the comment suggests. If you qualify under either, then you have full access. If you do not, you have no access.

As a simple test, I created a new user on a test server without any sudo rules and got the following:-

```text
[RBATTE2@Test-RHEL-63 ~]$ sudo ls -l 

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for RBATTE2: 
RBATTE2 is not in the sudoers file.  This incident will be reported.
[RBATTE2@Test-RHEL-63 ~]$ sudo sudo ls -l
[sudo] password for RBATTE2: 
RBATTE2 is not in the sudoers file.  This incident will be reported.
[RBATTE2@Test-RHEL-63 ~]$ ls -l /etc/sudoers
-r--r-----. 1 root root 4002 Mar  1  2012 /etc/sudoers
[RBATTE2@Test-RHEL-63 ~]$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
[RBATTE2@Test-RHEL-63 ~]$ 
```

Is this the /etc/sudoers file that is being referenced by the user in question? As you can see, I'm not even allowed to read the file, as this could give an attacker a target.

Robin

XXXXX is the user ID, which I have hidden for the sake of confidentiality; in sudoers it's not explicitly mentioned if it is part of a group or not (maybe it is done remotely through Puppet).
But I tested it on a RHEL machine by blocking `su` by adding `!/bin/su`, and `sudo sudo su -` worked on it also, so it amounts to a bug with sudoers, or blocking sudo will require some other alternative.
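An added example, not part of any poster's message and not code from sudo: a small Python audit that classifies sudoers user specifications. It illustrates why the file posted above is all-or-nothing, and why an `ALL, !/bin/su` rule still leaves `sudo sudo su -` working: the outer sudo is allowed to run sudo as root, and root's own rule is ALL. The sample text and the users alice and bob are constructed, and the parser handles only simple one-line specifications.

```python
import re

# Constructed sudoers text (not the thread's file): grants like the thread's, plus
# made-up users "alice" (the "!/bin/su" exclusion) and "bob" (an allowlist).
SAMPLE = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) ALL, !/bin/su
bob     ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
#includedir /etc/sudoers.d
"""

SPEC = re.compile(r"^(\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, NOEXEC:, ...
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

def classify(sudoers_text):
    """Map each user/group spec to (kind, denied_commands).

    kind is "full" (ALL), "denylist" (ALL minus '!' entries) or "allowlist".
    """
    result = {}
    for line in map(str.strip, sudoers_text.splitlines()):
        m = None if not line or line.startswith(SKIP) else SPEC.match(line)
        if not m:
            continue
        who = m.group(1)
        cmds = [TAGS.sub("", c.strip()) for c in m.group(2).split(",")]
        denied = [c[1:].strip() for c in cmds if c.startswith("!")]
        if "ALL" not in cmds:
            kind = "allowlist"
        else:
            kind = "denylist" if denied else "full"
        result[who] = (kind, denied)
    return result

def effective_root(sudoers_text):
    """Subjects who can reach any command as root, 'denied' ones included."""
    # With ALL granted, sudo itself (or a shell, or a copy of the binary) is
    # still permitted, so a '!' exclusion only blocks that one literal path.
    specs = classify(sudoers_text)
    return sorted(w for w, (kind, _) in specs.items() if kind != "allowlist")

if __name__ == "__main__":
    for who, (kind, denied) in classify(SAMPLE).items():
        print(f"{who:8} {kind:9} denied={denied}")
    print("effective root:", effective_root(SAMPLE))
```

Rules reported as `denylist` are the ones to rewrite as explicit allowlists of the commands a user actually needs.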

I suspect "sudo" is the name you have XXXXXXed out. That would explain "sudo sudo" working.

No :)
It's not that.

Could you post us the output for the user in question doing these, even if they are just errors as they can be good too:-

```text
id
id -Gn
sudo id
sudo sudo id
ls -l `whence sudo`
sudo -l
sudo sudo -l
sudo -V
sudo sudo -V | grep Configure
```

It might give us a bit more of a clue. I cannot replicate your observations.

Robin