Date: Tue, 8 Jun 1999 21:23:55 +0200
From: Bencsath Boldizsar <boldi@BUDAPEST.HU>
To: BUGTRAQ@netspace.org
Subject: unneeded information in sudo

Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not
a very big problem, but when I set a directory _not_ accessible to anyone
but root, I want to make sure nobody knows what files are in it.
Both for executables and non-executables: if there is no file, "No such file or
directory"; if it exists, "Permission denied" if not executable, "You are not
in sudoers" if executable.


> ls -la a
total 4
drwx------   2 root     root         1024 Jun  8 21:25 .
drwx------   7 root     root         1024 Jun  8 21:22 ..
-rwxr-xr-x   1 root     root         1363 Jun  8 21:23 doit
> su - alias
No directory, logging in with HOME=/
$ /root/a/doit
su: /root/a/doit: Permission denied
$ /root/a/doit2
su: /root/a/doit2: Permission denied
$ sudo /root/a/doit
alias is not in the sudoers file.  This incident will be reported.

$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory
$ dpkg -l sudo
....
||/ Name            Version        Description
+++-===============-==============-============================================
ii  sudo            1.5.6p2-2      Provides limited super user privileges

> chmod a-x /root/a/doit
> su - alias
No directory, logging in with HOME=/
$ sudo /root/a/doit
sudo: /root/a/doit: Permission denied
$ sudo /root/a/doit2
sudo: /root/a/doit2: No such file or directory


boldi

---------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 09:36:50 +0300
From: Brock Rozen <brozen@TORAH.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

I just submitted this to the Debian BTS at submit@bugs.debian.org

It should appear soon (a day or two) at
http://www.debian.org/Bugs/db/pa/lsudo.html

I don't have a direct url because the bug hasn't been assigned a tracking
number yet. The above url should do, and I submitted the bug with a
severity level of "Important", so it should be at the top of that page.

Thanks,

--
Brock Rozen                                              brozen@torah.org
Director of Technical Services                             (410) 602-1350
Project Genesis                                     http://www.torah.org/

---------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 14:12:53 -0500
From: Randy Mclean <rmclean@NATDOOR.COM>
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

Well I just verified it on FreeBSD. I guess sudo checks if a file exists
before it checks the sudoers list. The fact that sudo is suid, it does have
access to check the entire system for files. It seems to me that this is a
SLIGHT bug. Even if someone wanted to find the contents of the directory
they would basically have to try file names at random or run a program to
try different letter combinations. In either case the system will send
messages to root with the list of users who attempt to use sudo and who
aren't privileged to use sudo. Also couldn't you just change the
permissions on the files so a normal user couldn't access the files anyhow?

At 09:23 PM 6/8/99 +0200, Bencsath Boldizsar wrote:
>Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or not. It's not
>a very big problem, but when I set a directory _not_ accessible to anyone
>but root, I want to make sure nobody knows what files are in it.
>Both for executables and non-executables: if there is no file, "No such file or
>directory"; if it exists, "Permission denied" if not executable, "You are not
>in sudoers" if executable.
>
>
>> ls -la a
>total 4
>drwx------   2 root     root         1024 Jun  8 21:25 .
>drwx------   7 root     root         1024 Jun  8 21:22 ..
>-rwxr-xr-x   1 root     root         1363 Jun  8 21:23 doit
>> su - alias
>No directory, logging in with HOME=/
>$ /root/a/doit
>su: /root/a/doit: Permission denied
>$ /root/a/doit2
>su: /root/a/doit2: Permission denied
>$ sudo /root/a/doit
>alias is not in the sudoers file.  This incident will be reported.
>
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>$ dpkg -l sudo
>...
>||/ Name            Version        Description
>+++-===============-==============-============================================
>ii  sudo            1.5.6p2-2      Provides limited super user privileges
>
>> chmod a-x /root/a/doit
>> su - alias
>No directory, logging in with HOME=/
>$ sudo /root/a/doit
>sudo: /root/a/doit: Permission denied
>$ sudo /root/a/doit2
>sudo: /root/a/doit2: No such file or directory
>
>
>boldi

--
Randy Mclean
Security/Network Administrator
rmclean@natdoor.com

---------------------------------------------------------------------------

Date: Wed, 9 Jun 1999 12:01:15 -0700
From: Samuel Mikes <smikes@alumni.hmc.edu>
To: BUGTRAQ@netspace.org
Subject: unneeded information in sudo

>> "Bencsath" == Bencsath Boldizsar <boldi@BUDAPEST.HU> writes:
Bencsath> Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or
Bencsath> not. It's not a very big problem, but when I set a
Bencsath> directory _not_ accessible to anyone but root, I want to
Bencsath> make sure nobody knows what files are in it.  Both for
Bencsath> executables and non-executables: if there is no file, "No
Bencsath> such file or directory"; if it exists, "Permission denied" if
Bencsath> not executable, "You are not in sudoers" if executable.

  This problem has been known for over a year -- probably longer.
Everyone agrees that it's wrong behavior in sudo; nobody has felt
motivated enough to write a patch for it.

  If you contact sudo-bugs@courtesan.com or sudo-workers (also at
courtesan?), they'll tell you all about it.

Cheers,
--
Sam Mikes
smikes@alumni.hmc.edu

---------------------------------------------------------------------------

Date: Thu, 10 Jun 1999 14:02:04 -0500
From: Emad El-Haraty <elharaty@UTDALLAS.EDU>
To: BUGTRAQ@netspace.org
Subject: Re: unneeded information in sudo

On Wed, 9 Jun 1999, Samuel Mikes wrote:

> >> "Bencsath" == Bencsath Boldizsar <boldi@BUDAPEST.HU> writes:
> Bencsath> Sudo (Debian, v1.5.6p2-2) tells anyone if a file exists or
> Bencsath> not. It's not a very big problem, but when I set a
> Bencsath> directory _not_ accessible to anyone but root, I want to
> Bencsath> make sure nobody knows what files are in it.  Both for
> Bencsath> executables and non-executables: if there is no file, "No
> Bencsath> such file or directory"; if it exists, "Permission denied" if
> Bencsath> not executable, "You are not in sudoers" if executable.
>
When configuring (at compile time) would setting --disable-path-info
stop this problem?

Here is its description:
  --disable-path-info
        Normally, sudo will tell the user when a command could not be found
        in their $PATH.  Some sites may wish to disable this as it could
        be used to gather information on the location of executables that
        the normal user does not have access to.



 Emad El-Haraty
 "The best thing about computers is that they fly around the room when you
  get real mad at them."
                    -- Joe Ely Carrales, III
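The whole thread turns on one ordering decision: the front end in the original report looks at the command file (stat, executable bit, $PATH lookup) before it consults sudoers, so the three distinct error strings act as an existence oracle for a directory the caller cannot list; Emad's --disable-path-info question is the same concern applied to $PATH lookups. The model below is an added example written for this page, not sudo's own source: a leaky dispatcher with the reported ordering next to a hardened one that lets the policy decide what the caller may learn, plus a small regression check a maintainer could keep. The file system, the users, the sudoers set, the search path and the "unable to execute" wording are all constructed for the example; `resolve`, `leaky_dispatch`, `hardened_dispatch` and `leaks_existence` are illustrative names.

```python
"""Check ordering and uniform error messages in a sudo-like front end.

Added example; not sudo's own code. It models the behaviour reported in the
thread: a setuid front end that examines the command file before deciding
whether the caller may run anything at all, so its error text tells an
unprivileged caller whether a file exists inside a mode-0700 directory.
The hardened variant decides policy first and collapses every outcome an
unauthorised caller is not entitled to learn about into one message; the
path_info flag plays the role of --disable-path-info for $PATH lookups.
File system, users, policy and message wording below are constructed.
"""

# Constructed file system: absolute path -> executable bit.
# A path absent from the dict does not exist.
FS = {
    "/root/a/doit": True,    # in a root-only directory, executable
    "/root/a/quiet": False,  # in a root-only directory, not executable
    "/usr/bin/id": True,     # ordinary world-reachable command
}
SUDOERS = {"root", "ops"}    # constructed policy; "alias" is deliberately absent
SEARCH_PATH = ["/usr/bin", "/root/a"]

DENIED = "{user} is not in the sudoers file.  This incident will be reported."


def resolve(cmd, fs=FS, search_path=SEARCH_PATH):
    """Return cmd's absolute path, or None if no such file. Names without a
    slash are searched along search_path, as a shell would with $PATH."""
    if "/" in cmd:
        return cmd if cmd in fs else None
    for directory in search_path:
        candidate = f"{directory}/{cmd}"
        if candidate in fs:
            return candidate
    return None


def leaky_dispatch(user, cmd, fs=FS, sudoers=SUDOERS):
    """Vulnerable order: report file state first, consult the policy last.
    Three different messages reach a caller who is not in sudoers at all."""
    path = resolve(cmd, fs)
    if path is None:
        if "/" in cmd:
            return f"sudo: {cmd}: No such file or directory"
        return f"sudo: {cmd}: command not found"
    if not fs[path]:
        return f"sudo: {cmd}: Permission denied"
    if user not in sudoers:
        return DENIED.format(user=user)
    return f"exec {path}"


def hardened_dispatch(user, cmd, fs=FS, sudoers=SUDOERS, path_info=True, audit=None):
    """Hardened order: the policy decides what the caller may learn.
    The path is still resolved (a per-command sudoers check would need it),
    but the result is disclosed only to a caller the policy admits."""
    path = resolve(cmd, fs)
    if user not in sudoers:
        if audit is not None:   # detail goes to the log for root, not to the caller
            audit.append(f"denied user={user} cmd={cmd!r} resolved={path!r}")
        return DENIED.format(user=user)
    if path is None:
        if "/" in cmd:
            return f"sudo: {cmd}: No such file or directory"
        if path_info:
            return f"sudo: {cmd}: command not found"
        # path_info off: a failed $PATH lookup is reported no more
        # specifically than any other failure to run the command.
        return f"sudo: unable to execute {cmd}"
    if not fs[path]:
        return f"sudo: {cmd}: Permission denied"
    return f"exec {path}"


def leaks_existence(dispatch, user, present, absent, **kwargs):
    """Regression check: does an unauthorised caller get different answers
    for a file that exists and one that does not?"""
    return dispatch(user, present, **kwargs) != dispatch(user, absent, **kwargs)


if __name__ == "__main__":
    for fn in (leaky_dispatch, hardened_dispatch):
        for target in ("/root/a/doit", "/root/a/quiet", "/root/a/doit2"):
            print(f"{fn.__name__:18} alias {target:14} -> {fn('alias', target)}")
        print(f"{fn.__name__:18} existence oracle:",
              leaks_existence(fn, "alias", "/root/a/doit", "/root/a/doit2"))
```

Run as a script it reproduces the three messages from the original session for the leaky order and a single message for the hardened one. The detail that the hardened variant withholds from the caller is not lost: it goes into the audit list, which is where Randy's point about root receiving reports of failed attempts belongs, so the defender keeps the signal while the unprivileged caller loses the oracle.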