All versions of Centrify Infrastructure Services

Question:
Is Centrify dzdo affected by the vulnerability CVE-2019-14287?
Answer:
Centrify dzdo has its own policy settings, the DirectAuthorize Command settings, in which the dzdo_runas attribute defines the user/group a command may run as. This setting is specific: it allows only an exact name, an exact ID, SELF, or ALL.
dzdo always checks the validity of the target user/group whenever it is not SELF or ALL, so Centrify dzdo does not fall for this bypass trick.
A quick example:
- The DirectAuthorize command right granted to the test user is:
Name Command Path Run As Auth Exec Source Roles
--------------- ---------- --------- ------- ----- ----- --------------------
id/ng_child id User # Self Yes UNIX Login/ng_child
- While the equivalent sudoers entry is set up as:
smk2k12r2-test1 ALL=(ALL, !root) PASSWD: /usr/bin/id
- The sudo and dzdo versions under test:
Sudo version 1.8.23
Dzdo version 5.6.0-209 (based on Sudo version 1.8.20p2)
- Due to the vulnerability, sudo runs the command as root despite the !root exclusion:
sudo -u \#-1 id
[sudo] password for smk2k12r2-test1:
uid=0(root) gid=10000(unixgroup) groups=10000(unixgroup) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
- As shown below, dzdo is not affected:
dzdo -u \#-1 id
Sorry, user smk2k12r2-test1 is not allowed to execute '/bin/id' as #-1 on numenor.
Looking at the debug log in detail, dzdo performed a real check of the requested UID and denied it:
Oct 15 13:39:14 localhost dzdo: DEBUG dz.rights match(command = /bin/id, binary = /bin/id, as = #-1, checkSelf = false) against pattern = id
Oct 15 13:39:14 localhost dzdo: DEBUG dz.rights requested user #-1 not allowed for this command object
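As an added example (my own Python, not Centrify's or sudo's code), the block below models the target-user discipline the answer describes: the requested run-as user is resolved against a real account database before the allow-list (exact name, exact ID, SELF, ALL) is consulted, so a value such as #-1 is rejected rather than being converted to uid 0. It also includes a small audit for the sudoers rule shape and sudo versions on which CVE-2019-14287 applies. The account table, the sudoers fragment and the function names are constructed for the example; the 1.8.28 cutoff is the upstream sudo release that fixed the issue and is not stated in this article. Unlike the article's description of dzdo, this model resolves the target even when the allow-list contains ALL, which is the stricter choice.

```python
"""Model of run-as target validation plus a sudoers audit for CVE-2019-14287.
Added example, not Centrify or sudo code; all data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the system account database (name -> uid).
# A real implementation would call pwd.getpwnam / pwd.getpwuid instead.
PASSWD = {"root": 0, "smk2k12r2-test1": 10000, "app": 10001}
NAME_BY_UID = {uid: name for name, uid in PASSWD.items()}


@dataclass(frozen=True)
class Target:
    name: str
    uid: int


def resolve_target(spec: str) -> Optional[Target]:
    """Resolve a -u argument to a real account, or None if it names none.

    A '#N' form must be a non-negative integer present in the account
    database, so '#-1' and '#4294967295' do not resolve instead of being
    cast to uid_t and wrapping to uid 0 as in unpatched sudo.
    """
    if spec.startswith("#"):
        body = spec[1:]
        if not body.isdigit():          # rejects '-1', '' and similar
            return None
        uid = int(body)
        name = NAME_BY_UID.get(uid)
        return Target(name, uid) if name is not None else None
    uid = PASSWD.get(spec)
    return Target(spec, uid) if uid is not None else None


def runas_allowed(invoker: str, allow: list, requested: str):
    """Decide whether `invoker` may run a command as `requested`.

    `allow` is a dzdo_runas-style list: exact names, '#uid' entries,
    'SELF' or 'ALL'. The target is validated first, so an exclusion such
    as "everyone except root" cannot be sidestepped by a UID that only
    becomes 0 after an integer conversion. Returns (allowed, reason).
    """
    target = resolve_target(requested)
    if target is None:
        return False, f"requested user {requested} does not resolve to an account"
    for entry in allow:
        if entry == "ALL":
            return True, "ALL"
        if entry == "SELF" and target.name == invoker:
            return True, "SELF"
        if entry == target.name or entry == f"#{target.uid}":
            return True, entry
    return False, f"requested user {requested} not allowed for this command object"


# --- sudoers audit -------------------------------------------------------

# A Runas_Spec granting ALL users except root, e.g. "(ALL, !root)".
RUNAS_ALL_BUT_ROOT = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
FIXED_SUDO = (1, 8, 28, 0)  # first sudo release carrying the fix (assumption, not from the article)


def sudo_version_tuple(version: str) -> tuple:
    """Parse '1.8.23' or '1.8.20p2' into a comparable tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def sudo_vulnerable(version: str) -> bool:
    """True for sudo releases before 1.8.28 (sudo itself, not dzdo)."""
    return sudo_version_tuple(version) < FIXED_SUDO


def exploitable_sudoers_rules(sudoers_text: str) -> list:
    """Return non-comment sudoers lines whose Runas_Spec is 'ALL except root'."""
    hits = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if RUNAS_ALL_BUT_ROOT.search(stripped):
            hits.append(stripped)
    return hits


# Constructed sudoers fragment mirroring the entry shown in the article.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults    env_reset
smk2k12r2-test1 ALL=(ALL, !root) PASSWD: /usr/bin/id
app ALL=(app) NOPASSWD: /usr/bin/systemctl restart app
"""

if __name__ == "__main__":
    print(runas_allowed("smk2k12r2-test1", ["SELF"], "#-1"))
    print(sudo_vulnerable("1.8.23"), sudo_vulnerable("1.8.28"))
    print(exploitable_sudoers_rules(SAMPLE_SUDOERS))
```

The order of the two checks is the whole point: resolving the requested account before applying any allow/deny logic means the deny branch never sees a value that has already been mangled by an unsigned conversion.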