Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

Hi,

just add the noshells-option to each vi in sudoers:

testuser ALL = NOPASSWD: /usr/bin/vi, !SHELLS

this still allows to exit from vi, but only to the calling user

regards,

------------------------------
Juergen Maehlmann
------------------------------

Original Message:
Sent: Tue March 09, 2021 03:29 AM
From: Russell Adams
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

On Tue, Mar 09, 2021 at 08:56:04AM +0000, Juergen Maehlmann via IBM Community wrote:
> just add the noshells-option to each vi in sudoers:
>
> testuser ALL = NOPASSWD: /usr/bin/vi, !SHELLS
>
> this still allows to exit from vi, but only to the calling user

On Linux with vim you could pass -z (restricted). Sudo's NOEXEC
directive might work, though it only works on dynamically linked
executables. sudoedit is also an option.

Basically that sudo/vi combo is quite common, there are many
workarounds. On the other hand, I feel like when they added the sudo
line it was already known to fail.

On the other hand, maybe your security team would prefer you not to
run unsupported open source software on AIX. Consider purchasing
commercial support for Sudo, and they could guide you to securing it.

------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/9/2021 3:56:00 AM
From: Juergen Maehlmann
Subject: RE: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Hi,

just add the noshells-option to each vi in sudoers:

testuser ALL = NOPASSWD: /usr/bin/vi, !SHELLS

this still allows to exit from vi, but only to the calling user

regards,

------------------------------
Juergen Maehlmann
------------------------------

Original Message:
Sent: Tue March 09, 2021 03:29 AM
From: Russell Adams
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

yes , Thanks.  I changed !SHELLS to !SHELL  to make it work .

------------------------------
Nag N
------------------------------

Original Message:
Sent: Tue March 09, 2021 03:56 AM
From: Juergen Maehlmann
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Hi,

just add the noshells-option to each vi in sudoers:

testuser ALL = NOPASSWD: /usr/bin/vi, !SHELLS

this still allows to exit from vi, but only to the calling user

regards,

------------------------------
Juergen Maehlmann

Original Message:
Sent: Tue March 09, 2021 03:29 AM
From: Russell Adams
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

There is a gotcha.
You've forbidden user from forking the shell used as users login shell, which can be for example /usr/bin/ksh, but the user can run as root /bin/ksh, which is the same shell, different path, ergo different command to sudo, because /bin is symlink to /usr/bin. Also the user can fork /bin/sh, /usr/bin/sh, /bin/csh, /usr/bin/csh etc as root user.
In another operating system in sudoers manual, the command alias SHELLS is defined as

Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
/usr/local/bin/tcsh, /usr/bin/rsh,\
/usr/local/bin/zsh

Best regards,
Esa

------------------------------
Esa Kärkkäinen
------------------------------

Original Message:
Sent: Wed March 10, 2021 12:20 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

yes , Thanks.  I changed !SHELLS to !SHELL  to make it work .

------------------------------
Nag N

Original Message:
Sent: Tue March 09, 2021 03:56 AM
From: Juergen Maehlmann
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Hi,

just add the noshells-option to each vi in sudoers:

testuser ALL = NOPASSWD: /usr/bin/vi, !SHELLS

this still allows to exit from vi, but only to the calling user

regards,

------------------------------
Juergen Maehlmann

Original Message:
Sent: Tue March 09, 2021 03:29 AM
From: Russell Adams
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

Thanks Russell for the details.

------------------------------
Nag N
------------------------------

Original Message:
Sent: Tue March 09, 2021 03:29 AM
From: Russell Adams
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

On Tue, Mar 09, 2021 at 02:12:04AM +0000, Nag N via IBM Community wrote:
> Our security team did a test by adding below line to sudoers file .
>
> testuser ALL = NOPASSWD: /usr/bin/vi
>
> when "testuser" runs command "sudo vi <file> " and when user escapes
> to shell from vi by typing :!ksh , it provides root window to test
> user .

That's not a sudo issue, that is vi. Basically you assigned the test
user access as root to an insecure application. The fix? Don't assign
root access to insecure applications to users.

> Is there any solution for this issue. The reason we are upgrading
> to fix vulnerability but it is creating another security issue. Any
> help or suggestion to bypass this problem is appreciated.

You're upgrading Sudo to fix a problem with the Sudo binary. The
solution is to not assign vi to users. This vi issue is always
present, it was not introduced by the upgrade.

> Another issue, after the upgrade, the new suderos file had entry
> @includedir /etc/sudoers.d before upgrade it was #includedir
> /etc/sudoers.d . The # sign is changed to@ ..This is not serious
> issue, I can change back to # sign, but it is the upgraded version
> uses #includedir /etc/sudoers.d

Always backup your configuration files.


------------------------------------------------------------------
Russell Adams Russell.Adams@AdamsSystems.nl
Principal Consultant Adams Systems Consultancy
http://adamssystems.nl/


Original Message:
Sent: 3/8/2021 9:12:00 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------
</file>

Allowing the use of vi via sudo is a well know security issue, it's been around for years.  Your security team was possibly testing your knowlage of secure sudo configurations.  The use of vi or any other program that allows exit to a shell whould never should never be allowed in a sudo configuration.

------------------------------
Phill Rowbottom
------------------------------

Original Message:
Sent: Mon March 08, 2021 09:12 PM
From: Nag N
Subject: Security hole after upgrading to "sudo_noldap-1.9.5p2-1.ppc"

Our security team did a test by adding below line to sudoers file .

testuser ALL = NOPASSWD: /usr/bin/vi

when "testuser" runs  command  "sudo vi <file> " and when user escapes to shell from vi  by typing  :!ksh , it provides root window to test user . 
Is there any solution for this issue.  The reason we are upgrading  to fix vulnerability but it is creating another security issue. Any help or suggestion to bypass this problem  is appreciated.

Another issue, after the upgrade, the new suderos file had entry  @includedir /etc/sudoers.d  before upgrade it was #includedir /etc/sudoers.d .  The # sign is changed to@ ..This is  not serious issue, I can change back to # sign, but it is the upgraded version uses 
#includedir /etc/sudoers.d

Thanks



​​​​​

------------------------------
Nag N
------------------------------