[Bug 2027581] [NEW] useradd will grand root privileges for admin user
Bugra Aydogar
2027581 at bugs.launchpad.net
Wed Jul 12 13:28:43 UTC 2023
Public bug reported:
Hi,
As part of the Ubuntu Core 20, if a developer creates a user named
either admin or Admin, it will have root privileges by default. I think
that this is a security issue but it requires input from the security
engineers/specialists.
Basically, if you look at the sudoers file under `/etc/sudoers`, you
will realize the following line;
```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```
And if someone creates a user by using admin as name, the system provide
root privilege.
```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc at ubuntu:~$ su Admin
Password:
Admin at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
Admin at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Admin at ubuntu:/home/iotuc$
```
Similarly, if I create a username called aydogar, it does not have root
privilege and this is expected.
```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc at ubuntu:~$ su aydogar
Password:
aydogar at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
aydogar at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for aydogar:
aydogar is not in the sudoers file. This incident will be reported.
aydogar at ubuntu:/home/iotuc$
```
I think, this is a bug but would love here other ideas and inputs.
** Affects: sudo (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Hi,
- As part of the Ubuntu Core 20.04, if a developer creates a user named
+ As part of the Ubuntu Core 20, if a developer creates a user named
either admin or Admin, it will have root privileges by default. I think
that this is a security issue but it requires input from the security
engineers/specialists.
Basically, if you look at the sudoers file under `/etc/sudoers`, you
will realize the following line;
```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```
- And if someone creates a user by using admin as name, the system provide root privilege.
-
+ And if someone creates a user by using admin as name, the system provide
+ root privilege.
+
```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc at ubuntu:~$ su Admin
- Password:
+ Password:
Admin at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
Admin at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
- [sudo] password for Admin:
+ [sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
- Admin at ubuntu:/home/iotuc$
+ Admin at ubuntu:/home/iotuc$
```
Similarly, if I create a username called aydogar, it does not have root
privilege and this is expected.
```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc at ubuntu:~$ su aydogar
- Password:
+ Password:
aydogar at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
aydogar at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
- [sudo] password for aydogar:
+ [sudo] password for aydogar:
aydogar is not in the sudoers file. This incident will be reported.
- aydogar at ubuntu:/home/iotuc$
+ aydogar at ubuntu:/home/iotuc$
```
I think, this is a bug but would love here other ideas and inputs.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2027581
Title:
useradd will grand root privileges for admin user
Status in sudo package in Ubuntu:
New
Bug description:
Hi,
As part of the Ubuntu Core 20, if a developer creates a user named
either admin or Admin, it will have root privileges by default. I
think that this is a security issue but it requires input from the
security engineers/specialists.
Basically, if you look at the sudoers file under `/etc/sudoers`, you
will realize the following line;
```
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
```
And if someone creates a user by using admin as name, the system
provide root privilege.
```
sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
iotuc at ubuntu:~$ su Admin
Password:
Admin at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
Admin at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for Admin:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Admin at ubuntu:/home/iotuc$
```
Similarly, if I create a username called aydogar, it does not have
root privilege and this is expected.
```
sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
iotuc at ubuntu:~$ su aydogar
Password:
aydogar at ubuntu:/home/iotuc$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
aydogar at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
[sudo] password for aydogar:
aydogar is not in the sudoers file. This incident will be reported.
aydogar at ubuntu:/home/iotuc$
```
I think, this is a bug but would love here other ideas and inputs.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2027581/+subscriptions
More information about the foundations-bugs
mailing list