[Bug 2027581] Re: useradd grants root privileges to admin user

Thu Jul 13 08:47:25 UTC 2023

On UbuntuCore the default user added by console-conf is automatically
granted passwordless sudo.

the /etc/group file is on a readonly filesystem and contains the sudo
group, this usually prevents you from accidentially adding extra sudo
users (UbuntuCore exclusively uses /var/lib/extrausers for addtional
users and snapd (being the management authority) normally creates
snippets in /etc/sudoers.d on a per user basis)

in earlier UbuntuCore releases the admin group still existed in the
readonly /etc/group so adding such a user would have been prevented by
the readonly state of the file.

now you can unconditionally create such a user and automatically get
sudo privs without having to go through a system-user assertion managed
by snapd (which is the only process that can create snippets in
/etc/sudoers.d on these systems)

if not considered a security hole (due to the fact that you can
circumvent the documented locked down user creation process via system-
user-assertions for this type of systems) this is at least a heavy
inconsistency ... we should either add an admin group to the core snaps
readonly /etc/group or wipe the admin line from sudoers so we match the
documented behavior.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sudo in Ubuntu.
https://bugs.launchpad.net/bugs/2027581

Title:
  useradd grants root privileges to admin user

Status in sudo package in Ubuntu:
  New

Bug description:
  Hi,

  As part of the Ubuntu Core 20, if a developer creates a user named
  either admin or Admin, it will have  root privileges by default. I
  think that this is a security issue but it requires input from the
  security engineers/specialists.

  Basically, if you look at the sudoers file under `/etc/sudoers`, you
  will realize the following line;

  ```
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  ```

  And if someone creates a user by using admin as name, the system
  provide root privilege.

  ```
  sudo useradd -s /bin/bash -u 8003 -d /home/Admin --extrausers Admin
  iotuc at ubuntu:~$ su Admin
  Password:
  Admin at ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  Admin at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
  [sudo] password for Admin:
  #
  # This file MUST be edited with the 'visudo' command as root.
  #
  # Please consider adding local content in /etc/sudoers.d/ instead of
  # directly modifying this file.
  #
  # See the man page for details on how to write a sudoers file.
  #
  Defaults    env_reset
  Defaults    mail_badpass
  Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
  # Host alias specification
  # User alias specification
  # Cmnd alias specification
  # User privilege specification
  root    ALL=(ALL:ALL) ALL
  # Members of the admin group may gain root privileges
  %admin ALL=(ALL) ALL
  # Allow members of group sudo to execute any command
  %sudo    ALL=(ALL:ALL) ALL
  # See sudoers(5) for more information on "#include" directives:
  #includedir /etc/sudoers.d
  Admin at ubuntu:/home/iotuc$
  ```

  Similarly, if I create a username called aydogar, it does not have
  root privilege and this is expected.

  ```
  sudo useradd -s /bin/bash -u 8004 -d /home/aydogar --extrausers aydogar
  iotuc at ubuntu:~$ su aydogar
  Password:
  aydogar at ubuntu:/home/iotuc$ cat /etc/sudoers
  cat: /etc/sudoers: Permission denied
  aydogar at ubuntu:/home/iotuc$ sudo cat /etc/sudoers
  [sudo] password for aydogar:
  aydogar is not in the sudoers file.  This incident will be reported.
  aydogar at ubuntu:/home/iotuc$
  ```

  I think, this is a bug but would love here other ideas and inputs.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sudo/+bug/2027581/+subscriptions