[Bug 2091898] [NEW] Non root user is able to kill root process started with sudo
Julio Lajara
2091898 at bugs.launchpad.net
Mon Dec 16 20:21:06 UTC 2024
Public bug reported:
Expected 18.04 behavior, regular user cannot stop root process:
```
$ docker run --rm -it ubuntu:18.04 bash
root@584d4bcca9d3:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu bionic-security InRelease [102 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:3 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages [1637 kB]
Get:4 http://security.ubuntu.com/ubuntu bionic-security/restricted amd64 Packages [1688 kB]
Get:5 http://security.ubuntu.com/ubuntu bionic-security/multiverse amd64 Packages [23.8 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages [3373 kB]
Get:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease [102 kB]
Get:8 http://archive.ubuntu.com/ubuntu bionic-backports InRelease [102 kB]
Get:9 http://archive.ubuntu.com/ubuntu bionic/restricted amd64 Packages [13.5 kB]
Get:10 http://archive.ubuntu.com/ubuntu bionic/universe amd64 Packages [11.3 MB]
Get:11 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages [1344 kB]
Get:12 http://archive.ubuntu.com/ubuntu bionic/multiverse amd64 Packages [186 kB]
Get:13 http://archive.ubuntu.com/ubuntu bionic-updates/multiverse amd64 Packages [30.8 kB]
Get:14 http://archive.ubuntu.com/ubuntu bionic-updates/restricted amd64 Packages [1728 kB]
Get:15 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages [2411 kB]
Get:16 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages [3786 kB]
Get:17 http://archive.ubuntu.com/ubuntu bionic-backports/main amd64 Packages [64.0 kB]
Get:18 http://archive.ubuntu.com/ubuntu bionic-backports/universe amd64 Packages [20.6 kB]
Fetched 28.2 MB in 3s (8820 kB/s)
Reading package lists... Done
root@584d4bcca9d3:/# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
sudo
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 430 kB of archives.
After this operation, 1765 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 sudo amd64 1.8.21p2-3ubuntu1.6 [430 kB]
Fetched 430 kB in 0s (1531 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4050 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.21p2-3ubuntu1.6_amd64.deb ...
Unpacking sudo (1.8.21p2-3ubuntu1.6) ...
Setting up sudo (1.8.21p2-3ubuntu1.6) ...
root@584d4bcca9d3:/# useradd -m test
root@584d4bcca9d3:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@584d4bcca9d3:/# su - test
$ sudo sleep infinity & echo $!
268
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 18516 3484 pts/0 Ss 17:59 0:00 bash
root 264 0.0 0.0 49276 3064 pts/0 S 18:00 0:00 su - test
test 265 0.0 0.0 4636 792 pts/0 S 18:00 0:00 -su
root 268 0.0 0.0 47708 3520 pts/0 S 18:00 0:00 sudo sleep infinity
root 269 0.0 0.0 4540 852 pts/0 S 18:00 0:00 sleep infinity
test 270 0.0 0.0 34412 2916 pts/0 R+ 18:00 0:00 ps aux
$ kill 268
-su: 3: kill: Operation not permitted
$ kill 269
-su: 4: kill: Operation not permitted
$ echo "done!"
done!
$ exit
root@584d4bcca9d3:/# exit
exit
```
Expected 20.04 behavior, regular user cannot stop root process:
```
$ docker run --rm -it ubuntu:20.04 bash
root@f9c9cf1d85d6:/# apt-get update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:5 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:6 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1566 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4570 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4289 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1276 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [33.5 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:17 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4111 kB]
Get:18 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4090 kB]
Fetched 33.5 MB in 2s (13.5 MB/s)
Reading package lists... Done
root@f9c9cf1d85d6:/# apt-get install sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 515 kB of archives.
After this operation, 2257 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 sudo amd64 1.8.31-1ubuntu1.5 [515 kB]
Fetched 515 kB in 1s (662 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4124 files and directories currently installed.)
Preparing to unpack .../sudo_1.8.31-1ubuntu1.5_amd64.deb ...
Unpacking sudo (1.8.31-1ubuntu1.5) ...
Setting up sudo (1.8.31-1ubuntu1.5) ...
root@f9c9cf1d85d6:/# useradd -m test
root@f9c9cf1d85d6:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@f9c9cf1d85d6:/# su - test
$ sudo sleep infinity & echo $!
270
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4112 3536 pts/0 Ss 18:08 0:00 bash
root 266 0.0 0.0 4520 2908 pts/0 S 18:09 0:00 su - test
test 267 0.0 0.0 2612 1904 pts/0 S 18:09 0:00 -sh
root 270 0.0 0.0 5008 3504 pts/0 S 18:09 0:00 sudo sleep infinity
root 271 0.0 0.0 2512 580 pts/0 S 18:09 0:00 sleep infinity
test 272 0.0 0.0 5896 2872 pts/0 R+ 18:09 0:00 ps aux
$ kill 270
-sh: 3: kill: Operation not permitted
$ kill 271
-sh: 4: kill: Operation not permitted
$ exit
root@f9c9cf1d85d6:/# exit
exit
```
Bad/unexpected 22.04 behavior, non root user is permitted to kill root
process:
```
$ docker run --rm -it ubuntu:22.04 bash
root@1fb06b5a21bb:/# apt-get update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [44.7 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [3241 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [2397 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1163 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [2696 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [51.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1452 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [3353 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [81.4 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [33.7 kB]
Fetched 34.9 MB in 3s (10.2 MB/s)
Reading package lists... Done
root@1fb06b5a21bb:/# apt-get install sudo
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 821 kB of archives.
After this operation, 2568 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 sudo amd64 1.9.9-1ubuntu2.4 [821 kB]
Fetched 821 kB in 1s (963 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package sudo.
(Reading database ... 4393 files and directories currently installed.)
Preparing to unpack .../sudo_1.9.9-1ubuntu2.4_amd64.deb ...
Unpacking sudo (1.9.9-1ubuntu2.4) ...
Setting up sudo (1.9.9-1ubuntu2.4) ...
Processing triggers for libc-bin (2.35-0ubuntu3.8) ...
root@1fb06b5a21bb:/# useradd -m test
root@1fb06b5a21bb:/# echo "test ALL=(ALL) NOPASSWD: /bin/sleep" >> /etc/sudoers.d/test
root@1fb06b5a21bb:/# su - test
$ sudo sleep infinity & echo $!
255
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4624 3808 pts/0 Ss 18:02 0:00 bash
root 251 0.0 0.0 6232 3568 pts/0 S 18:02 0:00 su - test
test 252 0.0 0.0 2888 1032 pts/0 S 18:02 0:00 -sh
root 255 0.0 0.0 7236 4404 pts/0 S 18:02 0:00 sudo sleep infinity
root 256 0.0 0.0 7236 564 pts/1 Ss+ 18:02 0:00 sudo sleep infinity
root 257 0.0 0.0 2788 1056 pts/1 S 18:02 0:00 sleep infinity
test 258 0.0 0.0 7060 1604 pts/0 R+ 18:03 0:00 ps aux
$ kill 255
$ ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 4624 3808 pts/0 Ss 18:02 0:00 bash
root 251 0.0 0.0 6232 3568 pts/0 S 18:02 0:00 su - test
test 252 0.0 0.0 2888 1032 pts/0 S 18:02 0:00 -sh
test 259 0.0 0.0 7060 1584 pts/0 R+ 18:03 0:00 ps aux
[1] + Terminated sudo sleep infinity
$ exit
root@1fb06b5a21bb:/# exit
exit
```
Note that this behavior was repeated outside of a Docker container on a
regular system install and the results are the same; I just provide
Docker containers as an example here for easy reproducibility.
Also I am not sure if this would fall under sudo package or a different
package so I am opening against sudo first. I also don't know if this is
new expected behavior starting in 22.04, but at least from my
perspective it breaks from historical expected behavior.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: sudo 1.9.9-1ubuntu2.4
ProcVersionSignature: Ubuntu 6.8.0-49.49~22.04.1-generic 6.8.12
Uname: Linux 6.8.0-49-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.6
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Mon Dec 16 15:18:10 2024
InstallationDate: Installed on 2023-01-03 (712 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: sudo (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug jammy
https://bugs.launchpad.net/bugs/2091898
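A triage aid for the transcripts above, added here and not part of the original report or of sudo: it reads the `Uid:` line of `/proc/<pid>/status` and applies the kill(2) permission rule, so the `sudo` and `sleep` PIDs on each release can be compared by credential set. The function names and the two sample status texts are constructed for illustration; the samples are not captured from any of the containers in the report.

```python
"""Would the kernel let a given user signal a given process? (added example)"""
import re
import sys
from typing import NamedTuple


class Creds(NamedTuple):
    real: int
    effective: int
    saved: int
    fs: int


def parse_uid_line(status_text: str) -> Creds:
    """Return the real/effective/saved/filesystem UIDs from /proc/<pid>/status text."""
    m = re.search(r"^Uid:[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$",
                  status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no well-formed Uid: line in status text")
    return Creds(*(int(g) for g in m.groups()))


def may_signal(sender_ruid: int, sender_euid: int, target: Creds,
               sender_has_cap_kill: bool = False) -> bool:
    """Apply the kill(2) rule for an unprivileged sender.

    The sender's real or effective UID must equal the target's real or
    saved set-user-ID. The target's *effective* UID is not consulted, so a
    process shown as "root" by ps (which prints the effective user) can
    still be signalable by the invoking user. The SIGCONT same-session
    exception and user namespaces are outside this check.
    """
    if sender_has_cap_kill:
        return True
    allowed = {target.real, target.saved}
    return sender_ruid in allowed or sender_euid in allowed


def read_creds(pid: int) -> Creds:
    """Read the credentials of a live process from procfs."""
    with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
        return parse_uid_line(fh.read())


# Constructed sample: every UID of the target is 0.
SAMPLE_ALL_ROOT = (
    "Name:\tsleep\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t4241\n"
    "Uid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
)

# Constructed sample: effective UID 0, but the real UID is still the invoker's.
SAMPLE_REAL_UID_KEPT = (
    "Name:\texample\nState:\tS (sleeping)\nPid:\t4241\nPPid:\t4200\n"
    "Uid:\t1000\t0\t0\t0\nGid:\t1000\t0\t0\t0\n"
)


def explain(label: str, status_text: str, sender_uid: int) -> str:
    """One-line verdict for a status text and an unprivileged sender UID."""
    creds = parse_uid_line(status_text)
    verdict = "permitted" if may_signal(sender_uid, sender_uid, creds) else "EPERM"
    return (f"{label}: ruid={creds.real} euid={creds.effective} "
            f"suid={creds.saved} -> kill from uid {sender_uid}: {verdict}")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py <pid> <sender-uid>, run where /proc is readable.
        pid, uid = int(sys.argv[1]), int(sys.argv[2])
        creds = read_creds(pid)
        print(creds, "->", "permitted" if may_signal(uid, uid, creds) else "EPERM")
    else:
        print(explain("all-root sample", SAMPLE_ALL_ROOT, 1000))
        print(explain("real-uid-kept sample", SAMPLE_REAL_UID_KEPT, 1000))
```

Running it with the `sudo` PID and the `test` user's UID on each release shows whether the difference lies in the process's real or saved UID rather than in the effective user that `ps aux` prints.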