Description
In exec.c, trusted_setid_script is checked via:

```c
bool trusted_setid_script = strcmp(path, "/usr/local/bin/sudo") == 0;
```
If sudo or other setuid-escalation wrappers (like pkexec) are located elsewhere (e.g. /usr/bin/sudo, /usr/bin/pkexec, or /bin/sudo) or executed via a relative path (e.g. if the guest shell executes sudo or pkexec using $PATH resolution, or ./sudo), strcmp will fail because path is the raw relative guest path passed to execve.
If the check fails for these script wrappers:

- trusted_setid_script is false.
- Because exec_is_script is also false (due to Issue 3), the setuid bit is processed.
- The process is set to real UID = 1000, effective UID = 0.
- The shell interpreter (e.g., bash or sh) executes.
- Due to security mechanisms in standard shells, if real UID (1000) != effective UID (0), the shell immediately drops the effective UID back to 1000.
Impact
Invoking sudo or pkexec via relative paths or from directories other than exactly /usr/local/bin/sudo will cause the wrapper scripts to silently drop root privileges, rendering them useless in the guest system.
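The following is an added illustration, not code from exec.c or the project: it places the literal strcmp check described above next to a check that first canonicalises the guest path (prefixing the guest cwd for relative paths, removing "." and "..", collapsing repeated slashes) and then matches it against an allowlist of wrapper locations. The allowlist contents and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define GUEST_PATH_MAX 4096

/* Constructed allowlist of wrapper scripts the loader should trust (hypothetical). */
static const char *const trusted_setid_scripts[] = {
    "/usr/local/bin/sudo", "/usr/bin/sudo", "/bin/sudo", "/usr/bin/pkexec", NULL,
};

/* The check as the issue describes it: the raw execve path against one literal. */
bool trusted_setid_script_naive(const char *path) {
    return strcmp(path, "/usr/local/bin/sudo") == 0;
}

/* Lexically canonicalise a guest path: prefix the guest cwd when relative,
 * drop ".", resolve ".." and collapse repeated slashes. Returns 0 on success.
 * Symlinks are not followed; a real loader should compare the resolved target. */
int canonicalize_guest_path(const char *cwd, const char *path, char *out, size_t outsz) {
    char buf[GUEST_PATH_MAX];
    int n = (path[0] == '/') ? snprintf(buf, sizeof buf, "%s", path)
                             : snprintf(buf, sizeof buf, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof buf || outsz < 2) return -1;
    size_t len = 0; out[0] = '\0';
    for (char *c = strtok(buf, "/"); c; c = strtok(NULL, "/")) {
        if (strcmp(c, ".") == 0) continue;
        if (strcmp(c, "..") == 0) {            /* pop the last component, if any */
            while (len > 0 && out[len - 1] != '/') len--;
            if (len > 0) len--;
            out[len] = '\0';
            continue;
        }
        size_t clen = strlen(c);
        if (len + 1 + clen + 1 > outsz) return -1;
        out[len++] = '/';
        memcpy(out + len, c, clen);
        len += clen;
        out[len] = '\0';
    }
    if (len == 0) strcpy(out, "/");          /* everything cancelled out: root */
    return 0;
}

/* Hardened check: canonicalise first, then match against the whole allowlist. */
bool trusted_setid_script(const char *cwd, const char *path) {
    char canon[GUEST_PATH_MAX];
    if (canonicalize_guest_path(cwd, path, canon, sizeof canon) != 0) return false;
    for (const char *const *p = trusted_setid_scripts; *p; ++p)
        if (strcmp(canon, *p) == 0) return true;
    return false;
}
```

With this, "./sudo" run from /usr/local/bin and "/usr/bin/pkexec" are both recognised, while a same-named script in an untrusted directory is still rejected; since the comparison is lexical, a loader that wants to be robust against symlinks should compare the identity of the file it actually opens rather than the string alone.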