Security vulnerability of sudo_session_enabled implementation
#2151
Labels: area:security, comp:agent, type:bug
What Operating System(s) are you seeing this problem on?
Linux (x86-64)
Backend.AI version
23.09
Describe the bug
Passwordless sudo was implemented in #1530.
However, this has a security vulnerability in the following situations.
To Reproduce
Here, we assume that sudo.enabled_sudo_session is set to False and that the "python" image contains the sudo binary.
Expected Behavior
Since sudo_session_enabled is set to False, the expected behavior is that sudo should not be available.
Anything else?
In the current implementation, passing environment variables allows sudo to be used.