Note: I'm not sure if it is really a vulnerability, or if it should be an issue instead.
Summary
In the SSH configuration documentation, the sudoers line that you suggest can be abused to edit any file on the system.
Details
You suggest adding the following line to the sudoers file:
terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/*
This is highly insecure: the wildcard also matches ../, so the destination can escape the folder and any file on the system can be overwritten.
PoC
Using a terraform user with the previously mentioned line in the /etc/sudoers file, I can add a /etc/sudoers.d/sudo file using this command:
echo "ALL=(ALL) NOPASSWD:ALL" | tee /var/lib/vz/../../../etc/sudoers.d/sudo
And then I have full root access to the node.
Impact
This breaks the access restrictions intended for the Terraform user.
Suggested workaround
Use a strict pattern on the command arguments so that only the file names this user is expected to push are allowed.
Example for cloud-init YAML files:
terraform ALL=(root) NOPASSWD: /usr/bin/tee /var/lib/vz/snippets/[A-Za-z0-9-]*\\.yaml
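To make the problem and a stronger mitigation concrete, here is an added Python example (not part of this report and not the provider's code). It models sudo's argument matching with fnmatch (assumption: sudo matches command arguments with fnmatch(3) and no FNM_PATHNAME, so a wildcard also matches slashes) and shows the containment check that a dedicated wrapper script, granted instead of tee, could apply to the destination path before writing.

```python
"""Model of the sudoers glob problem from this report, plus the containment
check a wrapper script could apply to the destination (constructed example)."""
import fnmatch
import os


def sudo_args_match(pattern: str, args: str) -> bool:
    """True if a sudoers argument pattern would admit this argument string.

    Assumption: sudo matches arguments with fnmatch(3) and flags 0, so '*'
    matches any characters, including '/' and '..' components.
    """
    return fnmatch.fnmatchcase(args, pattern)


def destination_allowed(path: str, base: str = "/var/lib/vz") -> bool:
    """Reject any destination whose resolved path leaves `base`.

    realpath collapses '..' components and follows symlinks, so
    /var/lib/vz/../../../etc/sudoers.d/sudo resolves to /etc/sudoers.d/sudo
    and fails the containment test, while a real snippet path passes.
    """
    real_base = os.path.realpath(base)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_base, real_path]) == real_base


# Constructed inputs: the sudoers argument pattern and the PoC destination
# quoted in the report, plus a legitimate snippet path for comparison.
RULE_ARGS = "/var/lib/vz/*"
POC_DEST = "/var/lib/vz/../../../etc/sudoers.d/sudo"
GOOD_DEST = "/var/lib/vz/snippets/vm-100.yaml"

if __name__ == "__main__":
    for dest in (POC_DEST, GOOD_DEST):
        print(f"{dest}")
        print(f"  sudoers glob admits it:        {sudo_args_match(RULE_ARGS, dest)}")
        print(f"  resolves inside /var/lib/vz:   {destination_allowed(dest)}")
```

sudo_args_match can be run against any candidate argument pattern before it is deployed, and destination_allowed is the check to put in a wrapper script rather than relying on the pattern alone.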