[Pkg-mc-devel] Bug#501303: sudo with mc provides root privileges to users

Mathieu RV robin at tcstar.myftp.org
Mon Oct 6 12:25:41 UTC 2008


Package: mc
Version: 1:4.6.1-6
Severity: critical
Tags: security
Justification: root security hole

Hello,

When a user appearing in the sudoers file uses the following command:
$ sudo mc

Midnight Commander starts within a root shell.
Look at the bottom left of the mc screen: root@computer:~#
Also, 'whoami' reports 'root'.
Then the user has full access to the filesystem as the root user.

It occurs even if the sudoers file does not allow the user access to the /usr/bin/su command.

I don't know if it is a feature, but it looks strange to me. I think that system administrators using sudo functionalities should be aware of this behaviour.

PS: This behaviour also occurs with Ubuntu 8.04 (Hardy), on a standard desktop installation.

Thanks.
Regards,
---
Mathieu RV


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages mc depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries
ii  libglib2.0-0           2.12.4-2          The GLib library of C routines
ii  libgpmg1               1.19.6-25         General Purpose Mouse - shared lib
ii  libslang2              2.0.6-4           The S-Lang programming library - r

mc recommends no packages.

-- no debconf information
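
A sudoers audit for the behaviour reported above, as an added example that is not part of the original message or of the mc or sudo projects: it flags rules that let a user run mc (or ALL) without sudo's NOEXEC tag. The sample sudoers text, the user names and the SHELL_CAPABLE list are constructed assumptions, and the parser covers only simple one-line rules and Cmnd_Alias definitions.

```python
import os
import re

# Constructed sample sudoers content; users and rules are illustrative only.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias FILETOOLS = /usr/bin/mc, /usr/bin/rsync
alice ALL = (root) /usr/bin/apt-get update
bob   ALL = (root) /usr/bin/mc
carol ALL = (root) NOEXEC: /usr/bin/mc
dave  ALL = (ALL) FILETOOLS
erin  ALL = (ALL) ALL
"""

# Assumption: basenames treated as able to spawn a shell. Only "mc" comes from the report.
SHELL_CAPABLE = {"mc"}
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")  # user host = (runas) cmds
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")                          # e.g. "NOPASSWD: NOEXEC: "

def audit_sudoers(text):
    """Return (user, command) pairs that can lead to a root shell without NOEXEC."""
    aliases, findings = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(("#", "Defaults")):
            continue
        if re.match(r"^\w+_Alias\b", line):
            if line.startswith("Cmnd_Alias"):
                name, cmds = line[len("Cmnd_Alias"):].split("=", 1)
                aliases[name.strip()] = [c.strip() for c in cmds.split(",")]
            continue
        spec = SPEC.match(line)
        if not spec:
            continue
        user, cmd_list = spec.groups()
        noexec = False  # a tag is inherited by later commands in the same list
        for item in filter(None, map(str.strip, cmd_list.split(","))):
            tags = TAGS.match(item)
            if tags:
                if "EXEC:" in tags.group(0):  # substring of both EXEC: and NOEXEC:
                    noexec = "NOEXEC:" in tags.group(0)
                item = item[tags.end():].strip()
            for cmd in aliases.get(item, [item] if item else []):
                name = os.path.basename(cmd.split()[0])
                if not noexec and (cmd == "ALL" or name in SHELL_CAPABLE):
                    findings.append((user, cmd))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS))
```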
