SUDO security hole

[ArakelYorghanjyan]

Everything works as documented!
But now I've stumbled upon a security hole!
If you add all users to the linux-sudo group, they will end up in the sudo group on the device, sounds good, but it turns out that any employee of the company who is in this group can log in to a colleague's device and again be in the sudo group, respectively, he can gain access to other people's data.
Another interesting question is, in fact, when a user registers, the device is registered in Entra ID, but how do you make an unjoin/unregister?

[adombeck]

Hi, thanks for reaching out, but if you suspect that you have found a security vulnerability, please report it privately as documented in https://github.com/ubuntu/authd/blob/main/SECURITY.md#private-vulnerability-reporting. Fortunately, I don't think what you describe is a security vulnerability.

it turns out that any employee of the company who is in this group can log in to a colleague's device and again be in the sudo group, respectively, he can gain access to other people's data.

Yes, if you add a user to the linux-sudo group, they will have sudo access on all machines which they are allowed to log into via authd. That's the intended behavior.

Note that with the next release, it will be possible to specify in the broker configuration which users are allowed to log in via authd on the machine, and the default (for new installations) will be that only the first user who logs in via authd will be allowed. You can view a preview of the documentation for that here and you can already try it out by installing the authd-msentraid snap from the edge channel.

[3v1n0]

When you've sudo powers, you have them all!

However you can still control what sudo users can do by tuning the sudoers file so for example you can just allow a subgroup to just use specific commands.

[ArakelYorghanjyan]

@adombeck and @3v1n0 many thanks!
This product is really great!
We need it in production ASAP!