Sudo bug lets users who are allowed to run commands as another user to run them as root instead

From LinuxReviews
Jump to navigationJump to search

This sudo bug is either very serious or a complete non-issue depending on your use-case. Sudo is typically used to allow one user to run any command as root. However, some do have specialized setups where one user is allowed to run one or two commands as other regular users. The bug would allow that user to run the commands he is allowed to run as other users as root - which typically means that a root shell is within reach.

GNU/Linux distributions typically come with a simple line in /etc/sudoers which says

%wheel ALL=(ALL) ALL

and that line makes it possible for users in the wheel group to run any command as root. Either a user is in the wheel club where everything is allowed as root or the user isn't. The sudo security issue assign CVE number "CVE-2019-14287 is completely irrelevant to those typical setups which most GNU/Linux distributions have.

Yooa from the popular k-pop group "Oh My Girl".

There are some who use the sudo command in more custom and specialized ways where CVE-2019-14287 may be a total security scandal: If one user is supposed to be able to run one command as other regular users and only other regular users then this bug is a total security nightmare.

Consider this example /etc/sudoers configuration line:

yooa myhost = (ALL) /usr/bin/ls

The above line allows yooa to run the ls as other regular users. It is not supposed to grant yooa the right to run ls as root. However, user yooa can do that if the system has sudo versions prior to 1.8.28 installed. Sudo version 1.8.28, released on October 14th, is fine.

The trick yooa could use in this case is to run sudo with the -u parameter to specify user ID (UID) and the non-valid UID -1 as argument. yooa could run:

sudo -u#-1 ls /root

and get a list of the files within the /root directory.

This trick works in Sudo versions prior to 1.8.28 due to how getresuid and getreuid, which sudo calls, threats -1: They return 0 when -1 or 4294967295 is used as an argument.

You absolutely should upgrade to sudo version 1.8.28 (or newer) if you are using a setup where some user is supposed to be able to run some command as other users but not root. This bug, while serious for those few affected, is likely totally irrelevant to your configuration. You would know if you have specifically configured a setup where this is a potential problem.

It is important to note that there has to be a sudo configuration line in /etc/sudoers which allows users to run commands as other users for this to be even remotely relevant. If there is no such /etc/sudoers configuration, and there isn't unless you specifically set it up line that, then there's no problem.

Sudo's homepage has an article titled Potential bypass of Runas user restrictions with further details.