Sudo bug lets users who are allowed to run commands as another user to run them as root instead
This sudo bug is either very serious or a complete non-issue depending on your use-case. Sudo is typically used to allow one user to run any command as root. However, some do have specialized setups where one user is allowed to run one or two commands as other regular users. The bug allows such a user to run the commands he is allowed to run as other users as root instead, which typically means that a root shell is within reach.
GNU/Linux distributions typically come with a simple line in /etc/sudoers which says

%wheel ALL=(ALL) ALL

and that line makes it possible for users in the wheel group to run any command as root. Either a user is in the wheel club where everything is allowed as root or the user isn't. The sudo security issue assigned the CVE number CVE-2019-14287 is completely irrelevant to those typical setups, which most GNU/Linux distributions have.
[Image: Yooa from the popular k-pop group "Oh My Girl".]
There are some who use the sudo command in more custom and specialized ways where CVE-2019-14287 may be a total security scandal: if one user is supposed to be able to run one command as other regular users, and only as other regular users, then this bug is a total security nightmare.
Consider this example /etc/sudoers configuration line:

yooa myhost = (ALL) /usr/bin/ls

The above line allows yooa to run ls as other regular users. It is not supposed to grant yooa the right to run ls as root. However, user yooa can do that if the system has a sudo version prior to 1.8.28 installed. Sudo version 1.8.28, released on October 14th, is fine.
The trick yooa could use in this case is to run sudo with the -u parameter, which selects the user to run as (the # prefix means a numeric user ID), and give it the invalid UID -1 as its argument. yooa could run:

sudo -u#-1 ls /root

and get a list of the files within the /root directory.
This trick works in sudo versions prior to 1.8.28 due to how getresuid and getreuid, which sudo calls, treat -1: they return 0 when -1 or 4294967295 is used as an argument.
You absolutely should upgrade to sudo version 1.8.28 (or newer) if you are using a setup where some user is supposed to be able to run some command as other users but not root. This bug, while serious for those few affected, is likely totally irrelevant to your configuration. You would know if you have specifically configured a setup where this is a potential problem.
It is important to note that there has to be a sudo configuration line in /etc/sudoers which allows users to run commands as other users for this to be even remotely relevant. If there is no such /etc/sudoers configuration, and there isn't unless you specifically set it up like that, then there's no problem.
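As an added example, not code from the original article or from the sudo project, here is a small Python audit script a sysadmin could use to find out whether this bug concerns their setup. It reads sudoers-style user entries and lists the ones where a non-root user has a Runas list using the ALL keyword (the configuration shape the sudo advisory describes as affected; per that advisory an explicit !root in the list is bypassed too before 1.8.28), compares the installed sudo version string against 1.8.28, and scans sudo log lines for the USER=#-1 / USER=#4294967295 pattern that an attempt of the -u#-1 trick leaves in the log. The sudoers content, version strings and log lines are constructed samples; the parser handles only the plain `user host = (runas) command` form, not User_Alias/Runas_Alias definitions.

```python
import re

# Version that fixed CVE-2019-14287 (from the article).
FIXED_VERSION = (1, 8, 28)

# Constructed sample sudoers content; not taken from any real system.
SAMPLE_SUDOERS = """\
# constructed example file
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
yooa myhost = (ALL) /usr/bin/ls
yooa myhost = (ALL, !root) /usr/bin/ls
bob ALL=(alice, carol) /usr/bin/ls
dave ALL=/usr/bin/systemctl
"""

# Constructed sample syslog lines in sudo's "USER=... ; COMMAND=..." format.
SAMPLE_LOG = [
    "Oct 15 10:01:22 myhost sudo:  yooa : TTY=pts/0 ; PWD=/home/yooa ; USER=#-1 ; COMMAND=/usr/bin/ls /root",
    "Oct 15 10:02:03 myhost sudo:  yooa : TTY=pts/0 ; PWD=/home/yooa ; USER=alice ; COMMAND=/usr/bin/ls /home/alice",
    "Oct 15 10:02:40 myhost sudo:  yooa : TTY=pts/0 ; PWD=/home/yooa ; USER=#4294967295 ; COMMAND=/usr/bin/ls /root",
]

# user host = (runas_users[:runas_groups]) commands
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$"
)
# -1 and 4294967295 are the same 32-bit uid_t value (-1 & 0xFFFFFFFF),
# so both spellings are matched.
BYPASS_UID_RE = re.compile(r"USER=#(?:-1|4294967295)(?:\s|$)")


def parse_entry(raw):
    """Return {'who', 'runas', 'cmds'} for a user-spec line, or None for
    blank, comment and Defaults lines."""
    line = re.sub(r"(^|\s)#(?!\d).*$", "", raw).strip()  # '#123' is a uid, not a comment
    if not line or line.startswith("Defaults") or "=" not in line:
        return None
    m = ENTRY_RE.match(line)
    if m is None:
        # No "(runas)" part: sudo's default Runas user is root, so this
        # entry cannot gain anything from the -1 trick.
        parts = line.split(None, 1)
        if len(parts) < 2:
            return None
        return {"who": parts[0], "runas": ["root"], "cmds": parts[1].split("=", 1)[1].strip()}
    users = m.group("runas").split(":", 1)[0]  # drop the optional group list
    runas = [u.strip() for u in users.split(",") if u.strip()]
    return {"who": m.group("who"), "runas": runas, "cmds": m.group("cmds").strip()}


def find_runas_all(sudoers_text):
    """Entries for non-root users whose Runas list uses ALL. An explicit
    !root in that list is reported rather than skipped, because it does
    not hold before 1.8.28."""
    findings = []
    for raw in sudoers_text.splitlines():
        entry = parse_entry(raw)
        if entry is None or entry["who"] == "root" or "ALL" not in entry["runas"]:
            continue
        root_excluded = "!root" in entry["runas"]
        if entry["cmds"] == "ALL" and not root_excluded:
            continue  # already unrestricted root (the %wheel case); nothing to bypass
        findings.append({**entry, "root_excluded": root_excluded})
    return findings


def version_tuple(version_str):
    """Parse '1.8.27p1' or the 'Sudo version 1.8.28' line of `sudo -V`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if m is None:
        raise ValueError(f"no sudo version in {version_str!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version_str):
    return version_tuple(version_str) >= FIXED_VERSION


def exposure_report(sudoers_text, version_str):
    """Affected entries on an unfixed sudo; empty once 1.8.28 or newer is installed."""
    if is_fixed(version_str):
        return []
    return find_runas_all(sudoers_text)


def find_bypass_attempts(log_lines):
    """Sudo log lines where the requested Runas user was uid -1 / 4294967295."""
    return [line for line in log_lines if BYPASS_UID_RE.search(line)]


if __name__ == "__main__":
    for f in exposure_report(SAMPLE_SUDOERS, "Sudo version 1.8.27p1"):
        print(f"{f['who']} may run {f['cmds']} as root via uid -1 "
              f"(root excluded in sudoers: {f['root_excluded']})")
    for line in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", line)
```

On a real host you would feed it the output of `sudo -V`, the contents of /etc/sudoers and /etc/sudoers.d/*, and the sudo entries from the auth log; the %wheel line is deliberately not reported because those users can already run everything as root, which is exactly the article's point about typical setups.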
Sudo's homepage sudo.ws has an article titled "Potential bypass of Runas user restrictions" with further details.