Sudo bug lets users who are allowed to run commands as another user to run them as root instead

From LinuxReviews

This sudo bug is either very serious or a complete non-issue depending on your use-case. Sudo is typically used to allow one user to run any command as root. However, some do have specialized setups where one user is allowed to run one or two commands as other regular users. The bug allows such a user to run those commands as root instead of as the permitted users, which typically means that a root shell is within reach.

GNU/Linux distributions typically come with a simple line in /etc/sudoers which says

%wheel ALL=(ALL) ALL

and that line makes it possible for users in the wheel group to run any command as root. Either a user is in the wheel group, where everything is allowed as root, or the user isn't. The sudo security issue assigned CVE number CVE-2019-14287 is completely irrelevant to the typical setup most GNU/Linux distributions ship with.

(Image caption: Yooa from the popular k-pop group "Oh My Girl".)

There are some who use the sudo command in more custom and specialized ways where CVE-2019-14287 may be a total security scandal: if one user is supposed to be able to run one command as other regular users, and only as other regular users, then this bug is a total security nightmare.

Consider this example /etc/sudoers configuration line:

yooa myhost = (ALL) /usr/bin/ls

The above line allows yooa to run ls as other regular users. It is not supposed to grant yooa the right to run ls as root. However, user yooa can do exactly that if the system has a sudo version prior to 1.8.28 installed. Sudo version 1.8.28, released on October 14th, is fine.

The trick yooa could use in this case is to run sudo with the -u parameter, which accepts a numeric user ID (UID) after a # sign, and pass the invalid UID -1 as the argument. yooa could run:

sudo -u#-1 ls /root

and get a list of the files within the /root directory.

This trick works in Sudo versions prior to 1.8.28 due to how getresuid and getreuid, which sudo calls, treat -1: they return 0 when -1 or 4294967295 is used as an argument.

You absolutely should upgrade to sudo version 1.8.28 (or newer) if you are using a setup where some user is supposed to be able to run some command as other users but not root. This bug, while serious for those few affected, is likely totally irrelevant to your configuration. You would know if you have specifically configured a setup where this is a potential problem.

It is important to note that for this to be even remotely relevant there has to be a line in /etc/sudoers which allows a user to run commands as other users. If there is no such /etc/sudoers configuration, and there isn't one unless you have specifically set it up like that, then there is no problem.
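As an added example that is not part of the original article, the following POSIX shell script flags sudoers rules of the kind described above (a Runas list of plain ALL combined with a restricted command list) and tells whether a sudo version string predates the fixed 1.8.28 release. The rules it scans are constructed sample lines, not a real /etc/sudoers, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the article: flag sudoers rules whose Runas spec is
# plain "(ALL)" with a restricted command list, the pattern CVE-2019-14287
# turns into root access on sudo < 1.8.28, and compare a version string
# against the fixed release.

# Constructed sample rules (not a real /etc/sudoers).
SAMPLE_RULES='%wheel ALL=(ALL) ALL
yooa myhost = (ALL) /usr/bin/ls
alice ALL = (bob) /usr/bin/cat
# comment line
Defaults env_reset'

# Print every rule whose Runas list is exactly ALL but whose command list is
# not ALL: the user was meant to run a few commands as other users, not root.
# A Runas list naming specific users is not flagged.
affected_rules() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -v '^Defaults' \
      | awk '{
          if (match($0, /\([^)]*\)/)) {
              runas = substr($0, RSTART + 1, RLENGTH - 2)
              rest  = substr($0, RSTART + RLENGTH)
              gsub(/^[ \t]+|[ \t]+$/, "", rest)
              gsub(/[ \t]/, "", runas)
              if (runas == "ALL" && rest != "ALL") print $0
          }
      }'
}

# Succeed (exit 0) when a sudo version such as 1.8.27 or 1.8.27p1 is older
# than 1.8.28; the "p" separator handles patch-level suffixes.
version_is_vulnerable() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | awk -F'[.p]' '{
        v = $1 * 1000000 + $2 * 1000 + $3
        exit !(v < 1008028)
    }'
}

affected_rules "$SAMPLE_RULES"
installed="$(sudo -V 2>/dev/null | awk 'NR == 1 { print $NF }')"
if version_is_vulnerable "$installed"; then
    echo "installed sudo $installed is older than 1.8.28: upgrade"
fi
```

To audit a real system, feed the output of `cat /etc/sudoers /etc/sudoers.d/*` (as root) to affected_rules instead of the sample string.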

Sudo's homepage sudo.ws has an article titled Potential bypass of Runas user restrictions with further details.