Major security flaw discovered in Linux sudo command

It's not a security flaw. You have to intentionally bypass the restriction.
 
> It's a user workaround. You need access to the machine and can't just take over someone's pc.
It may not be a remote exploit in itself, but it allows other user-level remote exploits to elevate privileges to root.
Also, many machines are shared machines, where not all users should have access to root.

It's not a workaround, it is a gaping hole.


The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don't exist in the password database, either, so the command won't require a password to use.
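The paragraph above describes the mechanism but not why -1 and 4294967295 collapse into the same thing. The following C program is an added example, not code from the article or from the sudo project: it shows that both spellings produce the bit pattern (uid_t)-1, that setreuid(2) treats that value as "leave the ID unchanged" (which, inside a setuid-root program, means "stay root"), and how a strict parser refuses it. It assumes a 32-bit unsigned uid_t (true on Linux). The parser names, the audit helper and the log line are my own constructions; the "USER=#<id>" field shape is an assumption modelled on sudo's syslog entries, not a quoted real log.

```c
/* Added example, not code from the article or from the sudo project.
 * Assumption: uid_t is an unsigned 32-bit type, so -1 and 4294967295 are the
 * same bit pattern, (uid_t)-1. That value is also the sentinel that
 * setreuid(2)/setresuid(2) read as "leave this ID unchanged". A setuid-root
 * program that accepts it as the target user asks the kernel to change
 * nothing and keeps running as root, while its log still records the ID the
 * caller typed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Lenient parser in the spirit of the flawed behaviour: any integer that
 * fits is accepted and cast, so "-1" silently becomes (uid_t)-1. */
static bool parse_uid_lenient(const char *s, uid_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);          /* skips leading blanks */
    if (errno != 0 || end == s || *end != '\0')
        return false;
    if (v < -1 || v > (long long)(uid_t)-1)
        return false;
    *out = (uid_t)v;                             /* -1 wraps to 4294967295 */
    return true;
}

/* Strict parser: digits only, in range, and never the sentinel value. */
static bool parse_uid_strict(const char *s, uid_t *out)
{
    /* strtoull() skips leading blanks and accepts a '-' sign (negating the
     * result), so insist on a leading digit before calling it. */
    if (!isdigit((unsigned char)s[0]))
        return false;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return false;
    /* (uid_t)-1 is the "no change" sentinel for setreuid(2); refuse it. */
    if (v >= (unsigned long long)(uid_t)-1)
        return false;
    *out = (uid_t)v;
    return true;
}

/* Wrappers for checks: the parsed value, or -1 when the input is rejected.
 * (-1 is unambiguous: an accepted sentinel would read 4294967295.) */
static long long lenient_value(const char *s)
{
    uid_t u = 0;
    return parse_uid_lenient(s, &u) ? (long long)u : -1;
}
static long long strict_value(const char *s)
{
    uid_t u = 0;
    return parse_uid_strict(s, &u) ? (long long)u : -1;
}

/* Kernel-side meaning of the sentinel: setting both IDs to (uid_t)-1
 * succeeds for any user and changes nothing. In a setuid-root process
 * "nothing" means "still root". */
static bool sentinel_leaves_uid_unchanged(void)
{
    uid_t before = getuid();
    if (setreuid((uid_t)-1, (uid_t)-1) != 0)
        return false;
    return getuid() == before;
}

/* Audit helper: flag a log entry whose target user is the sentinel. The
 * "USER=#<id>" shape is an assumption modelled on sudo's syslog format. */
static bool log_line_targets_sentinel(const char *line)
{
    return strstr(line, "USER=#-1 ") != NULL ||
           strstr(line, "USER=#4294967295 ") != NULL;
}

int main(void)
{
    const char *inputs[] = { "0", "1000", "-1", "4294967295", " -1", "12x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s lenient: %lld   strict: %lld   (-1 = rejected)\n",
               inputs[i], lenient_value(inputs[i]), strict_value(inputs[i]));
    printf("setreuid(-1,-1) left uid unchanged: %s\n",
           sentinel_leaves_uid_unchanged() ? "yes" : "no");
    /* Constructed log line, not captured from a real system. */
    const char *sample = "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; "
                         "USER=#-1 ; COMMAND=/bin/ls";
    printf("sample log line flagged: %s\n",
           log_line_targets_sentinel(sample) ? "yes" : "no");
    return 0;
}
```

The lenient parser also accepts " -1", because strtoll() skips leading whitespace; the strict one rejects anything that does not start with a digit, caps the range below the sentinel, and so cannot be talked into (uid_t)-1 by any spelling. Note that the article's remark that the real user ID still lands in the log is what makes the audit helper useful after the fact.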
 
> It may not be a remote exploit in itself, but it allows other user-level remote exploits to elevate privileges to root.
> Also, many machines are shared machines, where not all users should have access to root.
>
> It's not a workaround, it is a gaping hole.
>
> The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don't exist in the password database, either, so the command won't require a password to use.
You need access to it in the first place. Giving someone access is the first major gaping hole. Thereafter everything else is irrelevant. The first rule is there are no protections against users' own actions. If I have a bootable USB drive I can bypass any user level restrictions you put up in any case.
 
> You need access to it in the first place. Giving someone access is the first major gaping hole. Thereafter everything else is irrelevant. The first rule is there are no protections against users' own actions. If I have a bootable USB drive I can bypass any user level restrictions you put up in any case.
Nonsense.

Firstly, not all users have physical access to a machine. Secondly, hard drives can be encrypted, rendering the USB boot useless.

Privilege separation on multi-user systems exists precisely because there is a need to give differing users non-administrative access to a machine. They should not be able to elevate their privileges.

You've obviously never worked in IT in any position of responsibility.
 
Doesn't it ask you for a password running as a different ID?

Sorry I'm not close to a linux box with power. XD
 
> Yeah that's kinda bad. SSH for non-admins?
Never used a shared shell server?
Or even a dedicated server with an application team that needs access to admin their apps (but not root, cos they're fkn devs and should be locked in a windowless basement)
 
> Never used a shared shell server?
> Or even a dedicated server with an application team that needs access to admin their apps (but not root, cos they're fkn devs and should be locked in a windowless basement)

I have limited experience in secure shell on Linux. I'm asking if it restricts you running ID-specific when running a shared shell server?

It's stuff like the above that makes me not trust running crucial infrastructure on open source software. A few years back I wanted to dabble with Samba server as an AD replacement and this just indicates it's a bad idea.
 
> I have limited experience in secure shell on Linux. It's stuff like the above that makes me not trust running crucial infrastructure on open source software. A few years back I wanted to dabble with Samba server as an AD replacement and this just indicates it's a bad idea.
For context, at work I currently have access to about 1000 servers.
I do not have root on any of them.
This exploit would allow me to have root on most of them, which is definitely a bad thing from an audit and governance point of view.

Open source is not all bad - look how quickly this was patched after it was discovered. On a closed source system, would it even have been openly reported, never mind patched within hours? Open source doesn't mean less competent coders - it means MORE code scrutiny which means more chance of holes being discovered quickly and fixed quickly.
 
> For context, at work I currently have access to about 1000 servers.
> I do not have root on any of them.
> This exploit would allow me to have root on most of them, which is definitely a bad thing from an audit and governance point of view.
>
> Open source is not all bad - look how quickly this was patched after it was discovered. On a closed source system, would it even have been openly reported, never mind patched within hours? Open source doesn't mean less competent coders - it means MORE code scrutiny which means more chance of holes being discovered quickly and fixed quickly.

But it consists of guys like you :) using the exploit rather than reporting it, which is pretty much an obligation in organisations such as Microsoft since it's their product.
 
> Never used a shared shell server?
> Or even a dedicated server with an application team that needs access to admin their apps (but not root, cos they're fkn devs and should be locked in a windowless basement)
:ROFL: Now now, think about all of those DevSecOps dudes :ROFL:
 