Apple security researcher Joe Vennix has found a security bug in the important “sudo” command in Linux.
The sudo command, which is short for “super user do”, is widely used in various Linux distributions to separate administrator-level permissions from ordinary system users.
When installing programs, for instance, you would typically use the sudo command. Using sudo in front of any command or program causes it to be run as the administrator, or “root” user.
The bug that Vennix discovered allows a user to bypass restrictions on which programs they are allowed to run as the root user.
While this is a significant vulnerability, Bleeping Computer notes in its report that most Linux systems will be unaffected by the bug.
Bypassing restrictions on sudo
The sudo command uses a special configuration file called “sudoers”, in which system administrators can set which programs any given user may run as root.
If a user is restricted from using sudo on certain programs, they can bypass the restriction using the bug Vennix discovered.
This is done by passing an unexpected user ID to the sudo command.
In addition to running commands as “root”, sudo may also be used to run commands as any other user on the system, provided you have permission to do so.
Each user on the system is given a unique numeric ID in addition to a name. For example, the root user usually has an ID of 0. If I create a new user called “mybroadband”, it is common practice for it to get an ID of 1000 or larger.
Simply put, sudo -u#1000 whoami will cause the program called “whoami” to be run as the user whose ID is 1000.
If you want to run the program as “root”, you could just leave off the user ID parameter and use sudo whoami. However, if the “sudoers” file blocks you from running a program as root, you will receive an error.
The bug Vennix discovered lets you bypass such restrictions by passing a user ID of -1 or 4294967295 to the sudo command, as follows: sudo -u#-1 whoami.
Version 1.8.28 of sudo fixes this bug.
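To check whether a system has the kind of restriction this bug bypasses, the following added example (not code from the article or from the sudo project) scans sudoers text for rules whose "run as" list allows any user (ALL) while excluding root, which is the configuration that matters on sudo versions before 1.8.28. The function names and the sample sudoers content are constructed for illustration, and the scan assumes a single file: it does not follow include directives.

```python
import re

ROOT_NEGATIONS = {"!root", "!#0"}  # ways a Runas list can exclude root

# Constructed sample sudoers content (not taken from any real system).
SAMPLE = r"""
# constructed sample
Runas_Alias NOTROOT = ALL, !root
bob   myhost = (ALL, !root) /usr/bin/vi
alice ALL = (ALL : ALL) ALL
carol ALL = (NOTROOT) NOPASSWD: \
      /usr/bin/id
dave  ALL = (www-data) /usr/bin/systemctl restart nginx
erin  ALL = (ALL, !#0) /usr/bin/less
"""

def logical_lines(text):
    """Join backslash continuations; drop blank and full-line comment lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def split_list(text):
    """Split a comma-separated sudoers list, normalising '! root' to '!root'."""
    return [re.sub(r"!\s+", "!", i.strip()) for i in text.split(",") if i.strip()]

def risky_rules(sudoers_text):
    """Return rules whose Runas user list grants ALL but negates root."""
    lines = list(logical_lines(sudoers_text))
    aliases = {}
    for line in lines:
        if line.startswith("Runas_Alias"):
            # One line may define several aliases separated by ':'.
            for part in line[len("Runas_Alias"):].split(":"):
                name, _, members = part.partition("=")
                aliases[name.strip()] = split_list(members)
    hits = []
    for line in lines:
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue  # settings and alias definitions are not user rules
        for runas in re.findall(r"\(([^)]*)\)", line):
            users = []
            for item in split_list(runas.split(":")[0]):  # drop the group part
                users.extend(aliases.get(item, [item]))
            if "ALL" in users and ROOT_NEGATIONS & set(users):
                hits.append(line)
                break
    return hits

if __name__ == "__main__":
    for rule in risky_rules(SAMPLE):
        print("review:", rule)
```

Rules like alice's, which already allow running as root, are not flagged because there is no restriction to bypass.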