Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted

Discussion in 'all things UNIX' started by mood, Oct 14, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,857
    Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted
    October 14, 2019
    https://thehackernews.com/2019/10/linux-sudo-run-as-root-flaw.html
    Sudo: Potential bypass of Runas user restrictions
     
  2. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,881
    Location:
    Stockholm Sweden
    Kubuntu patched it yesterday.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,198
    Huh, I'm almost sure that I've seen this before. Quite some time ago. Months, at least.

    But whatever. Debian doesn't install sudo by default. And as I recall, never has.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,845
    So did Arch Linux, of course ;)
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,845
    Here's an article from The Register that sorts things out:

     
  6. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,857
    Buffer Overflow In Older Sudo Versions Could Be Used To Get Root On Elementary, Linux Mint
    February 2, 2020
    https://linuxreviews.org/Buffer_Ove...Be_Used_To_Get_Root_On_Elementary,_Linux_Mint
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,083
    Location:
    Member state of European Union
    Yet another flaw in sudo? No wonder OpenBSD wrote the doas command and replaced sudo with it.
     
  8. chrisretusn

    chrisretusn Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    1,417
    Location:
    Philippines
    I don't view this as a serious flaw. While pwfeedback is a default setting in some Linux distributions, it is not the default upstream or in Slackware. That, and Slackware64-current, at least, has been on 1.8.27 since Jan 2019. Slackware is now on 1.8.31.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,198
    Debian doesn't use sudo, by default. Just su.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    1,184
    Have sudo version 1.8.21p2
    Says user may run the following commands on xxxxx...
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/lib/linuxmint/mintUpdate/checkAPT.py
     
  11. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    27,857
    Ubuntu-based elementary OS 5.1.2 Hera update fixes dangerous Linux sudo bug
    February 9, 2020
    https://betanews.com/2020/02/09/elementary-os-sudo-linux/
     