Loading
Sudo Axes Escalation Glitch
Among the important benefits of Linux's permission hierarchy is its ability to keep untrusted users from running amok. The all-or-nothing nature of root access, however, can present headaches when users are trusted, but only so far. That is a problem the sudo utility attempts to solve, and does so fairly well — except for the occasional glitch.
A glitch of this sort turned up last week, allowing less-privileged users to skirt around sudo's protections and gain the powers of other users, including the superpowers of root. A vulnerability in sudo's sudoedit pseudo-command (sudo -e) could allow arbitrary command execution by those empowered to use the command. (Users can be granted access to specific abilities like sudoedit, without being assigned full sudo access.) According to sudo's security advisory:
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not begin with a slash ('/'). The flaw is that sudo's the matching code would only check against the list of pseudo-commands if the user-specified command also contained no slashes. As a result, if the user ran "sudo ./sudoedit" the normal matching code path was followed, which uses stat(2) to verify that the user-specified command matches the one in sudoers. In this case, it would compare the "./sudoedit" specified by the user with "sudoedit" from the sudoers file, resulting in a positive match.
The advisory notes that impact of the vulnerability is mitigated by the utility's defaults, however. Exploiting the glitch depends on sudoedit having been enabled in /etc/sudoers — the pseudo-command is not configured by default, rendering most installs impervious to the attack. All versions of sudo from 1.6.9 to 1.7.2p3, the then-stable release, are affected — versions 1.7.2p4 (now superseded by 1.7.2p5) and 1.6.9p21 patch the vulnerability. Mandriva, Red Hat, and Ubuntu have already pushed updated versions out to users.
Interestingly enough, sudo — the creation of SUNY/Buffalo students Cliff Spencer and Bob Coggshall — celebrates its thirtieth anniversary this year. Though it is often associated with sudo-dependent distributions like Ubuntu, which disables the root account entirely, it first appeared in 1980, some eleven years before Linux development began. The utility has been consistently rewritten over its three decades, to the extent that none of its original code remains. More information about sudo and its development can be found on the sudo project website.
______________________
Justin Ryan is a Contributing Editor for Linux Journal.
Webcast
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Sponsored by AMD
White Paper
Private PaaS for the Agile Enterprise
If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.
Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.
Sponsored by ActiveState
- Containers—Not Virtual Machines—Are the Future Cloud
- Non-Linux FOSS: libnotify, OS X Style
- Lock-Free Multi-Producer Multi-Consumer Queue on Ring Buffer
- Linux Systems Administrator
- Validate an E-Mail Address with PHP, the Right Way
- Introduction to MapReduce with Hadoop on Linux
- RSS Feeds
- Weechat, Irssi's Little Brother
- New Products
- Tech Tip: Really Simple HTTP Server with Python
- Poul-Henning Kamp: welcome to
2 hours 3 min ago - This has already been done
2 hours 4 min ago - Reply to comment | Linux Journal
2 hours 49 min ago - Welcome to 1998
3 hours 37 min ago - notifier shortcomings
4 hours 1 min ago - heroku?
5 hours 38 min ago - Android User
5 hours 40 min ago - Reply to comment | Linux Journal
7 hours 33 min ago - compiling
10 hours 22 min ago - This is a good post. This
15 hours 35 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?
Comments
No sudo for me, thanks!
I personally avoid the use of sudo all together in my distro - Archlinux that is.
Call me old school but I much rather prefer to do give a "su -" command as a regular user, fix what it needs to get fixed and get the hell out by doing "su - myusername" or just typing "exit"
It feels simpler and cleaner this way especially in a multiuser enviroment.
101 Tech Tips DVD
I recently purchased it and am having a problem finding the tip shown in the lower left. It would be great if there was a searchable index by subject that when clicked on would take you to the tip. Otherwise good stuff.
Why is there a picture of
Why is there a picture of Kyle Rankin displayed so prominently in an article by Justin Ryan? It's especially strange to see that the picture matches this week's member giveaway. 3-4-10
It's the T-Shirt
That's a "root superhero" t-shirt: sudo ~= root.
Mitch Frazier is an Associate Editor for Linux Journal.
I can't believe I didn't get that
I'm sad to say that went right over my head. Kudos to you, and I apologize if I insulted your integrity or the integrity of LinuxJournal as a whole and thank you very much for the explanation. Double kudos if you intended "~=" to mean approximately equal to!
No Apologies Necessary
It was far from obvious, no apology necessary. And yes "~=" was intended as approximately equal.
Mitch Frazier is an Associate Editor for Linux Journal.
default is secure - good news
I'm glad to hear the default config is secure.
It's good to see the community being open about flaws and fixing them quickly. Another reason to prefer Linux and/or open source! :)