Sudo Axes Escalation Glitch
Among the important benefits of Linux's permission hierarchy is its ability to keep untrusted users from running amok. The all-or-nothing nature of root access, however, can present headaches when users are trusted, but only so far. That is a problem the sudo utility attempts to solve, and does so fairly well — except for the occasional glitch.
A glitch of this sort turned up last week, allowing less-privileged users to skirt around sudo's protections and gain the powers of other users, including the superpowers of root. A vulnerability in sudo's sudoedit pseudo-command (sudo -e) could allow arbitrary command execution by those empowered to use the command. (Users can be granted access to specific abilities like sudoedit, without being assigned full sudo access.) According to sudo's security advisory:
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not begin with a slash ('/'). The flaw is that sudo's the matching code would only check against the list of pseudo-commands if the user-specified command also contained no slashes. As a result, if the user ran "sudo ./sudoedit" the normal matching code path was followed, which uses stat(2) to verify that the user-specified command matches the one in sudoers. In this case, it would compare the "./sudoedit" specified by the user with "sudoedit" from the sudoers file, resulting in a positive match.
The advisory notes that impact of the vulnerability is mitigated by the utility's defaults, however. Exploiting the glitch depends on sudoedit having been enabled in /etc/sudoers — the pseudo-command is not configured by default, rendering most installs impervious to the attack. All versions of sudo from 1.6.9 to 1.7.2p3, the then-stable release, are affected — versions 1.7.2p4 (now superseded by 1.7.2p5) and 1.6.9p21 patch the vulnerability. Mandriva, Red Hat, and Ubuntu have already pushed updated versions out to users.
Interestingly enough, sudo — the creation of SUNY/Buffalo students Cliff Spencer and Bob Coggshall — celebrates its thirtieth anniversary this year. Though it is often associated with sudo-dependent distributions like Ubuntu, which disables the root account entirely, it first appeared in 1980, some eleven years before Linux development began. The utility has been consistently rewritten over its three decades, to the extent that none of its original code remains. More information about sudo and its development can be found on the sudo project website.
Justin Ryan is a Contributing Editor for Linux Journal.
|NTPsec: a Secure, Hardened NTP Implementation||Mar 30, 2017|
|SUSE Linux Enterprise High Availability Extension||Mar 29, 2017|
|Hybrid Cloud Storage Delivers Performance and Value||Mar 29, 2017|
|smbclient Security for Windows Printing and File Transfer||Mar 28, 2017|
|How to Calculate Flash Storage TCO||Mar 27, 2017|
|Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!||Mar 27, 2017|
- NTPsec: a Secure, Hardened NTP Implementation
- smbclient Security for Windows Printing and File Transfer
- Hybrid Cloud Storage Delivers Performance and Value
- SUSE Linux Enterprise High Availability Extension
- Returning Values from Bash Functions
- Non-Linux FOSS: Don't Drink the Apple Kool-Aid; Brew Your Own!
- William Rothwell and Nick Garner's Certified Ethical Hacker Complete Video Course (Pearson IT Certification)
- HOSTING Monitoring Insights
- Three EU Industries That Need HPC Now
- Hodge Podge