Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

All it takes is -u#-1 ... Wh%& t#e fsck*?


It's only Monday, and we already have a contender for the bug of the week.

Linux users who are able to run commands as other users, via the sudoer mechanism, though not as the all-powerful root user, can still run commands as root, thanks to a fascinating coding screw-up.

This security vulnerability, assigned CVE-2019-14287, is more interesting than scary: it requires a system to have a non-standard configuration. In other words, Linux computers are not vulnerable by default.

However, if you've set up Sudo in a rather imaginative, and fundamentally insecure, way – letting users run commands as others except root – then you will probably want to pay attention. Because your users can bypass that non-root restriction using -u#-1 on the command line.

The best way to describe the problem is to use an example. Let's say you've set up the user bob as a sudoer on the server mybox so that they can run the text editor Vi as any user except root. You might trust bob to oversee the files and activities of other users, but they're not allowed any superuser access.

Your sudoers file would have the line:

mybox bob = (ALL, !root) /usr/bin/vi

That should allow bob to run Vi as anyone but root. However, if bob runs this command:

sudo -u#-1 vi

That -u#-1 will bypass the above restriction, and run Vi as root for bob. Now bob can change any file on the system. Oops.

This happens because, say, -u#1234 can be used on the command line with Sudo to run the command, Vi in this case, as user ID 1234. This user ID value is passed to the setresuid and setreuid system calls by Sudo to change the effective user ID of the command.

Thus, -u#-1 passes -1 to those calls to change the effective ID to -1. However, these system calls treat -1 as a special case: it means do not change the user ID. And seeing as Sudo runs as root initially, -1 means continue running as root. So, in the above case, Vi runs as root. Also, amusingly, the user ID 4294967295 will bypass the restrictions because, as a signed 32-bit integer, it equals -1.

The lesson here is: do not pass special values to system calls direct from the user – sanitize inputs first.
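To make that lesson concrete, here is an added example (not Sudo's own code) of how a privilege-dropping tool could validate a "#<number>" target-user spec before handing it to setresuid/setreuid: it rejects -1, its unsigned twin 4294967295, and anything else that would not survive the trip into a 32-bit uid_t intact. The function and constant names are assumptions for this illustration.

```c
/* Added example, not Sudo's own code: parse a "#<number>" target-user spec
 * and refuse any value that setresuid()/setreuid() would read as "leave the
 * UID unchanged". Assumes a 32-bit unsigned uid_t, as on Linux. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#define UID_NO_CHANGE ((uid_t)-1)   /* the kernel's "do not change" sentinel */

/* Does this value collapse to the sentinel once stored in a uid_t?
 * -1 does, and so does 4294967295: the same 32 bits, read unsigned. */
int truncates_to_sentinel(long long v)
{
    return (uid_t)v == UID_NO_CHANGE;
}

/* Returns the UID (0 .. UINT_MAX-1) for a well-formed, safe spec, or -1 if
 * it is malformed, negative, out of range or the sentinel. Whether uid 0 is
 * then allowed is policy, the job of the "(ALL, !root)" sudoers rule. */
long long checked_uid(const char *spec)
{
    if (spec == NULL || spec[0] != '#')
        return -1;
    errno = 0;
    char *end;
    long long v = strtoll(spec + 1, &end, 10);
    if (errno != 0 || end == spec + 1 || *end != '\0')
        return -1;                      /* overflow, no digits, or junk */
    if (v < 0)                          /* no account has a negative UID */
        return -1;
    if (v > (long long)UINT_MAX)        /* 4294967296 would wrap to uid 0 */
        return -1;
    if (truncates_to_sentinel(v))       /* 4294967295 == (uid_t)-1 */
        return -1;
    return v;
}

int main(void)
{
    /* -1 in the output means the spec was rejected */
    const char *specs[] = { "#1234", "#-1", "#4294967295", "#4294967296", "#x" };
    for (size_t i = 0; i < sizeof specs / sizeof *specs; i++)
        printf("%-12s -> %lld\n", specs[i], checked_uid(specs[i]));
    return 0;
}
```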

This programming gaffe was found and reported by Joe Vennix of Apple security, and fixed today in Sudo 1.8.28. Update your Linux systems as normal to pick up the patch: a fix was already available for your vulture's preferred distro – Debian, naturally – while writing this piece.

If you're interested, to plug the security hole, Sudo was tweaked to block -1 as a user ID. ®
