Админим с Буквой
A channel about system administration, DevOps and a bit of infosec.

For any questions contact @bykva. I do not place advertising.
⚡️Vulnerability in sudo⚡️

Package: sudo
CVE ID: CVE-2019-14287
Debian Bug 942322

Joe Vennix discovered that sudo, a program designed to provide limited super user privileges to specific users, when configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, allows commands to be run as root by specifying the user ID -1 or 4294967295. This could allow a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access.

Details can be found in the upstream advisory at https://www.sudo.ws/alerts/minus_1_uid.html .

For the oldstable distribution (stretch), this problem has been fixed in version 1.8.19p1-2.1+deb9u1.

For the stable distribution (buster), this problem has been fixed in version 1.8.27-1+deb10u1.

A short example

If sudoers contains something like

myhost bob = (ALL, !root) /usr/bin/vi

which lets user bob run the editor as any user except root, that restriction can be bypassed:

bob:~$ sudo -u#-1 vi -c '!bash -c id -u'
0
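As an added defensive check (my own example, not part of the original post or of the sudo project), the script below scans a sudoers file for Runas specifications of the "ALL minus root" shape that this bug defeats, and compares an upstream sudo version against 1.8.28, the release that carries the fix. The sudoers sample is constructed, the line matcher is a simplification of sudo's real grammar (no line continuations, no Runas_Alias expansion), and distribution packages such as Debian's 1.8.27-1+deb10u1 backport the fix, so their changelog is the authority rather than the version comparison.

```python
import re
from typing import List, Tuple

# Simplified sudoers user-spec matcher:  user host = (runas_users[:runas_groups]) command
_USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmd>.+)$"
)

def runas_allows_all_but_root(runas: str) -> bool:
    """True for Runas user lists such as 'ALL, !root' or 'ALL, !#0': ALL with root
    excluded only by negation, the pattern the -1 / 4294967295 uid trick bypasses."""
    users = runas.split(":", 1)[0]                       # drop the runas-group part
    items = [u.strip() for u in users.split(",") if u.strip()]
    has_all = "ALL" in items
    denies_root = any(u in ("!root", "!#0") for u in items)
    return has_all and denies_root

def find_bypassable_runas(sudoers_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, runas_spec, full_line) for every user spec whose Runas list
    is 'ALL minus root'. Comments, Defaults and alias definitions are skipped."""
    findings = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if line.split()[0].endswith("_Alias"):           # User_/Runas_/Host_/Cmnd_Alias
            continue
        m = _USER_SPEC.match(line)
        if m and m.group("runas") and runas_allows_all_but_root(m.group("runas")):
            findings.append((n, m.group("runas"), line))
    return findings

def sudo_upstream_is_fixed(version: str) -> bool:
    """Upstream fixed CVE-2019-14287 in sudo 1.8.28; compare 'X.Y.Z[pN]' numerically."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version}")
    return tuple(int(x or 0) for x in m.groups()) >= (1, 8, 28, 0)

# Constructed sample sudoers file for this example (line 4 is the post's own rule).
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
Cmnd_Alias EDITORS = /usr/bin/vi, /usr/bin/nano
myhost bob = (ALL, !root) /usr/bin/vi
alice  ALL = (ALL:ALL) ALL
carol  ALL = (ALL, !#0) EDITORS
dave   ALL = (www-data) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for line_no, runas, line in find_bypassable_runas(SAMPLE_SUDOERS):
        print(f"line {line_no}: ({runas}) is bypassable on sudo < 1.8.28: {line}")
```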

#security #sudo