Sudo Vulnerability

Oct 15, 2019

A vulnerability in the sudo package gives sudo users more powers than they deserve.

‘sudo’ is one of the most useful Linux/UNIX commands; it allows users without root privileges to perform administrative tasks. However, a new vulnerability was discovered in the sudo package that gives users root privileges.

“When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295,” according to the sudo advisory.

The vulnerability allows users with sudo privileges to run commands as root even if the Runas specification explicitly disallows root access, as long as the ALL keyword is listed first in the Runas specification.

Sudo developers have already released a patch to fix the vulnerability. Update your systems now.
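To find entries that match the configuration described above (ALL listed first in a Runas specification, with root explicitly excluded), the following added example, which is not part of the original article or of sudo itself, scans sudoers text for such rules. It assumes plain user specification lines; Runas_Alias expansion and included files are not handled, and the sample input is constructed.

```python
import re

# A Runas list is a parenthesised group following "=" or "," in a user spec,
# e.g.  alice ALL = (ALL, !root) /usr/bin/vi
RUNAS_RE = re.compile(r"(?:=|,)\s*\(([^)]*)\)")
ROOT_NEGATIONS = {"!root", "!#0"}  # root excluded by name or by uid


def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    joined = re.sub(r"\\\n", " ", text)
    for raw in joined.splitlines():
        # "#0" (a uid) and "#include" are not comments in sudoers syntax
        line = re.sub(r"#(?!\d|include).*", "", raw).strip()
        if line:
            yield line


def risky_runas_entries(sudoers_text):
    """Return (line, runas_users) where ALL comes first and root is negated."""
    findings = []
    for line in logical_lines(sudoers_text):
        for match in RUNAS_RE.finditer(line):
            users_part = match.group(1).split(":", 1)[0]  # drop Runas groups
            users = [u.strip() for u in users_part.split(",") if u.strip()]
            if users and users[0] == "ALL" and ROOT_NEGATIONS & set(users[1:]):
                findings.append((line, users))
    return findings


# Constructed sample input, not taken from a real system
SAMPLE = """\
# constructed sample sudoers fragment
alice   ALL = (ALL, !root) /usr/bin/vi
bob     ALL = (ALL, !#0 : ALL) NOPASSWD: /usr/bin/id
carol   ALL = (www-data) /usr/bin/systemctl restart nginx
dave    ALL = (ALL) ALL
erin    ALL = \\
        (ALL,!root) /usr/bin/less
"""

if __name__ == "__main__":
    for line, users in risky_runas_entries(SAMPLE):
        print("review:", line, "->", users)
```

Rules flagged this way rely on the root exclusion as a security boundary, so hosts carrying them are the ones to prioritize for the sudo update.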
