News broke today of a new security vulnerability in sudo, a widely used Linux/BSD/Unix utility that allows regular users to execute commands with elevated privileges.
Typically, a user may need elevated (root) privileges to perform some command on the system, so the system administrator configures sudo to allow that user the ability to run one (or a set) of commands. If you are not listed in the /etc/sudoers file, you have no access to sudo, and if you are, you have access only to commands you’ve been permitted to use.
The new vulnerability means that any user can elevate his privileges to root using a carefully crafted arguments to one of sudo’s programs (sudoedit) – even if the user is not listed in /etc/sudoers!
If you’re the only user on your system (i.e., a personal VPS) you are probably not immediately affected because the user must be logged in with a shell to use sudo. However, you should still update. If you run a system where you have many users and use sudo, you must update immediately (to version 1.9.5p2).
(As is often the case, the only major Unix-like OS that is not affected is OpenBSD, which ditched sudo in favor of its homegrown utility, doas, back in 2015 due to security concerns with sudo.)
Related Posts:
- Merry Christmas from LowEndBox! - December 25, 2024
- We are Social Butterflies!Check Us Out Wherever You Browse, View, or Tap! - December 23, 2024
- Let’s Celebrate the Winter Solstice with Awesome Deals and a Free Bonus Code for RackNerd’s Giveaway! - December 22, 2024
Nice! Thanks for the info!
Very nice, OpenBSD :)
How does one actually update sudo? (say, on a Ubuntu system)
Thanks for sharing Andrew!
Glad I’m subscribed to LowEndBox on Facebook. I’m not a systems admin but it’s important to know stuff like this.