News broke today of a new security vulnerability in sudo, a widely used Linux/BSD/Unix utility that allows regular users to execute commands with elevated privileges.
Typically, a user may need elevated (root) privileges to perform some command on the system, so the system administrator configures sudo to allow that user the ability to run one (or a set) of commands. If you are not listed in the /etc/sudoers file, you have no access to sudo, and if you are, you have access only to commands you’ve been permitted to use.
The new vulnerability means that any user can elevate his privileges to root using a carefully crafted arguments to one of sudo’s programs (sudoedit) – even if the user is not listed in /etc/sudoers!
If you’re the only user on your system (i.e., a personal VPS) you are probably not immediately affected because the user must be logged in with a shell to use sudo. However, you should still update. If you run a system where you have many users and use sudo, you must update immediately (to version 1.9.5p2).
(As is often the case, the only major Unix-like OS that is not affected is OpenBSD, which ditched sudo in favor of its homegrown utility, doas, back in 2015 due to security concerns with sudo.)
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
- cPanel VPS Licenses for Only $4.00/Month!Dedicated for Only $4.50/Month!But There’s One Important Detail… - April 18, 2024
- Gloo.top – a Cool LowEndTalk Member Link Shortener You Should Check Out! - April 18, 2024
- Setup a Highly Available WordPress Site From Scratch, 2024 Edition!Part 7: Round-Robin DNS, Let’s Encrypt, & Conclusion - April 17, 2024
Nice! Thanks for the info!
Very nice, OpenBSD :)
How does one actually update sudo? (say, on a Ubuntu system)
Thanks for sharing Andrew!
Glad I’m subscribed to LowEndBox on Facebook. I’m not a systems admin but it’s important to know stuff like this.