Linux security hole: Much sudo about nothing

Yes, the sudo command has a security bug. But, in the real world, it's hard to see how it could be used against you.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

There's a lot of hubbub out there now about a security hole in the Unix/Linux family's sudo command. Sudo is the command that enables normal users to run commands as if they were the root user, aka the system administrator. While this sudo security vulnerability is a real problem and needs patching, it's not nearly as bad as some people make it out to be.

At first glance the problem looks like a bad one. With it, a user who is allowed to use sudo to run commands as any other user, except root, can still use it to run root commands. For this to happen, several things must be set up just wrong. 

First, the sudoers configuration must give a user the right to use sudo but not the privilege of running root commands with it. That can happen when you want a user to be able to run specific commands that they wouldn't normally be able to use. Next, sudo must be configured to allow that user to run commands as an arbitrary user via the ALL keyword in a Runas specification.

The last has always been a stupid idea. As the sudo manual points out, "using ALL can be dangerous since in a command context, it allows the user to run any command on the system." In all my decades of working with Linux and Unix, I have never known anyone to set up sudo with ALL. 

That said, if you do have such an inherently broken system, it's then possible to run commands as root by specifying the user ID -1 or 4294967295. Thus, if the ALL keyword is listed first in the Runas specification, an otherwise restricted sudo user can then run root commands.
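As an added example, not code from the article, here is a small POSIX shell audit that flags the sudoers shape described above, a Runas list that leads with ALL and then excludes accounts with "!", beside the safer form that simply names the accounts a user may become. The sudoers text it checks is constructed for the demo.

```shell
# Added example: audit sudoers text for Runas lists that lead with ALL and then
# carve out exceptions with "!", e.g. "(ALL, !root)". The sample files are
# constructed for this demo and do not describe any real system.

# Print non-comment lines whose Runas list starts with ALL and contains a "!"
# exclusion. Exit status is 0 if any were found, 1 otherwise (grep semantics).
find_runas_all_except() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" \
      | grep -E '\([[:space:]]*ALL[[:space:]]*,[^)]*!'
}

# Count such lines; prints 0 when there are none.
count_runas_all_except() {
    n=$(find_runas_all_except "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Constructed sudoers with the risky pattern: bob may become "anyone but root".
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not a real configuration
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
# risky: "any user except root" is what the uid -1 / 4294967295 trick bypasses
bob     ALL=(ALL, !root) /usr/bin/vi
EOF

# Constructed hardened version: name the target accounts instead of ALL-minus-root.
HARDENED_SUDOERS=$(mktemp)
cat > "$HARDENED_SUDOERS" <<'EOF'
# constructed sample, not a real configuration
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
bob     ALL=(www-data, postgres) /usr/bin/vi
EOF

echo "risky Runas entries in sample:   $(count_runas_all_except "$SAMPLE_SUDOERS")"
echo "risky Runas entries in hardened: $(count_runas_all_except "$HARDENED_SUDOERS")"
find_runas_all_except "$SAMPLE_SUDOERS"
```

Run it against a copy of a real /etc/sudoers (and the files under /etc/sudoers.d) to list any entries worth rewriting; a count of 0 means the pattern the article describes is absent.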

Scary? Not really. It's pretty much a useless vulnerability. It can only mess you over if you have a fouled-up sudo installation and the attacker is already a sudo user.

As Yanick Fratantonio, a security expert and assistant professor at EURECOM, tweeted, "this sudo bug thingy is being extremely overhyped. I mean, it's a cool bug, but it seems relevant only in very very specific situations." 

And those, I might add, are ones you may never see in your Linux system administration life. That said, you should still patch sudo. Even unlikely bugs can still bite you. Patches should soon be available in all Unix and Linux distributions.
