back to article Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

It's only Monday, and we already have a contender for the bug of the week. Linux users who are able to run commands as other users, via the sudoer mechanism, though not as the all-powerful root user, can still run commands as root, thanks to a fascinating coding screw-up. This security vulnerability, assigned CVE-2019-14287, …

  1. Ian 55

    I suspect that most didn't even know it was an option

    Be interesting to know how many people did have sudo set up like that.

    1. IceC0ld

      Re: I suspect that most didn't even know it was an option

      I can imagine it to be x -1 now though :o)

      1. Anonymous Coward
        Anonymous Coward

        Re: I suspect that most didn't even know it was an option

        OR n - 1

      2. junglesnot

        Re: I suspect that most didn't even know it was an option

        I thought root -1 was imaginary anyway.

        1. Stevie

          Re: I suspect that most didn't even know it was an option

          Only if you are root.

          1. Siberian Hamster

            Re: I suspect that most didn't even know it was an option

            I am -g root!

    2. Trixr

      Re: I suspect that most didn't even know it was an option

      Not uncommon in the enterprise. DBAs sudoing to "oracle", for example, if they want to do upgrades or something low-level.

      1. doublelayer Silver badge

        Re: I suspect that most didn't even know it was an option

        However, that usually allows a user to sudo to only one user, I.E. whitelisting rather than blacklisting IDs. I haven't read the details, but it sounds as if that configuration would have prevented this attack.

      2. redwine

        Re: I suspect that most didn't even know it was an option

        That sudo scenario would likely be to allow a user to run commands as another specific user, not allowing a user to run commands as any user except root.

    3. Warm Braw

      Re: I suspect that most didn't even know it was an option

      I had the misfortune to have to scratch the surface of sudo configuration recently, and there's a lot of stuff most people are probably unaware of, it certainly surprised me.

      Sudo is really a terrible hack to get around the fact that by default Unix doesn't have a permissions system for things other than devices and files, so the granularity of privileged access is basically YES/NO. It's not how security should be done. Given the growing number of permissions and controls for containers perhaps there's hope for the future.

      1. teknopaul

        Re: I suspect that most didn't even know it was an option

        SELinux gives you more than the basic unix system.

        1. Robert Helpmann??
          Childcatcher

          Re: I suspect that most didn't even know it was an option

          SELinux gives you more than the basic unix system

          It should also be noted that there is a SEAndroid module adding similar functionality for Android devices.

        2. Warm Braw

          Re: I suspect that most didn't even know it was an option

          SELinux gives you more than the basic unix system

          SELinux is rather like having both a hand grenade and a dog to protect you from intruders: at the critical moment you don't know which to deploy for the best and you can't use both because the dog is a retriever. After the event, though, a handy auditing tool will tell your next of kin what you should have done.

      2. Psmo
        Linux

        Re: I suspect that most didn't even know it was an option

        ssshhSSSHHHHHHH

        THERE ARE NO SECURITY HOLES IN *NIX SYSTEMS.

        THE ONES WE PUT THERE DELIBERATELY DON'T COUNT.

        Still with granular controls, security would be greatly enhanced.

        NO NOT THE DEVOPS PENG...NO CARRIER

      3. ercoloid

        Re: I suspect that most didn't even know it was an option

        You're dead right, sudo is a terrible hack. Widespread because *Linux* doesn't have a privilege delegation model worth talking about. Solaris on the other hand has a very comprehensive privilege delegation model based on its RBAC system. So it is extremely simple for non-root processes to be granted the privilege to open privileged ports for example or start/stop system services without ever becoming or running as root. Unfortunately these "Enterprise" features have never made it into Linux which is still a developer-centric platform focused on audio and desktops to try and woo developers off Windows. Shame Solaris has no future.

    4. redwine

      Re: I suspect that most didn't even know it was an option

      Update sudo of course, but I can't think of any real world scenarios where this specific configuration would be used.

      1. Tom 7

        Re: I suspect that most didn't even know it was an option

        It never ceases to amaze me what ingenuity people show when trying to do things while avoiding reading up on security properly. My excuse was no-one ever showed me the the 'how to do security properly' manual with enough authority for me to believe it was THE real manual.

    5. Mage Silver badge
      Happy

      Re: I suspect that most didn't even know it was an option

      Patch arrived on Linux Mint Update 1st thing this morning. No reboot needed, as usual.

    6. bombastic bob Silver badge
      Unhappy

      Re: I suspect that most didn't even know it was an option

      I don't (thankfully)

      if I need to allow -u someuser I'll put it in the sudoers[.d] definition. Occasionally I do though, for customer projects even. NO '!root' or anything similar either, I require explicit exact command matches! It makes the sudoers config file longer, but so what. It's anal retentive, but so what. Being anal retentive on security helps to prevent *this* sort of thing...

      worth pointing out the 'pi' user on Raspbian has global sudo 'no password' access to EVERYTHING. Just sayin'. It's for convenience, of course, but if you do NOT change the 'pi' password, very VERY insecure.

  2. b0llchit Silver badge
    Thumb Up

    Printer copy limitation

    That reminds me of a funny bug in my old Uni's PrimeOS machine (from ancient history). There were only three or five print jobs allowed per semester. However, the printer command had a # of copies option, which, of course, used a signed integer as argument. Therefore, using -1 copies would give you one more job to print :-)

  3. G R Goslin

    As a ex sys-admin....

    I steer well away from any sudo function, as well as any Linux distro which claims not to have or need a Root function. As far as I'm aware, it's use is allow users to wield powers that root has, in order to load software, build the operating system, etc. I consider this to be absolutely the stupidest thing one can do. Having seen the catastrophes that users can do with normal user powers, the very last thing you need from a user is the ability to destroy the whole setup.In my day, the root password was the most guarded asset the system had, and was kept a long, long way fro the users.

    1. Skymonrie

      Re: As a ex sys-admin....

      For me, the whole point of it on production systems is to restrict control to certain processes that would otherwise require some form of god mode, which is even worse...

      Want to let a user do some very basic management on Nginx but, nothing else? The following is relatively harmless and makes remote management a bit safer

      # /etc/sudoers.d/nginx_knobby

      knobby ALL=NOPASSWD: /bin/systemctl restart nginx

      knobby ALL=NOPASSWD: /bin/systemctl start nginx

      1. jake Silver badge

        Re: As a ex sys-admin....

        $ file /bin/systemctl

        /bin/systemctl: cannot open `/bin/systemctl' (No such file or directory)

        $

        1. Anonymous Coward Silver badge
          Happy

          Re: As a ex sys-admin....

          As he said, relatively harmless.

        2. Jay 2

          Re: As a ex sys-admin....

          A server not infested with systemd then possibly? So instead of systemctl use whatever command your distro provides for service manipulation.

          1. cbars Bronze badge

            Re: As a ex sys-admin....

            methinks jake was having a little dig at Poettering.....

        3. bombastic bob Silver badge
          Meh

          Re: As a ex sys-admin....

          yeah I don't have systemctl either on most of my systems and/or VMs. One or two unfortunately do...

      2. katrinab Silver badge
        Alert

        Re: As a ex sys-admin....

        Your computer is infected with systemd. That can in no way be described as harmless.

      3. bombastic bob Silver badge
        Thumb Up

        Re: As a ex sys-admin....

        nice example of explicit permissions and command filtering

    2. redwine

      Re: As a ex sys-admin....

      As a current sys-admin, I deploy sudo for various teams across my Linux estates to great advantage.

    3. nematoad

      Re: As a ex sys-admin....

      I agree with your opinion of sudo. It is the equivalent of leaving your front door key under the mat.

      As it happens I use PCLinuxOS and Texstar holds even stronger views on the misuse of sudo and will not allow it near the distro, With su you have greater control over who can run as root and surely that must be a good thing.

      Though looking at the downvotes not a lot of people agree.

      1. cbars Bronze badge

        Re: As a ex sys-admin....

        "It is the equivalent of leaving your front door key under the mat"

        Hmm.... More like, but not exactly the same as dividing your house up into multiple flats, and giving different people keys to their flats, with none of them getting access to the electricity/plumbing/utilities cupboard. A pretty good idea really, if you don't want to have to go and cook all their meals and do their washing, let them come and go as they please to non critical areas.

      2. Phil O'Sophical Silver badge

        Re: As a ex sys-admin....

        With su you have greater control over who can run as root and surely that must be a good thing.

        With su you have next to no control, anyone who knows the root password can do anything, and you have no idea which actual user did it. No-one but the admin should have that password.

        With sudo you can specify that user "x" can do speciific thing "y" as root, and only that. It also logs the fact that user 'x" did it. Far more secure in all respects.

        Though looking at the downvotes not a lot of people agree

        That's because they know how sudo works.

        1. Anonymous Coward
          Big Brother

          Re: As a ex sys-admin....

          No-one but the admin should have that password.

          That password should be (a) randomly generated, (b) kept in some secure place, with a mechanism which ensures that if it is ever extracted from that secure place for use it is replaced by a new randomly-generated password.

          1. bombastic bob Silver badge
            Devil

            Re: As a ex sys-admin....

            anyone with explicit access to the computer can boot up a CD/DVDROM Linux, chroot to the hard drive root [after properly mounting], and run passwd as root to reset things to whatever you want. Or, remove the hard drive, attach a USB-SATA adaptor to it, plug into "hacker laptop", switch to root, mount things, and reset the root password [using one of several methods].

            SO randomly generated root passwords are ok I suppose, but there are limits to which any root password can be guarded like that.

            better to just be safe, moderaly cryptic, limit who can access the computer [especially remotely] to avoid dictionary-based attacks, explicitly deny root logins via ssh, and so on.

    4. TheVogon

      Re: As a ex sys-admin....

      The whole concept of root is a broken model though. You should be able to assign administration accounts only the rights actually needed in a "JEA security" type model.

      1. really_adf

        Re: As a ex sys-admin....

        You should be able to assign administration accounts only the rights actually needed in a "JEA security" type model.

        Err, that is literally exactly what sudo does (bugs aside). Its configuration says which users can do which things as which users. Such as "members of this (administrative) group may stop/start this service".

      2. bombastic bob Silver badge
        Devil

        Re: As a ex sys-admin....

        FYI - group membership and creative use of sudo config can do what you mentioned, I bet...

        (there are many examples in the sudo docs of using group membership for sudo command filtering)

    5. bombastic bob Silver badge
      WTF?

      Re: As a ex sys-admin....

      I'd downvote you but for the fact you've currently got 42 downvotes.

      'su' and 'sudo' are EXTREMELY important if you use ssh - you do NOT want to be able to ssh in and log in as root DIRECTLY. You just don't.

      And how ELSE can you remote-admin a system without su and sudo ????

      In FreeBSD there's one more restriction: you have to be a member of the 'wheel' group to su to root. So on my system you must ssh in as a very non-priv user, with a cryptic name. THEN you have to su to something in 'wheel' first, to be able to su to root.

      And no sudo access for that user, either. And no root logins via ssh. su twice to get to root.

      1. ds6 Silver badge

        Re: As a ex sys-admin....

        And how ELSE can you remote-admin a system without su and sudo ????

        doas

        :-]

        As a luser that grew up on FreeBSD, I have wheel set up for all my sudo rules.

  4. jake Silver badge

    Already patched in Slackware.

    Thanks for the tip, ElReg.

    (A quick eyeball of the systems I maintain show that none of them need the patch, as I expected ... Either I trust you with root, or you're stuck in your own little world with no need to edit the files of other users. I suspect that any greater granularity is lazyness on the part of the admin, or fuzzy-headed management making rules for dummies again.)

    1. Graham Cobb Silver badge

      Re: Already patched in Slackware.

      I suspect that any greater granularity is lazyness on the part of the admin

      Not completely. I also only let su (with root password) access root. However a very restricted sudo is useful for allowing some users to run something I don't trust (for example, closed source software) as another user which does not have any access to their files (groups are used for access the other way so the user can communicate with the untrusted app).

      However, as that names the specific user to use for the untrusted app it doesn't fall into this bug, fortunately.

    2. Anonymous Coward
      Alien

      Re: Already patched in Slackware.

      Because the group of people you trust to be competent to deal with replacing disks on your systems are the same as the group you trust to be competent to restart the database, are the same as the group you trust to be able to run backups. And you, of course, trust all those people to be able to read the backup tapes, because, well, they're all good people who you trust to do anything.

      Yes, 'fuzzy-headed managment' with their boring concerns about security.

      1. Angry clown

        @tfb - Re: Already patched in Slackware.

        This is sysadmin fascism. It is not you alone that decides who is to be trusted and who's not, business has also a word to say. You are supposed to do your best to work with database and application owners to manage risks not to impose your vision.

        Also, may I remind you the not so few cases in which a trusted sysadmin locked down networks and systems and denied legitimate users access ?

        1. Anonymous Coward
          Mushroom

          Re: @tfb - Already patched in Slackware.

          Um, who do you think is deciding that various groups of people can perform various actions? Do you think it's the *nix sysadmin people? Seriously? Do you think the *nix sysadmin people have unconstrained root access without going through the correct elevation process to get it? How many people do you think are involved in approving the thousands of lines of sudo configuration that runs all this? Do you think it's just some sysadmin who makes it all up themselves? How quickly do you think the organisation would fail its audit if any of those things was true?

          But hey, thanks for calling me a fascist.

          1. Anonymous Coward
            Anonymous Coward

            Re: @tfb - Already patched in Slackware.

            And that leads on the path to Administration and another failure listed at Companies House.

        2. doublelayer Silver badge

          Re: @tfb - Already patched in Slackware.

          "It is not you alone that decides who is to be trusted and who's not, business has also a word to say."

          Methinks you misunderstood the main point. The main point was that giving unrestricted root access lets everyone with that access do anything. The business wouldn't want that. Nothing was said about the admins making all decisions; instead the admins would be better implementing a security policy limiting users' access to run stuff with root privileges.

          "Also, may I remind you the not so few cases in which a trusted sysadmin locked down networks and systems and denied legitimate users access ?"

          And how did they do that? By running commands as root. So if you give ten times as many people unrestricted root access, you have ten times as many people who could do something like that. And your disagreement with the original point was?

          1. Anonymous Coward
            Anonymous Coward

            @Doublelayer - Re: @tfb - Already patched in Slackware.

            My disagreement is written in the first quote. It's about who decides to trust who. Hint, the word "alone".

            As for the sysadmin locking legitimate users out, this is what happens when sysadmin decides he can't trust anybody else to come closer to his network/systems. If business decides to give ten other sysadmins the same level of privilege then that's it. The business is not really concerned with how many people have root privileges that will allow unrestricted access (otherwise they would never outsource systems administration). All they want is an environment where risks are managed and controls are in place and definitely not a place where a sysadmin consolidates his/her personal power.

  5. sbt
    Linux

    Linux? More like POSIX. If your OS is non-standard.

    Seems like this would affect any POSIX system with sudo, e.g. BSD, MacOS, etc.

    I'm a bit out of date, but running 1.7.10 here. Don't have the non-standard config, but still.

  6. Blackjack Silver badge

    This sounds more like a feature

    If you are the user if course.

  7. Anonymous Coward
    Anonymous Coward

    Don't forget about your Pi-Hole!

    Looks like Raspian (Debian for Raspberry Pi's) also received this update.

    (Although I'm not sure what effect the patch has on a system already running as root user?)

  8. J.G.Harston Silver badge

    If I want to do some admin tasks I log on as an admin user, into the admin user's environment, with ADMIN ADMIN ADMIN ADMIN ADMIN ADMIN plastered across the backdrop. Allowing non-admin users to temporarily do admin-permission tasks encourages laziness, sloppiness and mistakes.

    1. phuzz Silver badge

      As long as you're not lazy or sloppy when you configure sudo, then the user can only bugger up the part of the system that you've allowed them access to.

      Because yes, sometimes we have to let other people touch our precious servers.

    2. Anonymous Coward
      Anonymous Coward

      @J.G.Harston - This is where your competence and skills comes to play

      Allow users to do their work with temporary limited admin privileges while making sure there's no room for laziness, sloppiness and mistakes. Do this and you'll earn a lot a respect as a sysadmin. Keep in mind it's not your server that you are managing.

    3. teknopaul

      The thinking is that doing stuff that does not need to be done as admin as admin, e.g. cd, ls, less, makes mistakes more serious.

      Sudo can ask for a password if you want that.

  9. DontFeedTheTrolls
    Coat

    -1 you say?

    I know I'm a boring geek, but if I sit at 90 degrees am I elevated to the square root?

    1. This post has been deleted by its author

  10. STOP_FORTH
    Linux

    Suggestion

    Install Puppy Linux (or any of its relatives). Until fairly recently, everything was root by default. You bunch of wusses.

  11. mr-slappy

    The Real Issue

    I think we're all skirting around the real issue here. Is it pronounced soo-doh or soo-doo?

    I've always said soo-doh, although I'm not an admin.

    1. Anonymous Coward
      Alien

      Re: The Real Issue

      'sudoo': 'su and do something', not 'su and doh something', which would be some operation involved in bread making in a secure environment.

      But the right pronunciation is ultimately how people pronounce it, of course!

    2. Jay 2

      Re: The Real Issue

      To paraphrase a song by Prodigy "The sudo, who do, what you don't dare do people". So to me sudo rhymes with voodoo (acts similar too).

      1. This post has been deleted by its author

    3. Kiwi

      Re: The Real Issue

      I've heard somewhere that it was linked to "Pseudo".

      Not being the sort of person who really pays attention to these things (unless I really have trouble understanding what the thing is supposed to do), I have no idea as to the veracity of such a statement.

  12. Anonymous Coward
    Anonymous Coward

    If somebody really has that specific example in their sudo config, then bob pwns their box anyway, even after patching. As somebody else already wrote, you don't blacklist with sudo, you whitelist. with blacklisting, it's practically impossible to avoid holes. So I won't lose sleep over this.

    sudo -u alice vi

    :sh

    sudo -u root bash

  13. TheVogon

    "seeing as Sudo runs as root "

    SUDO always was a broken security model. We should adopt a proper constrained delegation model where accounts never have to run a user mode process with more rights than actually needed. The Windows security model does this well for instance

    1. Kiwi

      The Windows security model does this well for instance

      And where windoze fails, there's several 3rd-party options to secure your data.

      I hear some of those ransomware programs do a very good job of securing a user's data against their mistakes...

  14. Anonymous Coward
    Anonymous Coward

    "If you're interested, to plug the security hole, Sudo was tweaked to block -1 as a user ID."

    ...but still allowing user id '4294967295' ?

    <facepalm/>.

  15. LeahroyNake

    I am

    Groot.

    I have my coat, left 5 mins ago :p

    1. quxinot

      Re: I am

      That's quite a bit of lag.

  16. Dwarf
    Coat

    ku

    The missing privileged command in Linux, then we can all have fun with

    sudo ku

    Mines the one with a chapter of the system V manuals in my pocket - as the whole set wouldn't fit.

  17. Anonymous Coward
    Anonymous Coward

    Wierdo topic

    I don't know much about the top but it seem pretty bad at all to disallow -1. I don't know what happen if i do n-1 where n is root. So i tried at mac and it seems to work for any value where n is less then root id. So my question is. Does it fix at all this issue? Do we have any prove of concept that this solution works at all?

    I read the code and seems to be a 0day patch and they will sun drop a new release. Linus should correct or fix the bug at all without the any hard code for now

  18. rmstock

    There's more to this than meets the eye

    There's more to this than meets the eye. What was publicized was one of the longest living zero-days exploits out there. Apparently in only very peculiar sudo configurations this sudo zero-day exploit was able to run as root. To be honest i never had heard of sudo until i started installing ubuntu and debian based linux distros. These people most damned know more of the whole story. Also the diff file going from version 1.8.27 and 1.8.28 is suddenly more than a million miles of lines long. Why so ? There's more to hide within sudo ? Therefor here's my sudo contribution for older Linux versions :

    for Mandrake 10.1 and RedHat 7.3

    ftp://ftp.crashrecovery.org/pub/linux/sudo/RPMS/mdk101/

    Mandriva 2011

    ftp://ftp.crashrecovery.org/pub/linux/sudo/RPMS/mdv2011/

    1. jake Silver badge

      Re: There's more to this than meets the eye

      Yes, we know, sudo had to be configured (im)properly for the bug to manifest itself. Not sure where you have an issue with that. A bug was found. It's been swatted. There will be more bugs to swat, eventually. It's what we do. (TINW) ... Onwards.

      As for the diff file, I'm not sure what you are worried about. The tar archive for 1.8.28 is only about 0.5% (one half of one percent) larger than 1.8.27. The expanded archive is about 0.2% (two tenths of a percent) larger. This is easily within the range of what I would expect after reading (skimming, to be honest) the change log.

      1. rmstock

        Re: There's more to this than meets the eye

        $ tar xzpf sudo-1.8.27.tar.gz

        $ tar xzpf sudo-1.8.28.tar.gz

        $ diff -uNr sudo-1.8.27 sudo-1.8.28 > sudo.diff

        $ ls -l sudo-1.8.27.tar.gz sudo-1.8.28.tar.gz sudo.diff

        -rw-r--r-- 1 root root 3293178 Oct 16 15:18 sudo-1.8.27.tar.gz

        -rw-r--r-- 1 root root 3309744 Oct 16 15:15 sudo-1.8.28.tar.gz

        -rw-r--r-- 1 root root 3654730 Oct 26 19:08 sudo.diff

        $ wc -l sudo.diff

        92512 sudo.diff

        $

        So the diff file going from 1.8.27 to 1.8.28 is 92.512 lines long, I wonder what caused this .

        1. jake Silver badge

          Re: There's more to this than meets the eye

          "I wonder what caused this ."

          Did you bother looking at it?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like