posted by martyb on Tuesday October 15 2019, @03:20PM
from the Ruh-Roh dept.

We had two Soylentils write in to inform us of a serious bug in sudo.

See the web site Potential bypass of Runas user restrictions and CVE-2019-14287 for examples and details.

Unsigned int in sudo allows Linux privilege escalation

Time to fire up your favorite package manager. Joe Vennix, a researcher from Apple, has discovered an unsigned variable was used for uid in sudo prior to version 1.8.28, allowing a user to specify -1 or 4294967295 as the uid. This then defaults to uid 0, but since this doesn't exist in the database no PAM modules are run. This only works for users with sudo rights, but works even if root is explicitly prohibited. See CVE-2019-14287 for more details.

sudo escalation - interesting bug

A freshly-discovered bug in sudo allows escalation to root for any entries with runas ALL configured. Bug has been present for years.

https://seclists.org/oss-sec/2019/q4/18


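The summary above describes the mechanism in one sentence: the requested uid was held in an unsigned variable, so "-1" and 4294967295 are the same value, and that value is what setresuid() treats as "leave the uid unchanged". The following is an added model of that check, written for this page and not taken from sudo's source: it emulates the pre-1.8.28 unsigned conversion beside a hardened parser that refuses the value, and runs both through a "(ALL, !root)" style policy. The function names, the assumption that the fix amounts to rejecting (uid_t)-1, and the 32-bit uid_t are all mine.

```python
"""Model of the CVE-2019-14287 Runas check (added illustration, not sudo code).

Constructed model: a '#<n>' runas spec is parsed, checked against a policy
that denies root, and then handed to a setresuid()-like step.  The only thing
the hardened parser changes is that it refuses (uid_t)-1 outright.
"""

UID_MAX = 2**32 - 1   # (uid_t)-1 for a 32-bit uid_t; the kernel reads it as "do not change"
ROOT_UID = 0


def parse_runas_uid_unsigned(spec: str) -> int:
    """Pre-1.8.28 style: the number is parsed as signed, then stored in an
    unsigned 32-bit uid, so '#-1' wraps to 4294967295.  Assumption: this
    mirrors the unsigned variable named in the summary, not sudo's code."""
    if not spec.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    return int(spec[1:], 10) & 0xFFFFFFFF


def parse_runas_uid_hardened(spec: str) -> int:
    """Hardened variant: refuse a uid that is negative, out of range, or equal
    to (uid_t)-1, because that value is a syscall sentinel, not a user."""
    if not spec.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    uid = int(spec[1:], 10)
    if uid < 0 or uid >= UID_MAX:
        raise ValueError(f"invalid runas uid {uid}: not a real user")
    return uid


def runas_permitted(denied_uids, uid: int) -> bool:
    """'(ALL, !root)' style Runas list: everything is allowed except the
    explicitly denied uids."""
    return uid not in denied_uids


def effective_uid_after_setresuid(current_uid: int, requested_uid: int) -> int:
    """setresuid() semantics for one uid argument: -1 (0xFFFFFFFF as uid_t)
    means 'leave this id alone'.  sudo is setuid-root, so current_uid is 0."""
    if requested_uid == UID_MAX:
        return current_uid
    return requested_uid


def simulate(spec: str, parser) -> dict:
    """Run one '-u <spec>' request through policy and syscall model and report
    what the policy decided and which uid the command would actually run as."""
    denied = {ROOT_UID}                       # the '!root' half of (ALL, !root)
    try:
        uid = parser(spec)
    except ValueError as exc:
        return {"policy": "rejected", "reason": str(exc), "runs_as": None}
    if not runas_permitted(denied, uid):
        return {"policy": "rejected", "reason": "uid 0 is denied", "runs_as": None}
    return {"policy": "allowed", "reason": None,
            "runs_as": effective_uid_after_setresuid(ROOT_UID, uid)}


if __name__ == "__main__":
    for spec in ("#0", "#-1", "#4294967295", "#1000"):
        print(spec, "unsigned:", simulate(spec, parse_runas_uid_unsigned),
              "hardened:", simulate(spec, parse_runas_uid_hardened))
```

The point the model makes is that the policy check is not wrong on its own terms: uid 0 really is denied. The bypass lives in the gap between the policy's view of the uid and the kernel's, and the hardened parser closes it by refusing the sentinel before the policy ever sees it.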

  • (Score: 2) by Mojibake Tengu on Tuesday October 15 2019, @03:27PM (27 children)

    by Mojibake Tengu (8598) on Tuesday October 15 2019, @03:27PM (#907407) Journal

    Linux did very bad by demolition of ancient operator concept. Minds of later generations are spoiled now.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 3, Funny) by Anonymous Coward on Tuesday October 15 2019, @03:35PM (13 children)

      by Anonymous Coward on Tuesday October 15 2019, @03:35PM (#907409)

      We should all ditch Linux for the more secure and trustworthy Windows 10 right now.

      • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday October 15 2019, @03:38PM (3 children)

        by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday October 15 2019, @03:38PM (#907410) Homepage Journal

        Nah, DOS. If you only have one user, it's utterly unpossible to run something as a more privileged user.

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @04:18PM (1 child)

          by Anonymous Coward on Tuesday October 15 2019, @04:18PM (#907427)

          Only browsers get run as a limited user.

          • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @12:18AM

            by Anonymous Coward on Wednesday October 16 2019, @12:18AM (#907644)

            Only browsers get run as for a limited user.

            FTFY

        • (Score: 3, Touché) by inertnet on Tuesday October 15 2019, @06:57PM

          by inertnet (4071) on Tuesday October 15 2019, @06:57PM (#907514) Journal

          Don't let the SJW's find out about them, or privileged users will be forbidden for us ordinary people.

      • (Score: -1, Disagree) by Anonymous Coward on Tuesday October 15 2019, @03:46PM (4 children)

        by Anonymous Coward on Tuesday October 15 2019, @03:46PM (#907411)

        We should all ditch Linux for the more secure and trustworthy Windows 10 right now.

        Microsoft would disagree completely. Really.

        https://support.microsoft.com/en-us/help/2941892/support-for-linux-and-open-source-technology-in-azure [microsoft.com]
        https://en.wikipedia.org/wiki/Windows_Subsystem_for_Linux [wikipedia.org]

        Also, that dead horse you are beating ... it died almost 20 years ago. Today, Microsoft is the largest open source contributor,

        https://www.techrepublic.com/article/microsoft-may-be-the-worlds-largest-open-source-contributor-but-developers-dont-yet-care/ [techrepublic.com]

        • (Score: 5, Insightful) by Sourcery42 on Tuesday October 15 2019, @05:11PM (3 children)

          by Sourcery42 (6400) on Tuesday October 15 2019, @05:11PM (#907449)

          Can't tell if you're trolling, a shill (seriously, why bother here?), making a joke that is going way over my head, or just really out of the loop. Possibly turning over a new leaf very recently, not two decades ago, just doesn't excuse decades of anti-competitive bullshit and downright evil fuckery. Twenty years ago they were still in the throes of publishing the reports that would come to be known as the Halloween Documents https://en.wikipedia.org/wiki/Halloween_documents [wikipedia.org]. Then there's all the FUD they spouted when they had their arm up SCO's ass using them as a sockpuppet patent troll. That kind of shit just doesn't wash off because of some github commits to make pet projects work better on your own platform. We are wary and distrustful for exceedingly good reasons.

          • (Score: 4, Insightful) by Gaaark on Tuesday October 15 2019, @09:34PM

            by Gaaark (41) on Tuesday October 15 2019, @09:34PM (#907571) Journal

            Also suing small companies like Tom-tom saying "You're using Linux and that violates, what... 11 of our patents? No...we won't tell you WHICH patents we're making up, errrr...it violates. Give us the blackmail money....errrrr...the patent licensing money, or we'll take you to court."

            I wish a large company like google would back the smaller company financially and go to court so we could see the man behind the curtain.

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
          • (Score: 1, Interesting) by Anonymous Coward on Wednesday October 16 2019, @04:11AM (1 child)

            by Anonymous Coward on Wednesday October 16 2019, @04:11AM (#907717)

            Microsoft's later fuckery is much, much worse than the Halloween Documents. They've been working with Saudi and Qatari intelligence to monopolize and censor the internet, DDOS independent sites, destroy the education system, and bill it all to the US, UK, and Israeli governments as national security work.

            Remember Gamergate? That was Microsoft [deepfreeze.it] pipelining a Saudi spy ring into the US Army's computerized training programs that Microsoft knew would be developed in the future because Microsoft was running the Serious Games Association. Microsoft and its PR agents from USC were running the gaming press and the indie games festivals so their own developers could promote each other and give themselves awards and make celebrities of the people who they wanted to infiltrate the Army training program. Microsoft planted the fake New York Times headline calling the people discussing the news a harassment campaign, while at the same time Microsoft organized a fake "Anonymous" hacking and harassment campaign against everyone discussing the news. Microsoft brought Brianna Wu to Microsoft HQ to recruit her as a professional troll. People noticed that the trolls were all goons with their unique gender bullshit, so Microsoft and the Gates Foundation (in charge of Common Core) changed the schoolbooks to replace basic biology and sex ed with the trolls' gender bullshit so people would side with the trolls. Microsoft's top open source strategists went around the Middle East with Shanley Kane before they came back to the US and threw money around to install her and her friends at the top of the most important open source projects and Wikipedia.

            People used to say that Bill Gates was evil. I thought that was just edgy teenage exaggeration, but holy shit is he evil. If they can do all this and get away with it, they're probably using their telemetry to spy on every Windows user and share their findings with their foreign partners. There is nothing stopping them.

            • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @08:05PM

              by Anonymous Coward on Wednesday October 16 2019, @08:05PM (#907988)

              soon we will have wars against tech companies.

      • (Score: 2) by DannyB on Tuesday October 15 2019, @05:58PM (3 children)

        by DannyB (5839) Subscriber Badge on Tuesday October 15 2019, @05:58PM (#907469) Journal

        We should all ditch Linux for the more secure and trustworthy Windows 10 right now.

        Why not the more secure Windows 3.1?

        It didn't have intarwebs access. Not unless you jumped through a lot of hoops to add it.

        Apart from processor ISA, Win 3.1 would probably run on a modern microcontroller. It has clock, calendar, file manager, program manager, notepad, basically everything you need. If you can't do anything useful, and cannot access the intarwebs, then it seems pretty secure.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
        • (Score: 2) by RS3 on Tuesday October 15 2019, @11:30PM (2 children)

          by RS3 (6367) on Tuesday October 15 2019, @11:30PM (#907617)

          I used to browse the web on Win3.11. The IP "stack" was easy, but IIRC NCSA Mosaic was the only browser that I knew of initially, then Netscrape came along, but all of the above crashed a lot, for me anyway. I quickly jumped into Linux at that point.

          Now you have me wondering if Win 3.1 would run on a "modern" MB. Evidently yes: http://yeokhengmeng.com/2016/09/windows-for-workgroups-3-11-on-vintage-and-modern-hardware-in-2016/ [yeokhengmeng.com]

          • (Score: 2) by Runaway1956 on Wednesday October 16 2019, @03:34PM (1 child)

            by Runaway1956 (2926) Subscriber Badge on Wednesday October 16 2019, @03:34PM (#907898) Journal

            Nostalgia. I unearthed an unused copy of Windows 1.something, and thought it was a kinda cool thing. Then a copy of Win 2.something. In both cases, reading the documentation was more worthwhile than actually using the Windows. Never saw Win3, instead, I stumbled over 3.11. I'm not sure if networking ever actually worked properly but I had fun with it. Of course, I never had an actual internet portal until Win95 came along, and I "pirated" it.

            To be perfectly honest, I had some DOS menu application which was more functional than any of Win1/2/3. DamnifIrecall the name of the program, but I could point it to any and all installed DOS programs, or to executables anywhere on hard drive. It created shortcuts, and searched the executable for an icon to use, and failing that, it offered a few different generic icons. Supply any needed arguments, and you were set to go with a nice professional looking menu system. Redundancy? Oh yes, just fire up Win3.11, add a menu item in Windows for the menu program, then go to the menu program, and create a link to Windows. I managed to run out of memory very quickly, LOL!!

            • (Score: 2) by RS3 on Thursday October 17 2019, @07:23PM

              by RS3 (6367) on Thursday October 17 2019, @07:23PM (#908458)

              3.11 was just 3.1 with MS peer-to-peer networking, and therefore a bit less available RAM. It always felt a bit slower on the same hardware. Even with straight 3.1 you could install 3rd-party network software to run an IP "stack", either over Ethernet or RS232 / modem (ppp or slip for Windows). I forget which one I used mostly...

              In those days I mostly used Windows as a multi-session DOS machine. I still had and used mostly DOS-based software, WordPerfect, Borland C 3.1 and 4.5 for sure. I forget what else... Maybe someday I'll fire up one of my old machines if the disks still work...

              Somewhat funny story- my first copy of Windows 3.1 came with a legit mouse purchase at a major legit brick-and-mortar store. Years later I heard / found out those were bootleg copies.

              Yes, I remember many DOS menu utilities. I rarely used them, but I think Norton had one. And I remember some like you described for Windows, finding icons, etc.

              I also bought Qemm / DesqView https://en.wikipedia.org/wiki/DESQview [wikipedia.org] which was awesome, but by then I was migrating into Linux.

              Yeah, RAM was small and expensive! I remember a company I worked for in the 90s, maybe 1996, buying 2 8 MB sticks, or maybe they were 16 MB, anyway, I think it was more than $1,000.

              I used Qemm and other memory managers and lots of tweaks to maximize available RAM. I still do that- mostly turning OFF lots of stupid Windows processes. I tweak Linux similarly, which is why I hate and won't use systemd- too much trouble, and _I_ want to be in control of _my_ computer.

    • (Score: 2) by RamiK on Tuesday October 15 2019, @03:56PM

      by RamiK (1813) on Tuesday October 15 2019, @03:56PM (#907415)

      This got addressed in plan9 with namespaces and hostowners but I'm not sure it got any better if being perfectly honest.

      --
      compiling...
    • (Score: 3, Funny) by JoeMerchant on Tuesday October 15 2019, @04:19PM (1 child)

      by JoeMerchant (3937) on Tuesday October 15 2019, @04:19PM (#907429)

      Sudo Is A Children's Toy

      And the majority of users are....?

      --
      🌻🌻 [google.com]
      • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @11:36PM

        by Anonymous Coward on Tuesday October 15 2019, @11:36PM (#907619)

        Pick me! Pick Me! I know!
        A Children's Toy!

    • (Score: 3, Informative) by DannyB on Tuesday October 15 2019, @06:00PM

      by DannyB (5839) Subscriber Badge on Tuesday October 15 2019, @06:00PM (#907472) Journal

      Sometimes children may be known to find an adult toy and think it is a children's toy. But like sudo, it is an adult toy, not a children's toy. The sudo is for grown ups to delete their root filesystem. Not for children.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 1) by fustakrakich on Tuesday October 15 2019, @06:22PM (1 child)

      by fustakrakich (6150) on Tuesday October 15 2019, @06:22PM (#907487) Journal

      What's the big deal? I just login as root. Who can escalate above that?

      --
      La politica e i criminali sono la stessa cosa..
    • (Score: 3, Funny) by All Your Lawn Are Belong To Us on Tuesday October 15 2019, @08:45PM (6 children)

      by All Your Lawn Are Belong To Us (6553) on Tuesday October 15 2019, @08:45PM (#907553) Journal

      That's my problem.

      Here I'd been telling my wife, "Sudo Make Me a Sandwich [xkcd.com]" and she wasn't doing it.

      I needed to be saying, "Sudo Make Me A Sandwich -v -u #-1". I can't wait to try it out tonight!

      --
      This sig for rent.
      • (Score: 3, Funny) by Gaaark on Tuesday October 15 2019, @09:41PM (3 children)

        by Gaaark (41) on Tuesday October 15 2019, @09:41PM (#907573) Journal

        I already tried it with your wife, but she didn't want me to lose my "longest UPtime" award.

        :)

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2, Touché) by Anonymous Coward on Tuesday October 15 2019, @11:24PM (1 child)

          by Anonymous Coward on Tuesday October 15 2019, @11:24PM (#907614)

          Try...
          sudo unzip head ifup mount tail ifdown touch pipe && biff until ifup && watch until reset

          • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @12:14AM

            by Anonymous Coward on Wednesday October 16 2019, @12:14AM (#907642)

            Kernel panic: not syncing

        • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday October 16 2019, @04:25PM

          by All Your Lawn Are Belong To Us (6553) on Wednesday October 16 2019, @04:25PM (#907922) Journal

          Damn!

          --
          This sig for rent.
      • (Score: 3, Funny) by Runaway1956 on Wednesday October 16 2019, @03:38PM

        by Runaway1956 (2926) Subscriber Badge on Wednesday October 16 2019, @03:38PM (#907901) Journal

        It might work better if you were married to a girl named SUDO. ETHEL just doesn't seem to respond very well to SUDO.

      • (Score: 2) by All Your Lawn Are Belong To Us on Wednesday October 16 2019, @04:42PM

        by All Your Lawn Are Belong To Us (6553) on Wednesday October 16 2019, @04:42PM (#907929) Journal

        I tried it last night.

        Unfortunately her head exploded.

        Anybody got a replacement for me?

        --
        This sig for rent.
  • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @03:49PM (8 children)

    by Anonymous Coward on Tuesday October 15 2019, @03:49PM (#907412)

    I remember all the vulns in sudo around the millennium, so I stuck with su and abuse from *experts* that I was somehow doing it all wrong. Wonder if any of these *experts* run multi-user systems?

    • (Score: 2) by FatPhil on Tuesday October 15 2019, @04:23PM (1 child)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday October 15 2019, @04:23PM (#907433) Homepage

      'who' shows that there are 6 people currently live on one of my systems. 2 of which, my g/f & I, are allowed to run sudo.

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @06:01PM

        by Anonymous Coward on Tuesday October 15 2019, @06:01PM (#907473)

        That's nice but you (sensibly) [cvedetails.com] have it locked down and I also don't get the impression you'd ever be lecturing me to stop using su.

    • (Score: 2) by DannyB on Tuesday October 15 2019, @06:01PM (4 children)

      by DannyB (5839) Subscriber Badge on Tuesday October 15 2019, @06:01PM (#907474) Journal

      Have you ever tried simply: sudo bash
      ??

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @06:14PM (1 child)

        by Anonymous Coward on Tuesday October 15 2019, @06:14PM (#907482)

        No but I bash sudo on a regular basis.

        • (Score: 3, Touché) by DannyB on Tuesday October 15 2019, @08:41PM

          by DannyB (5839) Subscriber Badge on Tuesday October 15 2019, @08:41PM (#907551) Journal

          So you mean: sudo bash sudo

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 2) by rob_on_earth on Wednesday October 16 2019, @09:32AM (1 child)

        by rob_on_earth (5485) on Wednesday October 16 2019, @09:32AM (#907809) Homepage

        My goto on an Ubuntu system is

        sudo -s

        avoids

        sudo apt-get update
        sudo apt-get upgrade
        sudo apt-get dist-upgrade
        sudo etc...

        • (Score: 1, Informative) by Anonymous Coward on Wednesday October 16 2019, @09:44PM

          by Anonymous Coward on Wednesday October 16 2019, @09:44PM (#908013)

          su -

    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 15 2019, @08:25PM

      by Anonymous Coward on Tuesday October 15 2019, @08:25PM (#907541)

      I remember when everyone was saying you should do things with sudo instead of running as root. It always seemed like a stupid idea to me. Either you know what you’re doing and you should have root, or you practice breaking a junk system until you do.

      This one got solidified for me when I saw that everyone new to *nix was indeed learning the “right” way to do things: Someone in one of my math labs at university prefixed *every* command with “sudo”. I asked why, he said “that’s how you run commands in Linux!”.

      sudo ls, sudo cd, sudo octave, so forth.

  • (Score: 3, Interesting) by rigrig on Tuesday October 15 2019, @03:56PM (8 children)

    by rigrig (5129) <soylentnews@tubul.net> on Tuesday October 15 2019, @03:56PM (#907416) Homepage

    This is getting a lot more attention than I was expecting.
    Are there really that many systems around which have sudo set up to allow users to run commands as any arbitrary user except root?

    Also: one of the obligatory xkcd links [xkcd.com] (I checked, and yes, man sudoers still contains a Quick guide to EBNF section)

    --
    No one remembers the singer.
    • (Score: 3, Informative) by The Mighty Buzzard on Tuesday October 15 2019, @04:10PM (6 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday October 15 2019, @04:10PM (#907421) Homepage Journal

      Abso-fucking-lutely. Tech support guys for one. I don't care if a college kid nukes one user's /home directory or mail spool accidentally but they damned sure don't need to be running anything as root. Or if they do it needs to be from an explicitly whitelisted set of commands.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by RS3 on Tuesday October 15 2019, @07:02PM (5 children)

        by RS3 (6367) on Tuesday October 15 2019, @07:02PM (#907515)

        Whitelist = {things not in /sbin or /usr/sbin}, for example. At least, that was the concept. Now...

        • (Score: 2) by The Mighty Buzzard on Tuesday October 15 2019, @07:34PM (4 children)

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday October 15 2019, @07:34PM (#907526) Homepage Journal

          I'm generally more picky about what I let them run as root. If the executable is always going to have the same arguments, full path and arguments. Otherwise, full path. Zero privileges they don't actually need. The closer they get to admin the less picky I am though.

          --
          My rights don't end where your fear begins.
          • (Score: 2) by HiThere on Tuesday October 15 2019, @09:16PM

            by HiThere (866) Subscriber Badge on Tuesday October 15 2019, @09:16PM (#907569) Journal

            Depends on the use case. I had a system where the login shell was to a database program that I wrote. That was the appropriate approach for that system. Others...others are a lot more flexible. Many I just had an install DVD that was used if they bork the system. For other use cases intermediate approaches are appropriate.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
          • (Score: 3, Informative) by RS3 on Tuesday October 15 2019, @11:39PM (2 children)

            by RS3 (6367) on Tuesday October 15 2019, @11:39PM (#907621)

            Yes, absolutely. I was too terse. I meant that in the good old days, admin-only stuff was in /sbin, /usr/sbin, and "regular" users had no access. I'm now noticing on several distros that regular users have lots of xr in /sbin and /usr/sbin - but not everything fortunately. And maybe too many adminy things are in /bin and /usr/bin. Not sure if that's intentional or laziness... But yes, the lines are somewhat fuzzy depending on the who. For most of the systems I admin, I and the owner are the only people logging in cli.

            • (Score: 2) by The Mighty Buzzard on Wednesday October 16 2019, @02:06AM

              by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Wednesday October 16 2019, @02:06AM (#907676) Homepage Journal

              Yeah, I gotta say I do miss that.

              --
              My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @03:33PM

              by Anonymous Coward on Wednesday October 16 2019, @03:33PM (#907896)

              Poettering has decided that is so dumb.

    • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @09:56PM

      by Anonymous Coward on Tuesday October 15 2019, @09:56PM (#907577)
  • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @04:02PM (17 children)

    by Anonymous Coward on Tuesday October 15 2019, @04:02PM (#907417)

    1.8.28 is not available on my Ubuntu server as of right now. The latest available is 1.8.27
    :(

    I consider this a problem worthy of an immediate patch and reboot cycle of my production server, but it's not available to me.

    • (Score: 2) by The Mighty Buzzard on Tuesday October 15 2019, @04:12PM (8 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday October 15 2019, @04:12PM (#907422) Homepage Journal

      Easy, though possibly painful, fix: temporarily disable sudo-ing to any arbitrary user.

      --
      My rights don't end where your fear begins.
      • (Score: 3, Insightful) by NotSanguine on Tuesday October 15 2019, @05:59PM (7 children)

        I limit sudo to members of the 'wheel' group.

        If you can't trust those with 'su' access to use 'sudo' responsibly, you're screwed anyway.

        While there are many scenarios which require folks to execute commands as a specific (potentially different) user, none of those currently exist on my systems.

        I'd also point out that this is a *local* privilege escalation so, unless this issue is combined with a remote execution vulnerability, only valid users with /etc/sudoers entries can exploit it.

        Limit sudo access to local *interactive* users (e.g., not 'apache', 'nginx', and/or 'mysql', etc.) and only give them rights to execute the *specific* commands they require. Also, until patched versions are available, monitor sudo usage closely.

        Anyone exploiting this vulnerability is likely breaking corporate/organizational policies and/or the CFAA [wikipedia.org] and should be dealt with accordingly.

        tl;dr: The impact of this vulnerability can be mitigated with good security practices/policies.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
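The advice above to monitor sudo usage until the patched package lands can be turned into a concrete check. The following is an added example, not part of the post or of sudo: it scans log lines in the shape of sudo's syslog record (`<user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=...`) and flags the two spellings of the runas uid that the advisory names. The sample lines are constructed for this example, and the assumption that a numeric `-u '#n'` request is logged as `USER=#n` is mine; check it against your own sudo's output before relying on it.

```python
"""Detection over sudo log lines for CVE-2019-14287 style runas requests.

Added example for this page, not sudo's code.  Assumption: sudo logs the
requested runas user verbatim, so a numeric request appears as USER=#<n>.
"""
import re

# Constructed sample log lines (not captured from a real host).
SAMPLE_LOG = """\
Oct 15 15:20:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct 15 15:21:17 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/bin/bash
Oct 15 15:22:05 host sudo:    carol : TTY=pts/2 ; PWD=/srv/www ; USER=www-data ; COMMAND=/usr/bin/systemctl reload apache2
Oct 15 15:23:40 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/id
Oct 15 15:24:02 host sudo:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=#1001 ; COMMAND=/usr/bin/id
"""

SUDO_RECORD = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?;\s*USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$")

# The two spellings of (uid_t)-1 named in the advisory.
SENTINEL_RUNAS = {"#-1", "#4294967295"}


def parse_sudo_line(line: str):
    """Return the user / runas / command fields of one sudo record, or None."""
    m = SUDO_RECORD.search(line)
    return m.groupdict() if m else None


def classify(rec: dict):
    """'alert' for the -1 sentinel, 'review' for any other numeric runas
    (unusual on most hosts, so worth a look), None for a named runas user."""
    runas = rec["runas"]
    if runas in SENTINEL_RUNAS:
        return "alert"
    if runas.startswith("#"):
        return "review"
    return None


def find_suspicious_runas(log_text: str):
    """Scan log text and return (severity, record) pairs worth attention."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            hits.append((severity, rec))
    return hits


if __name__ == "__main__":
    for severity, rec in find_suspicious_runas(SAMPLE_LOG):
        print(f"{severity:6} user={rec['user']} runas={rec['runas']} cmd={rec['cmd']}")
```

Running it over the sample lines reports bob twice at alert level and dave once for review. The numeric-runas tier is deliberately noisy: on a host where nobody legitimately uses `-u '#n'`, every such line is worth a question, and the two sentinel values are the ones to page on.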
        • (Score: 3, Informative) by loonycyborg on Tuesday October 15 2019, @06:24PM (5 children)

          by loonycyborg (6905) on Tuesday October 15 2019, @06:24PM (#907489)

          Patched version is already available. In fact generally they don't disclose such vulnerabilities until they're fixed upstream and such fixes always are a priority for distros. For example it's already fixed in Debian.

          • (Score: 3, Interesting) by NotSanguine on Tuesday October 15 2019, @06:43PM (4 children)

            Patched version is already available. In fact generally they don't disclose such vulnerabilities until they're fixed upstream and such fixes always are a priority for distros.

            As has been reported by two different posters, it is not *yet* available on Ubuntu or Fedora.

            And yes, the custom is to report the vulnerability *privately* and give the developers 90 days to fix the problem before making it public.

            According to Mitre [mitre.org], this CVE was allocated on 27 July 2019. That's less than 90 days, so it's likely there is a fix (did not read TFA, although I did check out the CVE entry) as you mentioned.

            When that fix will be available as a binary update (sorry, recompiling sudo for production systems is a non-starter) for most distributions is unclear/unknown. Hopefully it will be very soon.

            --
            No, no, you're not thinking; you're just being logical. --Niels Bohr
            • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @03:42PM (3 children)

              by Anonymous Coward on Wednesday October 16 2019, @03:42PM (#907903)

              When that fix will be available as a binary update (sorry, recompiling sudo for production systems is a non-starter) for most distributions is unclear/unknown. Hopefully it will be very soon.

              So you have a security issue, a known fix, and the source for your distribution, and you wait to be spoonfed with a binary? Either the issue is not important or you are a pussy. Or both.

              • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @08:36PM (2 children)

                by Anonymous Coward on Wednesday October 16 2019, @08:36PM (#907994)

                I'm sorry. It must be difficult being so ignorant.

                I hope (for your employer/clients sake) you're not involved in IT.

                • (Score: 0) by Anonymous Coward on Thursday October 17 2019, @04:41AM (1 child)

                  by Anonymous Coward on Thursday October 17 2019, @04:41AM (#908177)

                  I hope for your client's sake you aren't.

                  • (Score: 0) by Anonymous Coward on Friday October 18 2019, @03:42PM

                    by Anonymous Coward on Friday October 18 2019, @03:42PM (#908844)

                    "I know you are, but what am I?"
                    "Stop hitting yourself!"
                    "Nyah, Nyah, Nyah, Nyah, Nyah!"

                    Please.

        • (Score: 3, Interesting) by The Mighty Buzzard on Tuesday October 15 2019, @06:48PM

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Tuesday October 15 2019, @06:48PM (#907507) Homepage Journal

          I do as well on simple systems. If you have web devs who might need to bounce apache, a group of SN devs who need to be able to sudo -u slash -i, or an IRC admin who might need to sudo -u sylnt -i? That's another story. Needing to be able to sudo -u $everyonebutroot is going to be limited to operators who aren't administrators, tech support, and the like. Or excessively paranoid bastards who don't allow anyone to sudo to root.

          --
          My rights don't end where your fear begins.
    • (Score: 2, Funny) by Anonymous Coward on Tuesday October 15 2019, @04:13PM (1 child)

      by Anonymous Coward on Tuesday October 15 2019, @04:13PM (#907424)

      ~$ sudo chmod 700 /path/to/sudo

      • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @12:26AM

        by Anonymous Coward on Wednesday October 16 2019, @12:26AM (#907647)

        $ sudo -u \#-1 touch post
        Sorry, user Anonymous Coward is not allowed to execute '/bin/touch post' as #-1 on slashdot.org

    • (Score: 4, Insightful) by FatPhil on Tuesday October 15 2019, @04:18PM (2 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday October 15 2019, @04:18PM (#907428) Homepage

      Why the flying fuck do you have an "(ALL, !root)" rule in your /etc/sudoers file?
      If you do, then you are more of a problem than sudo is.

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @04:44PM (1 child)

        by Anonymous Coward on Tuesday October 15 2019, @04:44PM (#907439)

        Perhaps I misread the bulletin. I interpreted it as anyone being able to run sudo and just tell it to use ALL and specify the UID and boom. Insta-root. My config is default. So perhaps I'm not vulnerable.

        • (Score: 2, Informative) by Anonymous Coward on Tuesday October 15 2019, @05:36PM

          by Anonymous Coward on Tuesday October 15 2019, @05:36PM (#907459)

          The bug happened because the setresuid syscall interprets a uid of -1 as a magic value meaning "do not change the user id", which in the case of sudo (since it is running as root in the first place) means "changing" to a uid of -1 is equivalent to "changing" to a uid of 0.

          But if you configure access to permit a user to run commands as "any user-specified uid except 0", this does not actually prevent running commands as uid 0 because -1 (which is equivalent) is not restricted.
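The thread above narrows the exposure to one configuration shape: a Runas list that says "any user except root". Rather than read every sudoers file by eye, an admin can grep for that shape. The following is an added example written for this page, not a tool from the sudo project: a line-oriented audit that flags user specs whose Runas user list combines `ALL` with a negated entry, plus a check of the version string against the 1.8.28 fix named in the summary. The sudoers sample is constructed. The parser is deliberately simple and does not handle aliases, `\` continuations or `#include` directives, so treat it as a first pass over the files it is pointed at.

```python
"""Audit sudoers text for '(ALL, !root)' style Runas lists (added example).

Not sudo's own parser: a line-oriented heuristic over user specifications
of the form  who  host = (runas_users[:runas_groups]) [tags:] commands.
"""
import re

# Constructed sudoers sample (not from any real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
alice       ALL=(ALL, !root) /usr/bin/vi
bob         ALL=(ALL, !#0) /usr/bin/less
support     ALL=(www-data, postgres) /usr/bin/systemctl
carol       ALL=(ALL) NOPASSWD: /usr/bin/apt-get update
"""

USER_SPEC = re.compile(
    r"^(?P<who>[^\s#][^\s=]*)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")

FIXED_VERSION = (1, 8, 28)   # first release the summary names as fixed


def runas_users(runas_field: str):
    """Split '(ALL, !root)' / '(ALL:ALL)' into the list of runas *user* items."""
    users_part = runas_field.split(":", 1)[0]
    return [item.strip() for item in users_part.split(",") if item.strip()]


def is_all_except_rule(items) -> bool:
    """True when the list grants ALL users but negates some of them, which is
    the shape this bug turns into root access."""
    return "ALL" in items and any(item.startswith("!") for item in items)


def audit_sudoers(text: str):
    """Return the user specs whose Runas user list is 'ALL minus something'."""
    flagged = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USER_SPEC.match(line)
        if not m:
            continue
        items = runas_users(m.group("runas"))
        if is_all_except_rule(items):
            flagged.append({"line": lineno, "who": m.group("who"),
                            "runas": items, "cmds": m.group("cmds")})
    return flagged


def is_fixed_version(version_string: str) -> bool:
    """Parse the first x.y.z in e.g. 'Sudo version 1.8.27' and compare to 1.8.28.
    Suffixes such as 'p2' are ignored for the comparison."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"no version number in {version_string!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_VERSION


if __name__ == "__main__":
    for hit in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {hit['line']}: {hit['who']} may run {hit['cmds']} as {hit['runas']}")
    print("1.8.27 fixed?", is_fixed_version("Sudo version 1.8.27"))
```

On the sample it flags alice and bob and leaves the `%wheel` and `carol` rules alone, which matches the point made above: a rule that already lets someone run things as root gains nothing from this bug, while a rule written to withhold root is the one that fails. Feeding it `sudo -V` output gives the second half of the picture: a flagged rule only matters on a host still running something older than 1.8.28.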

    • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @05:39PM (1 child)

      by Anonymous Coward on Tuesday October 15 2019, @05:39PM (#907461)

      1.8.28 is not available on my Ubuntu server as of right now. The latest available is 1.8.27

      The same is true for Fedora as of 15 October 2019 @17:39:10 GMT

      • (Score: 0) by Anonymous Coward on Wednesday October 16 2019, @02:31AM

        by Anonymous Coward on Wednesday October 16 2019, @02:31AM (#907693)

        I just checked again and sudo v1.8.28 is now included in the Fedora 30 Updates repo (package: sudo-1.8.28-1.fc30.x86_64).

    • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @06:28PM

      by Anonymous Coward on Tuesday October 15 2019, @06:28PM (#907491)

      If it worries you that much it will take you 2 minutes to compile & install from source

  • (Score: 4, Funny) by Bot on Tuesday October 15 2019, @04:41PM

    by Bot (3902) on Tuesday October 15 2019, @04:41PM (#907436) Journal

    It is a delicate binary. In Italian sudo means *I sweat*, while su means *up*. So I guess su is an etymologically safer alternative.

    You might be wondering what names have to do with the mechanical execution of code. The answer is "nothing" but since the trend is towards codes of conduct and politics I thought I might as well do some cultural excursus.

    --
    Account abandoned.
  • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 15 2019, @05:50PM (2 children)

    by Anonymous Coward on Tuesday October 15 2019, @05:50PM (#907465)

    I am sure there are a bunch of angry people right about now. Not because the bug was reported but because the bug was found.
    Obviously "-1" got typoed at least once with a beer can in hand in the last 20 years somewhere ...

    • (Score: 2) by takyon on Tuesday October 15 2019, @06:56PM (1 child)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday October 15 2019, @06:56PM (#907512) Journal

      Bug finding is a threat to national security. If the bugs get fixed, we can't use them as exploits. All coders and hackers must be placed under constant surveillance. Recommend providing free bugged (the other kind) sex bots.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by stretch611 on Wednesday October 16 2019, @12:17AM

        by stretch611 (6199) on Wednesday October 16 2019, @12:17AM (#907643)

        Bill Barr... Is that you???

        --
        Now with 5 covid vaccine shots/boosters altering my DNA :P
  • (Score: 2) by pvanhoof on Tuesday October 15 2019, @05:57PM (3 children)

    by pvanhoof (4638) on Tuesday October 15 2019, @05:57PM (#907468) Homepage

    What was the idea of using unsigned int here? Why not just use a 64bit number? Were they trying to save bits or something? Even a normal int would probably have been sufficient. I'm sure sudo doesn't need to support 2,147,483,647 users. With a 64bit signed int you could support about the amount of users as there are molecules in the visible universe. So if the kernel has the UID number as an unsigned int, then a 64bit int is far far more than plenty.

    This sudo binary is a userland thing that uses +s UNIX rights, I guess. Why is there still userland software that ain't simply using 64bit ints for everything?

    I'm sure a bunch of old farts will tell me to get off their yard and muck about how superior saving bits is. But really. For sudo's binary? Why?

    • (Score: 2, Informative) by Anonymous Coward on Tuesday October 15 2019, @06:12PM

      by Anonymous Coward on Tuesday October 15 2019, @06:12PM (#907480)

      What was the idea of using unsigned int here? Why not just use a 64bit number?

      id_t, uid_t and gid_t are 32-bit unsigned.

      Why is there still userland software that ain't simply using 64bit ints for everything?

      History and compatibility.

    • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @06:46PM

      by Anonymous Coward on Tuesday October 15 2019, @06:46PM (#907506)

      You probably like systemd too.

    • (Score: 1, Informative) by Anonymous Coward on Tuesday October 15 2019, @08:16PM

      by Anonymous Coward on Tuesday October 15 2019, @08:16PM (#907539)

      This bug has absolutely nothing to do with 'unsigned int'. Using a larger int (signed or otherwise) would not avoid this bug. The headline is, at best, misleading.

      The bug is simply because the setresuid system call supports magic uid values which cause it to do something different from what it normally does. In this case, the magic value is -1 (equivalently: 4294967295) which causes the system call to NOT change the relevant uid. The implementation allowed, in some circumstances, the user to supply this magic uid value. Presumably the fix was simply to have sudo reject all attempts to set the uid to this magic value regardless of the configuration.

      This only matters in an IMO rather strange configuration where for some reason the user is permitted to run a command as "any uid except 0", and this bug means the "except 0" restriction can be deliberately bypassed. More typical sudo configurations are either "run as any uid" (in which case this bug doesn't matter) or "run as {some specific set of uids}" in which case this bug also doesn't matter.
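The setresuid sentinel mechanism described in comments #907459 and #907539 above, as an added C example written for this page; it is not sudo's own code and does not reproduce sudo's parser or policy engine. The names UID_UNCHANGED, runas_uid_naive, runas_uid_hardened, allowed_by_all_except_root and uid_after_switch_from_root are assumptions modelling what the two comments describe: a "#uid" runas spec cast straight to uid_t, a (ALL, !root) rule that only excludes uid 0, and the kernel treating (uid_t)-1 as "do not change". The only real system calls used are setresuid(2)/getresuid(2), which any user may call with all three arguments set to -1, so the live check runs unprivileged.

```c
#define _GNU_SOURCE          /* setresuid(2)/getresuid(2) on glibc */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The value setresuid(2) treats as "leave this id alone": (uid_t)-1,
 * which is 4294967295 on a 32-bit uid_t. Hypothetical name. */
#define UID_UNCHANGED ((uid_t)-1)

/* Parse "#<number>" into a long long; false only on syntax errors. */
static bool parse_numeric_spec(const char *spec, long long *out)
{
    if (spec == NULL || spec[0] != '#')
        return false;
    char *end;
    errno = 0;
    long long v = strtoll(spec + 1, &end, 10);
    if (errno != 0 || end == spec + 1 || *end != '\0')
        return false;
    *out = v;
    return true;
}

/* Pre-fix model: the number is cast to uid_t, so "#-1" becomes 4294967295,
 * exactly what "#4294967295" yields. (Assumed, simplified behaviour.) */
static bool runas_uid_naive(const char *spec, uid_t *out)
{
    long long v;
    if (!parse_numeric_spec(spec, &v))
        return false;
    *out = (uid_t)v;
    return true;
}

/* Hardened model (assumed fix): refuse negative and out-of-range values and
 * refuse the UID_UNCHANGED sentinel whatever the policy says. */
static bool runas_uid_hardened(const char *spec, uid_t *out)
{
    long long v;
    if (!parse_numeric_spec(spec, &v))
        return false;
    if (v < 0 || (unsigned long long)v >= (unsigned long long)UID_UNCHANGED)
        return false;
    *out = (uid_t)v;
    return true;
}

/* The (ALL, !root) rule as the thread describes it: any target uid but 0. */
static bool allowed_by_all_except_root(uid_t target)
{
    return target != 0;
}

/* What a root process is left as after setresuid(target, ...): the sentinel
 * means "no change", so the caller stays uid 0. */
static uid_t uid_after_switch_from_root(uid_t target)
{
    return target == UID_UNCHANGED ? 0 : target;
}

/* Live check of the kernel semantics: setresuid(-1,-1,-1) succeeds for any
 * user and leaves the real, effective and saved uids untouched. */
static bool setresuid_sentinel_is_noop(void)
{
    uid_t r0, e0, s0, r1, e1, s1;
    if (getresuid(&r0, &e0, &s0) != 0)
        return false;
    if (setresuid(UID_UNCHANGED, UID_UNCHANGED, UID_UNCHANGED) != 0)
        return false;
    if (getresuid(&r1, &e1, &s1) != 0)
        return false;
    return r0 == r1 && e0 == e1 && s0 == s1;
}

int main(void)
{
    /* Constructed runas specs, including the two forms named in the thread. */
    const char *specs[] = { "#1000", "#-1", "#4294967295", "#0" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        uid_t u = 0;
        bool ok = runas_uid_naive(specs[i], &u);
        printf("%-12s naive uid=%u  (ALL,!root) passes: %s  uid after switch: %u  hardened: %s\n",
               specs[i], ok ? (unsigned)u : 0u,
               ok && allowed_by_all_except_root(u) ? "yes" : "no",
               ok ? (unsigned)uid_after_switch_from_root(u) : 0u,
               runas_uid_hardened(specs[i], &u) ? "accept" : "reject");
    }
    printf("setresuid(-1,-1,-1) left the ids unchanged: %s\n",
           setresuid_sentinel_is_noop() ? "yes" : "no");
    return 0;
}
```

The point the output makes is the one both comments make: "#-1" and "#4294967295" are the same uid_t value, that value passes a policy that only excludes 0, and the kernel then leaves a root caller as root. A larger integer type would not change any of this; rejecting the sentinel (and, more generally, anything outside the valid uid range) is what does.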

  • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @06:03PM (1 child)

    by Anonymous Coward on Tuesday October 15 2019, @06:03PM (#907476)

    I know runas soylentnews.

  • (Score: 0) by Anonymous Coward on Tuesday October 15 2019, @07:31PM (1 child)

    by Anonymous Coward on Tuesday October 15 2019, @07:31PM (#907524)

    sudo -i
    Cuz it's how I roll

  • (Score: 3, Insightful) by corey on Tuesday October 15 2019, @08:38PM

    by corey (2202) on Tuesday October 15 2019, @08:38PM (#907546)

    Should've written it in Ada.
