Monday, March 8, 2021
  • Setup menu at Appearance » Menus and assign menu to Top Bar Navigation
Advertisement
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News
No Result
View All Result
NikolaNews
No Result
View All Result
Home Internet Security

Linux security hole: Much sudo about nothing

October 16, 2019
in Internet Security
Linux security hole: Much sudo about nothing
586
SHARES
3.3k
VIEWS
Share on FacebookShare on Twitter

Linus Torvalds has no problem with Microsoft
ZDNet’s Steven J. Vaughan-Nichols talks with Karen Roby about why no company can ever rule Linux. Read more: https://zd.net/31dQTiV

There’s a lot of hubbub out there now about a security hole in the Unix/Linux family’s sudo command. Sudo is the command, which enables normal users to run commands as if they were the root user, aka the system administrator. While this sudo security vulnerability is a real problem and needs patching, it’s not nearly as bad as some people make it out to be.

You might also like

Maza Russian cybercriminal forum suffers data breach

Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud

CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

At first glance the problem looks like a bad one. With it, a user who is allowed to use sudo to run commands as any other user, except root, can still use it to run root commands. For this to happen, several things must be set up just wrong. 

First the sudo user group must give a user the right to use sudo but doesn’t give the privilege of using it to run root commands. That can happen when you want a user to have the right to run specific commands that they wouldn’t normally be able to use.  Next, sudo must be configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification. 

The last has always been a stupid idea. As the sudo manual points out, “using ALL can be dangerous since in a command context, it allows the user to run any command on the system.” In all my decades of working with Linux and Unix, I have never known anyone to set up sudo with ALL. 

That said, if you do have such an inherently broken system, it’s then possible to run commands as root by specifying the user ID -1 or 4294967295. Thus, if the ALL keyword is listed first in the Runas specification, an otherwise restricted sudo user can then run root commands.

Scary? Not really. It’s pretty much a useless vulnerability. It won’t mess you over if you have a fouled up sudo installation and the attacker is already a sudo user. 

As Yanick Fratantonio, a security expert and assistant professor at EURECOM, tweeted, “this sudo bug thingy is being extremely overhyped. I mean, it’s a cool bug, but it seems relevant only in very very specific situations.” 

And those, I might add, are ones you may never see in your Linux system administration life. That said, you should still patch sudo. Even unlikely bugs can still bite you. Patches should soon be available in all Unix and Linux distributions.

Related Stories:


Credit: Zdnet

Previous Post

Firefox Blocks Inline and Eval JavaScript on Internal Pages to Prevent Injection Attacks

Next Post

CNN.com receives first Verified Mark Certificate in preparation for BIMI email standard

Related Posts

Maza Russian cybercriminal forum suffers data breach
Internet Security

Maza Russian cybercriminal forum suffers data breach

March 7, 2021
Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud
Internet Security

Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud

March 7, 2021
CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now
Internet Security

CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

March 7, 2021
Linux distributions: All the talent and hard work that goes into building a good one
Internet Security

Linux distributions: All the talent and hard work that goes into building a good one

March 7, 2021
Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool
Internet Security

Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool

March 7, 2021
Next Post
CNN.com receives first Verified Mark Certificate in preparation for BIMI email standard

CNN.com receives first Verified Mark Certificate in preparation for BIMI email standard

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Recommended

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

Plasticity in Deep Learning: Dynamic Adaptations for AI Self-Driving Cars

January 6, 2019
Microsoft, Google Use Artificial Intelligence to Fight Hackers

Microsoft, Google Use Artificial Intelligence to Fight Hackers

January 6, 2019

Categories

  • Artificial Intelligence
  • Big Data
  • Blockchain
  • Crypto News
  • Data Science
  • Digital Marketing
  • Internet Privacy
  • Internet Security
  • Learn to Code
  • Machine Learning
  • Marketing Technology
  • Neural Networks
  • Technology Companies

Don't miss it

Machine Learning Patentability In 2019: 5 Cases Analyzed And Lessons Learned Part 4 – Intellectual Property
Machine Learning

Podcast: Non-Binding Guidance: FDA Regulatory Developments In AI And Machine Learning – Food, Drugs, Healthcare, Life Sciences

March 8, 2021
Here’s an adorable factory game about machine learning and cats
Machine Learning

Here’s an adorable factory game about machine learning and cats

March 8, 2021
How Machine Learning Is Changing Influencer Marketing
Machine Learning

How Machine Learning Is Changing Influencer Marketing

March 8, 2021
Video Highlights: Deep Learning for Probabilistic Time Series Forecasting
Machine Learning

Video Highlights: Deep Learning for Probabilistic Time Series Forecasting

March 7, 2021
Machine Learning Market Expansion Projected to Gain an Uptick During 2021-2027
Machine Learning

Machine Learning Market Expansion Projected to Gain an Uptick During 2021-2027

March 7, 2021
Maza Russian cybercriminal forum suffers data breach
Internet Security

Maza Russian cybercriminal forum suffers data breach

March 7, 2021
NikolaNews

NikolaNews.com is an online News Portal which aims to share news about blockchain, AI, Big Data, and Data Privacy and more!

What’s New Here?

  • Podcast: Non-Binding Guidance: FDA Regulatory Developments In AI And Machine Learning – Food, Drugs, Healthcare, Life Sciences March 8, 2021
  • Here’s an adorable factory game about machine learning and cats March 8, 2021
  • How Machine Learning Is Changing Influencer Marketing March 8, 2021
  • Video Highlights: Deep Learning for Probabilistic Time Series Forecasting March 7, 2021

Subscribe to get more!

© 2019 NikolaNews.com - Global Tech Updates

No Result
View All Result
  • AI Development
    • Artificial Intelligence
    • Machine Learning
    • Neural Networks
    • Learn to Code
  • Data
    • Blockchain
    • Big Data
    • Data Science
  • IT Security
    • Internet Privacy
    • Internet Security
  • Marketing
    • Digital Marketing
    • Marketing Technology
  • Technology Companies
  • Crypto News

© 2019 NikolaNews.com - Global Tech Updates