Hector Martin

Can we please stop talking about that sudo bug? It only affects systems using an insane configuration (allow $command as anyone *but* root). I can't come up with any situation where that configuration makes any sense (vs e.g. "allow $command as any member of a given group).

I wouldn't be surprised if the number of systems affected by the vuln that *aren't* already intrinsically vulnerable to nasty privescs because the configuration is a terrible idea when working as intended is, well, essentially 0.

Since people still don't understand the vulnerable config: you have to allow $someone to sudo into *ANY USER* (not one specifically, *ANY*), which means giving them root, and then add an *exception* to take root away (but still let them become *any* other user).

To illustrate why this is a ridiculous idea and gives you root anyway even if sudo didn't have the bug: 'adm' is a member of 'disk' which can write to raw block devices, so you can just sudo to 'adm' instead of root and edit the sudoers file, or give suid to /bin/sh.

this assumes there an adm user. [bts@cylon ~]$ grep adm /etc/passwd [bts@cylon ~]$

It's an example, I'm sure you can find your own root-equivalent user on your system if you go looking.

nope. this is typically added by certain distros; it's not universal. [bts@cylon ~]$ grep disk /etc/group disk:x:6:root [bts@cylon ~]$ grep disk /etc/passwd [bts@cylon ~]$