Shulou(Shulou.com)06/01 Report--

This article analyzes "how to upgrade the current sudo version of Linux system". The content is detailed and easy to understand, and friends who are interested in "how to upgrade the current sudo version of the Linux system" can follow the editor's train of thought to read it in depth. I hope it will be helpful to everyone after reading. Let's learn more about "how to upgrade the current sudo version of the Linux system" with the editor.

Scenario 1: users do not have permission to execute root commands after ordinary users log in to shell, if they do not have the permission to access a file or execute a command, if the user is authorized by root, they can add sudo before the command to be executed, temporarily switch to the permissions of the root user, and complete the relevant operations. Before sudo was written around 1980, the general way of managing the system was to use su to switch to superuser. But one of the disadvantages of using su is that you have to tell the superuser's password first, while sudo allows the average user to gain privileges without knowing the superuser's password.

So which users can get root permission temporarily? This requires configuration in the / etc/sudoers file:

Authorization to a single user: in the above example:

Guohl: allow the user name of sudo ALL: allow the use of sudo (ALL) from any terminal (any machine): allow sudo commands to be executed with any user ALL: allow sudo authority to execute any command 1234 if we want user test to execute / bin/chown and / bin/chmod commands only on the local host (hostname guohl-pc) under the root account, then it should be configured like this: similar to authorizing a single user Just change the user name here to the% group name, and all users in this group are authorized according to this rule. For this example, all users in the sudo group have permission to execute any command (third ALL) on any terminal (the first ALL), as any user (the second ALL), and look at the / etc/group file to know which users belong to the sudo group.

For example:

If the current account is granted sudo permission in the / etc/sudoers file, you can use the root permission to execute any root command as an argument to the sudo command. For example, mounting a file system can only be performed by root, but an ordinary user can also mount it using sudo: the first use will require you to enter the current user's password, the system does enter the correct password to execute the mount command with root authority, and then use the sudo command again for a period of time (the default is 5 minutes) and you do not need to enter a password.

Scenario 2: forget to use sudo after editing vim

We often encounter such an embarrassing situation: use vim to edit a file, after editing, press ESC to return to normal mode, and then press: wq to save exit, found that there is no permission to modify the file, we forgot to add sudo in front of us when using the vim command. I often have this problem, the previous practice is not to save the forced exit, plus sudo re-editing.

But in the future, we no longer need to use such a stupid approach, we can in the normal mode of vim, press: W! sudo tee%, so you can root permission to save the file, you do not have to forget to add a sudo and frustrated!

Scenario 3: when we execute the root command and forget to add sudo, we will encounter a slightly better situation: enter a long command, press Enter and then have no permission to operate, because we forgot to add sudo. What most people do is press ↑ to go back to the previous command, add sudo before the command, and then execute the command.

In the future, we don't have to do this anymore, just type sudo! That's it, here! Stands for the previous order. Such as:

Scenario 4: how to use shell built-in commands sudoshell is an interactive application that creates a child process through fork when executing external commands, and then executes through exec programs that load external commands, but if a command is a shell built-in command, it can only be run directly by shell. Sudo means to fork a process with the privileges of another user (such as root), load the program and run it, so sudo cannot be followed by shell's built-in command, such as: in this case, we do not have a password for our root account, how can we execute this command? One way to do this is to use sudo to get permission for root shell, and then execute the command in root shell. It is easy to enter root shell, enter sudo bash to confirm the user's password, and you will find that the command prompt shows that it is currently root. Once you have root shell, you can execute any command without typing sudo before each command.

In addition, the commonly used shell built-in commands are briefly introduced here. We can use the type command to check the type of command, such as: in this case, we do not have a password for the root account, how can we execute the command? One way to do this is to use sudo to get permission for root shell, and then execute the command in root shell. It is easy to enter root shell, enter sudo bash to confirm the user's password, and you will find that the command prompt shows that it is currently root. Once you have root shell, you can execute any command without typing sudo before each command.

In addition, the commonly used shell built-in commands are briefly introduced here, and we can use the type command to see the types of commands, such as:

Scenario 5: sudo operation logging as an administrator of the Linux system, not only can specified users or user groups run certain commands as root users or other users, but also the commands and parameters entered by the specified users can be recorded in detail. The log function of sudo allows users to track commands entered by users, which can not only improve the security of the system, but also be used for troubleshooting. But there are some simple configurations needed to log sudo: resources:

Sudo mannual 7 Linux sudo Command Tips and Tricks sudo log configuration 2. Upgrade the official website of sudosudo under Linux reveals a high-risk vulnerability of the current sudo tool. The vulnerability number is CVE-2019-18634. Hackers can obtain the root permission of Linux through the tool (root has the highest permission of the Linux operating system). Sudo official website: https://www.baidu.com/link?url=uPPtTshELZs5FFJ9ZRoL7_TFdhQ2kUUFFaeRxc5O6ky&wd=&eqid=c8bdbe7c006e2eb9000000045e3ed4ca sudo is a widely used tool for Unix and Linux operating systems. This vulnerability is a stack buffer overflow bug, which is easily exploited in pwfeedback-enabled systems. This vulnerability makes it easy for unprivileged users to gain root privileges through buffer overflows, without requiring the attacker to have Sudo access.

Pwfeedback is not enabled by default in the upstream version of Sudo, but pwfeedback is enabled by default in downstream distributions such as Linux Mint and Elementary OS. The main affected version: from v1.7.1 to 1.8.25p1jiubuntu version is not affected by this vulnerability, the latest 1.8.31 has fixed this vulnerability, please update to the latest version in time.

1. Check to see if this vulnerability exists in your system.

1. Use the sudo-version command to view the version information of the current sudo.

$sudo-- version Sudo version 1.8.25p1Sudoers policy plugin version 1.8.25p1Sudoers file grammar version 46Sudoers pwfeedback O plugin version 1.8.25p12. Check whether pwfeedback is enabled via sudo-l. If the word "pwfeedback" exists, it means it is enabled, otherwise it is not enabled.

$sudo-l Matching Defaults entries for millert on linux-build:insults, pwfeedback, mail_badpass, mailerpath=/usr/sbin/sendmail User millert may run the following commands on linux-build: (ALL: ALL) ALL2. How to exploit this vulnerability 1. Versions prior to 1.8.26

By exploiting this vulnerability, users who do not need to log in have sudo privileges and can use pseudo terminals that cannot be written to pass an ultra-long string to sudo-k. The original text is The bug can be reproduced by passing a large input with embedded terminal kill characters to sudo from a pseudo-terminal that cannot be written to.

For example, using the socat utility and assuming the terminal kill character is set to control-U (0x15): $socat pty,link=/tmp/pty,waitslave exec: "perl-e'print ((\" A\ "x 100.chr (0x15)) x 50)'" & $sudo-S-k id

two。 In versions after 1. 8. 26, a very long string For sudo versions prior to 1. 8. 26, and on systems with uni-directional pipes, reproducing the bug is simpler. Here, the terminal kill character is set to the NUL character (0x00) since sudo is not reading from a terminal. This method is not effective in newer versions of sudo due to a change in EOF handling introduced in 1.8.26. $perl-e'print (("A" x 100.chr (0)) x 50)'| sudo-S-k id Password: Segmentation fault (core dumped)

3. Solution method

1. Temporary solution: modify the / etc/sudoers file, turn off the pwfeedback function, and put the following line in the file: Defaults pwfeedback

Change it to Defaults! pwfeedback, check our system.

2. Complete solution: upgrade the sudo of the system to the latest version 1.8.31 or above. two。 Download the latest installation package (1.8.28) wget http://www.sudo.ws/dist/sudo-1.8.28p1.tar.gz

3. Compile and upgrade the version of sudo # ls

[root@localhost / sudo-1.8.28p1] #. / configure-- prefix=/usr-- libexecdir=/usr/lib-- with-secure-path-- with-all-insults-- with-env-editor-- docdir=/usr/share/doc/sudo-1.8.28.p1-- with-passprmpt= "[sudo] password for% p:" & & make12

4. Installation

[root@localhost sudo-1.8.28p1] # make install & & ln-sfv libsudo_util.so.0.0.0 / usr/lib/sudo/libsudo_util.so.0 5. [root@localhost sudo-1.8.28p1] # sudo- version

Upgrade the version of sudo CVE-2019-14287:sudo permissions Bypass vulnerability Analysis and recurrence vulnerability Overview some users may know that if sudo is configured to allow users to run commands as arbitrary users through the ALL keyword defined in the Runas specification, then it will be possible for an attacker to execute malicious commands with root privileges by enacting user ID-1 or 4294967295. In fact, as long as the user's privileges are high enough, that is, the user with the highest sudo privileges, and the ALL keyword is defined in the Runas specification, they can run those root commands that are explicitly prohibited in the Runas specification, and commands that are run in this way have log entries that show a target user of 4294967295 instead of root. At the same time, the PAM session module will not run during the execution of the appropriate command.

The full name of Sudo is "superuserdo". It is a Linux system management instruction that allows users to run applications or commands with the privileges of other users without switching environments. Commands are typically run as root users to reduce login and administration time for root users and to improve security. On October 14, 2019, Sudo officially released Sudo version 1.8.28, which included a patch fix for the sudo root privilege bypass vulnerability (CVE-2019-14287). The vulnerability CVE number assigned by CVE ID CVE to this vulnerability is CVE-2019-14287. Vulnerability detail analysis in general, the Runas specification (/ etc / sudoers) of most Linux distributions is shown in the following figure, where the defined ALL keyword allows a user in the admin or sudo group to run a command as any user in the target system: if the vulnerability is to be exploited, the user needs to have sudo privileges and allow the user to run the command using any user ID. In general, this means that the user's sudoer entry defines a special all value in the Runas specification. If sudoer policy allows, sudo supports running commands with a user name or user ID specified by the user. For example, the following sudoer entry allows us to run the id command as any user because it includes the ALL keyword in the Runas specification. Alice myhost = (ALL) / usr/bin/id in addition to running the id command as any valid user, we can also run the command as any user ID, where we need to use the # uid statement: sudo-user 1234 id-u this command will return "1234". However, sudo can use two system calls, setresuid (2) and setreuid (2), to modify the user ID before the command runs and change the user ID to-1 (or the unsigned equivalent user ID-4294967295): sudo-uplink 1 id-u or sudo-uplink 4294967295 id-u will return "0" after the above command runs. This is because the sudo command itself is already running as user ID "0", so nothing changes when sudo tries to change user ID to "- 1". However, the command running user's ID recorded in the sudo log entry is "4294967295", not the root user (or user ID is "0"). In addition, because the user ID is specified through the-u option and is not stored in the password database, the PAM session module will not run. If the sudoer entry allows the user to run commands (not root) as any user, then an attacker can exploit this vulnerability to bypass this restriction. For example, we have the following sudoer entry: bob myhost = (ALL,! root) / usr/bin/vi user bob can run the command vi as any user other than root, but because of this vulnerability, bob can actually run the vi command with root privileges with the following command And bypass the security policy in the target system: sudo-uplink vi this vulnerability exists only if the sudoer entry containing the ALL keyword exists in the Runas specification. For example, if the specification contains the following sudoer entry, the target system will not be affected by this vulnerability: alice myhost = / usr/bin/id in the above example, alice can only run id commands with root privileges, and any attempt to run the command as a different user will be rejected. Screenshot of attack scenario: vulnerability recurrence screenshot: affected Sudo version number vulnerability repair Sudo v1.8.28 has fixed this vulnerability. It is recommended that Linux users manually update the sudo package to the latest version as soon as possible.

The versions of Linux are: Deepin, UbuntuKylin, Manjaro, LinuxMint, Ubuntu and so on. Among them, Deepin is one of the best-developed Linux distributions in China; UbuntuKylin is a derivative release based on Ubuntu; Manjaro is a Linux release based on Arch; LinuxMint's default Cinnamon desktop is similar to Windows XP's easy-to-use; Ubuntu is the Linux operating system based on desktop applications.

On how to upgrade the current sudo version of the Linux system is shared here, I hope that the above content can make you improve. If you want to learn more knowledge, please pay more attention to the editor's updates. Thank you for following the website!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.