Latest in Gear

Image credit: die-phalanx via Getty Images

One of Linux's most important commands had a glaring security flaw

Sudo fix my vulnerability.
1377 Shares
Share
Tweet
Share
Save

Sponsored Links

die-phalanx via Getty Images

If you've used the command line in Linux or a Unix-based platform like macOS, you're probably familiar with the "sudo" command -- it lets you run tasks with different (usually elevated) permissions than you'd otherwise have. It's powerful, but it was apparently too powerful until now. Developers have fixed a flaw in sudo that let you claim root-level access even if the configuration explicitly forbids it. So long as an intruder had enough access to run sudo in the first place, they could perform any action they wanted on a given machine.

The quirk revolved around sudo's treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don't exist in the password database, either, so the command won't require a password to use.

Linux users can update to a newer sudo package (1.8.28 or later) to fix the flaw. You might not be immediately vulnerable, as any attacker will need to have command line control over your system before they can even consider exploiting the flaw -- at that point, you probably have larger problems. Still, it's not entirely comforting to know that such an important command was vulnerable.

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Comment
Comments
Share
1377 Shares
Share
Tweet
Share
Save

Popular on Engadget

Readers weigh in on what makes the OnePlus 7 Pro a worthy contender

Readers weigh in on what makes the OnePlus 7 Pro a worthy contender

View
Magic Leap reportedly only sold 6,000 AR headsets in six months

Magic Leap reportedly only sold 6,000 AR headsets in six months

View
AI-powered Lego sorter knows the shape of every brick

AI-powered Lego sorter knows the shape of every brick

View
Researchers create bone-inspired 3D-printed building materials

Researchers create bone-inspired 3D-printed building materials

View
'Death Stranding' update will fix tiny, hard-to-read text

'Death Stranding' update will fix tiny, hard-to-read text

View

From around the web

Page 1Page 1ear iconeye iconFill 23text filevr