A vulnerability discovered in Sudo lets users run commands as root

A vulnerability was recently discovered in Sudo that allows the security policy on Linux distributions to be bypassed, which can let a user run commands as the root user even when that root access has not been granted. The bug was found by Joe Vennix of Apple Information Security.

The vulnerability has already been fixed, and the patch prevents its consequences on Linux systems. However, the Sudo flaw is only a threat to a small segment of Linux users, according to Todd Miller, software developer and senior engineer at Quest Software and maintainer of the open source "Sudo" project.

«Most Sudo configurations are not affected by the bug. Non-business home users are unlikely to be affected at all.»

By default on most Linux distributions, the ALL keyword in the RunAs specification of the /etc/sudoers file allows users in the admin or sudo groups to run any command on the system.

However, since privilege separation is one of the fundamental security paradigms in Linux, administrators can configure the sudoers file to define exactly who is allowed to do what (run a particular command).

The new vulnerability, CVE-2019-14287, allows a user with sudo privileges, or a malicious program, to perform actions or execute arbitrary code as root (or superuser) on a target system, even when the sudoers configuration does not permit that access.

An attacker can exploit this by specifying the user ID "-1" or "4294967295", because the function responsible for converting the ID to a user name treats both of these values exactly like '0', which is the ID of the 'superuser'.

Suppose you have configured user "X" as a sudoer on the server to run commands as any user except root: "X mybox = (ALL, !root) /usr/bin/command".

You might trust X to monitor the files and activities of other users, but not to have superuser access.

This should allow user "X" to run commands as anyone except root. However, if X runs "sudo -u#-1 id -u" or "sudo -u#4294967295 id -u", the restriction can be bypassed and the chosen command runs as root.

Also, because the ID specified via the -u option does not exist in the password database, no PAM session modules will be run.

This vulnerability affects only sudo configurations that have a "Runas" user list that includes an exclusion of root. Root can also be identified in other ways: by its user ID with "user ALL = (ALL, !#0) /usr/bin/command", or by a reference to a Runas alias.

Therefore, in the specific scenario where you are allowed to run commands as any user except root, the vulnerability can let you bypass that security policy and take full control of the system as root.

The flaw affects all Sudo versions prior to the latest release, 1.8.28, which was published recently and will soon start arriving as an update for the various Linux distributions.
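The following audit helpers are an added example, not code from the article or from the sudo project. They tie together the points above from a defender's side: compare an installed sudo version string against the fixed release 1.8.28, scan sudoers-style text for Runas lists that exclude root (the only configuration the article says is affected), model why the uid values -1 and 4294967295 both collapse to uid 0 (a uid_t is unsigned 32-bit, and the "-1" sentinel tells setresuid() to leave the uid unchanged, so the root-owned sudo process stays root), and flag sudo log entries that record such a Runas target. The sudoers excerpt and log lines are constructed, and the `USER=#...` log field layout is an assumption about sudo's syslog format.

```python
"""Audit helpers for the sudo Runas bypass (CVE-2019-14287).
Added example; sample data is constructed, log format is assumed."""
import re

FIXED_VERSION = (1, 8, 28)  # first release carrying the fix, per the article
UID_NO_CHANGE = 0xFFFFFFFF  # (uid_t)-1: setresuid() treats it as "leave unchanged"


def parse_version(version):
    """'1.8.27p1' -> (1, 8, 27); a trailing patch level is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised sudo version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True for every version before 1.8.28."""
    return parse_version(version) < FIXED_VERSION


def kernel_uid(requested):
    """A uid_t is unsigned 32-bit, so -1 and 4294967295 are the same value."""
    return requested & 0xFFFFFFFF


def uid_after_setresuid(current_uid, requested):
    """sudo runs as root (uid 0). Passing (uid_t)-1 to setresuid() means
    'do not change', so the process keeps uid 0 instead of dropping it."""
    uid = kernel_uid(requested)
    return current_uid if uid == UID_NO_CHANGE else uid


# user  host=(runas_users[:runas_groups])  command
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$")


def runas_excludes_root(runas_spec):
    """True if the Runas user list contains '!root' or '!#0'."""
    users = runas_spec.split(":", 1)[0]  # text after ':' is the group list
    for tok in users.split(","):
        tok = tok.strip()
        if tok.startswith("!") and tok[1:].strip() in ("root", "#0"):
            return True
    return False


def find_affected_rules(sudoers_text):
    """Return (line number, rule) for every rule whose Runas list excludes root."""
    hits = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        # '#0' inside a Runas list is a uid, so only whole-line comments are skipped
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m and runas_excludes_root(m.group("runas")):
            hits.append((lineno, line))
    return hits


# Assumed log field: sudo records the Runas target as "USER=<name>" / "USER=#<uid>"
LOG_USER_RE = re.compile(r"\bUSER=#(-1|4294967295)\b")


def suspicious_log_lines(log_text):
    """Flag sudo log entries whose Runas target is uid -1 / 4294967295."""
    return [line for line in log_text.splitlines() if LOG_USER_RE.search(line)]


# Constructed sample data (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed sudoers excerpt
Defaults env_reset
%sudo   ALL=(ALL:ALL) ALL
X       mybox=(ALL, !root) /usr/bin/command
auditor ALL=(ALL, !#0) /usr/bin/less
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

SAMPLE_LOG = """\
Oct 15 10:22:01 mybox sudo:  X : TTY=pts/0 ; PWD=/home/X ; USER=#-1 ; COMMAND=/usr/bin/id
Oct 15 10:23:15 mybox sudo:  X : TTY=pts/0 ; PWD=/home/X ; USER=www-data ; COMMAND=/usr/bin/command
Oct 15 10:25:40 mybox sudo:  X : TTY=pts/0 ; PWD=/home/X ; USER=#4294967295 ; COMMAND=/usr/bin/id
"""

if __name__ == "__main__":
    print("sudo 1.8.27 vulnerable:", is_vulnerable_version("1.8.27"))
    for lineno, rule in find_affected_rules(SAMPLE_SUDOERS):
        print("affected rule at line %d: %s" % (lineno, rule))
    for line in suspicious_log_lines(SAMPLE_LOG):
        print("suspicious:", line)
```

On a real host you would feed `find_affected_rules` the output of `sudo -l` or the contents of /etc/sudoers and /etc/sudoers.d/*, and `is_vulnerable_version` the first line of `sudo -V`. A rule that the scan flags is exactly the "any user except root" policy the article describes, so the fix is either to upgrade to 1.8.28 or to rewrite the Runas list as an explicit allow-list of target users rather than "ALL minus root".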

Since the attack relies on a specific use case of the sudoers configuration file, it should not affect a large number of users.

Still, all Linux users are advised to update the sudo package to the latest version as soon as possible.

The Sudo developers released the patch several days ago. However, because it has to be packaged for each Linux distribution and distributed among the hundreds of Linux communities that maintain Linux operating systems, the package may take a few more days to arrive for some distributions.

If you want to know more about it, you can consult the following link.

