Vulnerability discovered in Sudo allows unauthorized users to run commands as root

A vulnerability was recently discovered in Sudo that allows the security policy on Linux-based distributions to be bypassed: it can let a user execute commands as the root user even when root access has been explicitly denied to them. The flaw was discovered by Joe Vennix of Apple Information Security.

The vulnerability has already been fixed, and the patch prevents serious consequences on Linux systems. However, according to Todd Miller, software developer and senior engineer at Quest Software and maintainer of the open source "Sudo" project, it poses a threat only to a narrow segment of Linux users.

"Most Sudo configurations are not affected by the bug. Non-enterprise home users are unlikely to be affected at all."

By default on most Linux distributions, the ALL keyword in the RunAs specification of the /etc/sudoers file allows users in the admin or sudo groups to execute any command on the system.

However, because privilege separation is one of the fundamental security paradigms in Linux, administrators can configure the sudoers file to define exactly who is allowed to do what (for example, to run one specific command).

The new vulnerability, CVE-2019-14287, lets a user or malicious program that already holds some sudo privileges execute arbitrary commands or code as root (the superuser) on the target system, even when the sudoers configuration explicitly denies root access.

An attacker can exploit this by specifying the user ID "-1" or "4294967295" (the same value read as an unsigned 32-bit number). Neither value equals root's ID 0, so the exclusion of root in the policy does not match; yet the system call sudo uses to switch to the target user treats -1 as "leave the user ID unchanged", so the command ends up running with the ID sudo already holds, 0, which is the superuser.

Suppose user "X" is configured as a sudoer on the server mybox so that they can run a command as any other user except root: "X mybox = (ALL, !root) /usr/bin/command".

You may trust X to keep an eye on other users' files and activities, but they are not supposed to have superuser access.

This allows user "X" to execute the command as anyone other than root. However, if

In addition, because the user ID specified with the -u option does not exist in the password database, no PAM session modules are run.

The vulnerability only affects sudo configurations whose Runas user list contains the ALL keyword together with an exclusion of root. Root can be excluded in other ways as well, and these are equally affected: by numeric user ID, as in "user ALL=(ALL, !#0) /usr/bin/command", or by reference to a Runas alias.

So, in the specific scenario where you are allowed to run a command as any user except root, the vulnerability can still let you bypass this security policy and take full control of the system as root.
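To make the bypass concrete, here is an added model in Python (illustrative code, not sudo's source and not part of the original article) of the two facts the bug depends on: the Runas check compares the requested numeric ID against the IDs the rule excludes, and the kernel's setresuid() treats the ID -1 (0xFFFFFFFF as an unsigned 32-bit uid_t) as "leave unchanged". The tiny user database, the subset of sudoers syntax handled and the fixed/unfixed switch are assumptions made for the illustration; it covers both the "!root" and the "!#0" spelling of the exclusion.

```python
"""Model of the sudo Runas check that CVE-2019-14287 bypasses.

Added illustration only: this is not sudo's source code. It mirrors two
facts from the advisory: "sudo -u#N" is checked against the uids the Runas
list excludes, and setresuid() treats (uid_t)-1 as "do not change".
"""

UID_T_MAX = 0xFFFFFFFF  # uid_t is an unsigned 32-bit integer on Linux
ROOT_UID = 0

# Constructed minimal user database standing in for /etc/passwd (assumption).
PASSWD = {"root": 0, "daemon": 1, "alice": 1000, "bob": 1001}


def parse_runas(spec):
    """Parse a Runas list such as "ALL, !root", "ALL, !#0" or "bob".

    Returns (allow_any, allowed_uids, excluded_uids). Only the subset of
    sudoers syntax relevant to this bug is handled; aliases are not resolved."""
    allow_any = False
    allowed, excluded = set(), set()
    for item in (p.strip() for p in spec.split(",")):
        negate = item.startswith("!")
        name = item[1:].strip() if negate else item
        if name == "ALL":
            allow_any = not negate
            continue
        uid = int(name[1:]) if name.startswith("#") else PASSWD[name]
        (excluded if negate else allowed).add(uid)
    return allow_any, allowed, excluded


def parse_uid_option(arg, fixed):
    """Interpret the argument of "sudo -u"; "#N" selects a numeric uid.

    Vulnerable releases accept -1 and 4294967295 and store them as the
    uid_t value 0xFFFFFFFF; sudo 1.8.28 rejects both as an unknown user."""
    if not arg.startswith("#"):
        return PASSWD[arg]
    value = int(arg[1:])
    if fixed and value in (-1, UID_T_MAX):
        raise PermissionError("unknown user: " + arg)
    return value & UID_T_MAX


def setresuid(current_uid, requested_uid):
    """Kernel semantics: a requested id of (uid_t)-1 leaves the id unchanged."""
    return current_uid if requested_uid == UID_T_MAX else requested_uid


def run_as(runas_spec, u_arg, fixed=False):
    """Return the uid the command ends up running with, or raise PermissionError.

    runas_spec is the text inside the parentheses of the sudoers rule,
    u_arg the argument given to sudo -u, fixed selects 1.8.28 behaviour."""
    allow_any, allowed, excluded = parse_runas(runas_spec)
    target = parse_uid_option(u_arg, fixed)
    if target in excluded or not (allow_any or target in allowed):
        raise PermissionError("sudoers policy denies running as " + u_arg)
    # sudo is setuid root, so it still holds uid 0 at the moment it switches.
    return setresuid(ROOT_UID, target)


if __name__ == "__main__":
    rule = "ALL, !root"  # the "(ALL, !root)" rule from the article
    for arg, fixed in [("bob", False), ("#0", False), ("#-1", False),
                       ("#4294967295", False), ("#-1", True)]:
        version = "1.8.28" if fixed else "<1.8.28"
        try:
            uid = run_as(rule, arg, fixed)
            print(f"{version:8} sudo -u{arg:<12} -> runs as uid {uid}")
        except PermissionError as err:
            print(f"{version:8} sudo -u{arg:<12} -> denied ({err})")
```

Running the script shows `-u bob` becoming uid 1001 and `-u#0` being denied as the rule intends, while `-u#-1` and `-u#4294967295` slip past the exclusion and end as uid 0; with the 1.8.28 behaviour selected, the same arguments are rejected before any check on the rule is made.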

The vulnerability affects all Sudo versions before 1.8.28, which was released a few days ago and will soon be shipped as an update by the various Linux distributions.

Since the attack only works with a specific use of the sudoers configuration file, it should not affect a large number of users.

Nevertheless, all Linux users are advised to update the sudo package to the latest version as soon as possible.

The developers released the Sudo patch a few days ago. However, because it has to be packaged for each Linux distribution and distributed by the hundreds of Linux communities that maintain Linux operating systems, the package may take a few days longer to arrive for some distributions.
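Three quick checks a practitioner would want, as an added Python example that is not part of the original article: whether the version reported by `sudo -V` predates 1.8.28, whether a sudoers file carries a Runas list of the exploitable "(ALL, !root)" or "(ALL, !#0)" shape, and whether sudo's syslog lines record an attempt with the IDs -1 or 4294967295. The sudoers fragment and log lines are constructed samples in sudo's own formats; Runas aliases are not resolved.

```python
"""Offline checks for CVE-2019-14287 (added example, not from the article).

Run it against the real `sudo -V` output, /etc/sudoers and /var/log/auth.log
(or journalctl output) on a host; the samples below are constructed.
"""
import re

FIXED_VERSION = (1, 8, 28)

# Runas list of the shape the advisory describes: ALL first, then root
# excluded by name or by uid 0. Runas_Alias references are not resolved.
RUNAS_EXPLOITABLE = re.compile(r"\(\s*ALL\s*,\s*!\s*(?:root|#0)\s*\)")
# sudo logs the requested target as given, so an attempt carries one of
# the two ids the vulnerable parser accepts.
EXPLOIT_ATTEMPT = re.compile(r"\bUSER=#(?:-1|4294967295)\s*;")


def parse_sudo_version(sudo_v_output):
    """Return (major, minor, patch) from the first line of `sudo -V`,
    ignoring a 'pN' patch suffix such as in 1.8.27p1."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if m is None:
        raise ValueError("unrecognised sudo -V output")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(sudo_v_output):
    """True when the reported upstream version predates the fix in 1.8.28."""
    return parse_sudo_version(sudo_v_output) < FIXED_VERSION


def exploitable_sudoers_lines(sudoers_text):
    """Return non-comment sudoers lines whose Runas list is (ALL, !root) or (ALL, !#0)."""
    hits = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if RUNAS_EXPLOITABLE.search(stripped):
            hits.append(stripped)
    return hits


def exploit_attempts(log_text):
    """Return (invoking user, command) for each sudo log line that asked
    for uid -1 or 4294967295, whether or not the attempt succeeded."""
    found = []
    for line in log_text.splitlines():
        if "sudo:" not in line or not EXPLOIT_ATTEMPT.search(line):
            continue
        user = re.search(r"sudo:\s+(\S+)\s+:", line)
        cmd = re.search(r"COMMAND=(.*)$", line)
        found.append((user.group(1) if user else "?",
                      cmd.group(1).strip() if cmd else "?"))
    return found


# Constructed samples (not captured from a real host).
SAMPLE_SUDO_V = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# constructed sudoers fragment
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   mybox = (ALL, !root) /usr/bin/command
bob     ALL = (ALL, !#0) /usr/bin/vim
carol   ALL = (www-data) /usr/bin/systemctl restart nginx
"""
SAMPLE_AUTH_LOG = """\
Oct 14 10:42:01 mybox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=#-1 ; COMMAND=/usr/bin/command
Oct 14 10:42:31 mybox sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=bob ; COMMAND=/usr/bin/command
Oct 14 10:43:02 mybox sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/vim /etc/shadow
Oct 14 10:44:10 mybox sshd[1234]: Accepted publickey for carol from 10.0.0.5 port 51234 ssh2
"""

if __name__ == "__main__":
    print("version vulnerable:", version_is_vulnerable(SAMPLE_SUDO_V))
    for rule in exploitable_sudoers_lines(SAMPLE_SUDOERS):
        print("exploitable rule:", rule)
    for user, cmd in exploit_attempts(SAMPLE_AUTH_LOG):
        print(f"exploit attempt by {user}: {cmd}")
```

Distributions often backport the fix without changing the upstream version number, so treat the version check as a first pass and confirm on the host itself: on a patched sudo, `sudo -u#-1 id` is rejected with an "unknown user" error instead of printing uid=0. The log check is worth keeping after patching, since an attempt against a fixed sudo is still logged and still signals a user probing for privilege escalation.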

If you want to know more about it, you can consult the following link.

