A Sudo vulnerability has been discovered that lets users who are not authorised to do so run commands as root

A vulnerability was recently found in Sudo that allows the security policy on Linux-based distributions to be bypassed: it can let a user run commands as the root user even when root access has been explicitly denied to that user. The critical flaw was discovered by Joe Vennix of Apple Information Security.

The vulnerability has already been fixed, and the patch prevents serious consequences on Linux systems. Even so, the Sudo vulnerability was a danger only to a small share of Linux users, according to Todd Miller, software developer and senior engineer at Quest Software and maintainer of the open-source project "Sudo".

«Most Sudo configurations are not affected by the bug. Non-enterprise home users are unlikely to be affected at all.»

By default in most Linux distributions, the ALL keyword in the RunAs specification of the /etc/sudoers file allows users in the admin or sudo group to run any command on the system as any user.

However, because privilege separation is one of the fundamental security paradigms in Linux, administrators can configure the sudoers file to define precisely who is allowed to do what (that is, to run a specific command, and as which users).

The new vulnerability, CVE-2019-14287, lets a user or a malicious program with sufficient sudo privileges perform actions or run arbitrary code as root (the superuser) on the target system even when the sudoers configuration does not permit that access.

An attacker can exploit the vulnerability by passing the user ID "-1" or its unsigned equivalent "4294967295", because the function that converts a user ID to a user name treats both of these values as 0, which is always the user ID of root.

Suppose you have configured user "X" as a sudoer on the server mybox so that X may run a command as any other user, but not as root: "X mybox = (ALL, !root) /usr/bin/command".

You trust X to look after the files and activities of other users, but X does not have superuser access.

This should allow user "X" to run the command as anyone except root. However, if X runs "sudo -u#-1 id -u" or "sudo -u#4294967295 id -u", X can bypass the restriction and run the command of their choice as root.

Also, because the ID given with the -u option does not exist in the password database, no PAM session modules will be run. The sudo project's advisory adds that commands run this way are logged with the target user shown as 4294967295 rather than root, which is the thing to look for when auditing logs.

The vulnerability affects only sudo configurations whose Runas user list explicitly excludes root. Root can be named in other ways too: by user ID, as in "user ALL = (ALL, !#0) /usr/bin/command", or through a Runas alias. The sudo project's advisory also notes that the bypass requires the ALL keyword to be listed first in the Runas specification, ahead of the exclusion.

So in the specific case where you are allowed to run a command as any other user except root, the vulnerability can still let you bypass that security policy and take full control of the system as root.

The vulnerability affects all Sudo versions prior to the just-released 1.8.28, which will be shipped as an update for the various Linux distributions shortly.
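The following Python script is added here as an illustration; it is not code from the article or from the sudo project. It audits a sudoers excerpt for the Runas lists the article describes as affected (root excluded by name, by user ID, or through a Runas_Alias), flags a sudo version string older than the fixed 1.8.28 release, and shows why -1 and 4294967295 are the same user ID. The sudoers content and version strings are constructed for the example; the remark that this value is also the "leave unchanged" sentinel of setresuid(2) is background knowledge, not something the article states.

```python
import re

# Added example, not code from the article or the sudo project.  It audits a
# sudoers excerpt for the Runas lists the article says CVE-2019-14287 affects,
# checks a sudo version string against the fixed release 1.8.28, and shows why
# "-1" and "4294967295" are the same uid.  SAMPLE_SUDOERS is constructed.

SAMPLE_SUDOERS = """\
Defaults        env_reset
Runas_Alias     NONROOT = ALL, !root
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
X       mybox = (ALL, !root) /usr/bin/command
bob     ALL = (ALL, !#0) /usr/bin/less
carol   ALL = (NONROOT) /usr/bin/vim
dave    ALL = (ALL) /usr/bin/id
"""

# uid_t is an unsigned 32-bit integer on Linux, so -1 and 4294967295 are one
# value: the "leave this id unchanged" sentinel of setresuid(2).  A sudo that
# accepted it therefore never left its own uid 0.
UID_T_MASK = 0xFFFFFFFF

def as_uid_t(value: int) -> int:
    """Reduce a Python integer to the uid_t the kernel would see."""
    return value & UID_T_MASK

def runas_arg_triggers_bug(arg: str) -> bool:
    """True for a `sudo -u` argument such as "#-1" or "#4294967295"."""
    if not arg.startswith("#"):
        return False  # a plain name is resolved through the passwd database
    try:
        return as_uid_t(int(arg[1:], 10)) == UID_T_MASK
    except ValueError:
        return False

ALIAS_RE = re.compile(r"^\s*Runas_Alias\s+(\w+)\s*=\s*(.+?)\s*$")
RUNAS_RE = re.compile(r"\(\s*([^)]*?)\s*\)")
SKIP_RE = re.compile(r"^\s*(#|$|Defaults\b|\w+_Alias\b)")

def _split_list(text: str) -> list:
    return [t.strip() for t in text.split(",") if t.strip()]

def parse_runas_aliases(sudoers: str) -> dict:
    """Map each Runas_Alias name to the tokens it stands for."""
    aliases = {}
    for line in sudoers.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))
    return aliases

def expand_runas(tokens: list, aliases: dict, seen=frozenset()) -> list:
    """Replace alias references (negated or not) by their members, recursively."""
    out = []
    for tok in tokens:
        negated, name = tok.startswith("!"), tok.lstrip("!")
        if name in aliases and name not in seen:
            for m in expand_runas(aliases[name], aliases, seen | {name}):
                out.append((m[1:] if m.startswith("!") else "!" + m) if negated else m)
        else:
            out.append(tok)
    return out

def excludes_root(runas_tokens: list) -> bool:
    """The pattern the article describes: root negated by name or by uid."""
    return any(t in ("!root", "!#0") for t in runas_tokens)

def find_affected_specs(sudoers: str) -> list:
    """(user, expanded Runas list) for every spec whose Runas list excludes root."""
    aliases = parse_runas_aliases(sudoers)
    hits = []
    for line in sudoers.splitlines():
        m = RUNAS_RE.search(line)
        if SKIP_RE.match(line) or not m:
            continue  # comments, Defaults, aliases, or no Runas list (root only)
        users_only = m.group(1).split(":")[0]  # drop a trailing Runas group list
        expanded = expand_runas(_split_list(users_only), aliases)
        if excludes_root(expanded):
            hits.append((line.split()[0], expanded))
    return hits

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
FIXED_IN = (1, 8, 28, 0)  # sudo 1.8.28 is the first release with the fix

def parse_sudo_version(text: str) -> tuple:
    """Turn "1.8.27p1", or the first line of `sudo --version`, into a tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_is_vulnerable(text: str) -> bool:
    return parse_sudo_version(text) < FIXED_IN

if __name__ == "__main__":
    print(find_affected_specs(SAMPLE_SUDOERS), version_is_vulnerable("Sudo version 1.8.27"))
```

On a real host, pass the contents of /etc/sudoers (and of each file under /etc/sudoers.d) to find_affected_specs and the first line of `sudo --version` to version_is_vulnerable. Specs with no Runas list are skipped because sudo then permits the command as root only, so there is no root exclusion to bypass; a line such as "X mybox = (ALL, !root) /usr/bin/command" is reported with its expanded Runas list, which is the shape of rule the article warns about.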

Since the attack depends on a specific use of the sudoers configuration file, it should not affect a large number of users.

Even so, all Linux users are advised to update the sudo package to the latest version as soon as possible.

The developers released the Sudo patch a few days ago. However, because it has to be packaged for each Linux distribution and distributed through the hundreds of Linux communities that maintain Linux-based systems, the package may take a few more days to reach some of them.

If you want to know more about it, you can consult the following link.

