All Blogs Go to Heaven

sudo -u#-1 killallhumans

Published: Oct. 15, 2019, 4:31 p.m.

Edited: Oct. 15, 2019, 5:10 p.m.


EVERYONE FREAK OUT

tl;dr actually, don't worry, but maybe a little


There's a bug with sudo that could potentially cause very serious problems... but it probably won't unless your system is set up in a very particular way. In short, if you're allowed to run as any user, you can run with the user id -1 (or 4294967295) which doesn't actually exist and the system will allow you to run as root (0) instead.


Obviously, no user should be able to trick the system into letting them run as root, so this is scary... however, it only works if you are granted access to run a program in the sudoers file using the keyword ALL.


In the example sudoers file entry below the user mountaindrew is allowed on host "thiscomp" to run the program at /bin/killallhumans as any user:

mountaindrew thiscomp=(ALL) /bin/killallhumans

The "ALL" in parentheses gives the sysadmin the option to determine who you may impersonate on a system. Well, this seems a lot less scary. If I'm allowed to run as any user, then I'm allowed to run as root, so why would I go through the trouble of tricking the system into letting me do something I am allowed to do anyway?


In the following sudoers file entry example, everything is the same as above except user mountaindrew is not allowed to run as root.

mountaindrew thiscomp=(ALL, !root) /bin/killallhumans

So this system, which allows mountaindrew to run as any user other than root, is vulnerable to an attack where that user attempts to run as user -1 (or 4294967295). Not being a valid user id, it will be reset to 0, which is root, and the program killallhumans runs as root. Despite the ominous name, it just searches Google for images of Terminator.
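To check whether a sudoers file has any entries of this shape, here is an added audit sketch (not from the original post or the sudo project). It flags rules whose run-as user list grants ALL and also negates an entry; the `!#0` and Runas_Alias cases go beyond the post's single example, and the names bender, fry, leela, wheel and NOTROOT are constructed sample values.

```python
import re

# Constructed sample; the two mountaindrew lines are the entries from the post.
SAMPLE_SUDOERS = """\
# constructed sample sudoers content
Runas_Alias NOTROOT = ALL, !root
mountaindrew thiscomp=(ALL) /bin/killallhumans
mountaindrew thiscomp=(ALL, !root) /bin/killallhumans
bender thiscomp=(ALL, !#0 : wheel) NOPASSWD: /bin/killallhumans
fry thiscomp=(NOTROOT) /bin/killallhumans
leela thiscomp=(fry, bender) /bin/killallhumans
"""

ALIAS = re.compile(r"^Runas_Alias\s+(\w+)\s*=\s*(.+)$")
RUNAS = re.compile(r"\(([^)]*)\)")  # text inside each (...) run-as spec


def is_all_minus_something(users, aliases):
    """True if a run-as user list grants ALL and also negates an entry."""
    items = []
    for item in (u.strip() for u in users.split(",")):
        items.extend(aliases.get(item, [item]))  # expand one level of Runas_Alias
    return "ALL" in items and any(i.startswith("!") for i in items)


def audit(text):
    """Return (line number, rule) for rules shaped like (ALL, !root)."""
    lines = text.splitlines()
    aliases = {}
    for line in lines:  # first pass: collect simple one-per-line Runas_Alias definitions
        m = ALIAS.match(line.strip())
        if m:
            aliases[m.group(1)] = [i.strip() for i in m.group(2).split(",")]
    findings = []
    for number, line in enumerate(lines, 1):
        rule = line.strip()
        if not rule or rule.startswith("#") or ALIAS.match(rule):
            continue  # skip blanks, comment lines and alias definitions
        for runas in RUNAS.findall(rule):
            users = runas.split(":", 1)[0]  # anything after ':' is the group list
            if is_all_minus_something(users, aliases):
                findings.append((number, rule))
                break
    return findings


if __name__ == "__main__":
    for number, rule in audit(SAMPLE_SUDOERS):
        print(f"line {number}: {rule}")
```

It does not follow include directives or backslash line continuations, so run it over each sudoers file and drop-in separately.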


At the end of the day, there's not much to worry about. The vulnerability has been fixed (at least for Ubuntu, Debian, and CentOS; Arch users can just fix it themselves). Even before being fixed, it only affected an unlikely situation. However, it's still scary to find a situation where an error defaults to full control. This is the sort of thing that makes me wish I were a hunter gatherer and only needed to worry about disease, lack of food, or a slightly larger band of hunter gatherers coming by and wiping out my group completely... simpler times.


For the real details:
sudo home
Google


edit: 429496729 changed to 4294967295