EEVblog Electronics Community Forum

Computing => Security => Topic started by: BU508A on January 27, 2021, 03:25:05 pm

Title: Buffer overflow in sudo
Post by: BU508A on January 27, 2021, 03:25:05 pm
There is a buffer overflow in sudo. I recommend to update it to the newest version.

https://www.sudo.ws/alerts/unescape_overflow.html (https://www.sudo.ws/alerts/unescape_overflow.html)
Title: Re: Buffer overflow in sudo
Post by: Ed.Kloonk on February 01, 2021, 08:01:48 am
There is a buffer overflow in sudo. I recommend to update it to the newest version.

https://www.sudo.ws/alerts/unescape_overflow.html (https://www.sudo.ws/alerts/unescape_overflow.html)

Or 'do' yourself a favor and run doas instead.

doas gives you root access without all the bloat that is in sudo that has features only for permission maniacs.

Title: Re: Buffer overflow in sudo
Post by: Halcyon on February 04, 2021, 01:36:38 am
Why bother changing to a whole new way of doing things when the problem has been fixed?
Title: Re: Buffer overflow in sudo
Post by: Ed.Kloonk on February 04, 2021, 02:41:22 am
Why bother changing to a whole new way of doing things when the problem has been fixed?

Most people just want to elevate to root. Both progs can do it but doas doesn't contain all the bloat that sudo does.

Title: Re: Buffer overflow in sudo
Post by: Nominal Animal on February 04, 2021, 01:29:10 pm
Why bother changing to a whole new way of doing things when the problem has been fixed?
Most people just want to elevate to root. Both progs can do it but doas doesn't contain all the bloat that sudo does.
It's good for there to be more than one way, and doas (https://flak.tedunangst.com/post/doas) has been designed to do almost all that sudo does.  "Just elevate to root" is how many end users use it, but its true purpose is to switch between differently-privileged user accounts.

Unfortunately, it hasn't been packaged for Debian or Debian derivatives yet, and actually needs a bit of work to work with Linux PAM.  Fortunately, OpenDoas (https://github.com/nholstein/OpenDoas) seems to be progressing nicely, although I haven't pored through the code myself.

(I've done quite a bit of work wrt. privilege separation via sudo, filesystem capabilities in Linux, and Apache SuEXEC mechanism.  They are rather large hammers for things that often could be done better (more securely and robustly) via other ways...  Just don't get me started on the assumptions of the Apache SuEXEC mechanism and how it propagates a nonsensical view of proper privilege separation for web services.)