sudo 出了一个比较严重 bug,此问题后果严重,但是一般来说很难触发(配置不太常见)。1.8.28 修复
如果一个 sudoers 配置了以下 Runas 权限
alice = (ALL:!root) /path/to/bin
那么他可以使用 sudo -u#1234 id -u 以 UID 1234 执行命令。
但是,syscall setresuid(2)setreuid(2) 对于UID为-1(或者4294967295)有特殊处理并且不会更改 EUID,同时 sudo 本身运行在 root 下,会造成提权漏洞。
https://www.sudo.ws/alerts/minus_1_uid.html

消息来源: https://t.me/bupt_moe/788
Sudo
Potential bypass of Runas user restrictions
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient sudo privileges…
 
 
Back to Top