
Fixing Sudo

Submitted by on January 28, 2021 – 11:53 am

A massive, decade-old and easy-to-exploit security hole (CVE-2021-3156) has been found in sudo, allowing any unprivileged system user to gain full root access. This is one of those rare security bugs you can’t delay remediating.

Patches have been released for most major current distros. Unfortunately, I still have some CentOS 6 servers that, following the surprise CentOS EOL announcement in December, I repointed to vault.centos.org for patches, and the needed sudo build is not available there at the moment.

However, the solution isn’t complicated: just uninstall sudo and install the precompiled binary from sudo.ws. Here’s what I did:

To confirm that the installed sudo version is affected, run the command below. If the error message starts with sudoedit:, you have a problem.

sudoedit -s /
# > sudoedit: /: not a regular file

Go to the developer’s site and download the appropriate compiled version for your distro; verify the download against the checksum or signature the site publishes before installing it. The version needs to be 1.9.5p2 (package release 1.9.5-3). For CentOS 6, I got this one.

I suggest you now log into your system as root directly (use the console if you must), since sudo will be gone between the two steps below; then uninstall your current version of sudo and install the one you just downloaded. In my case:

yum -y erase sudo
yum -y install sudo-1.9.5-3.el8.x86_64.rpm

Now re-run the sudoedit command; you should see the error message starting with usage:. If so, mission accomplished.

sudoedit -s /
# > usage: sudoedit [-AknS] [-r role] [-t type] [-C num] [-D directory] [-g group] [-h host] [-p prompt] [-R directory] [-T timeout] [-u user] file ...
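The two checks above, the sudoedit -s / heuristic and the 1.9.5p2 fixed-version cutoff, as POSIX shell functions so the same test can be scripted across many hosts instead of read by eye. This is an added example, not code from the original post; the version range 1.8.2 up to 1.9.5p1 is the one given in the CVE-2021-3156 advisory, and the --check flag is my own convention.

```shell
# Added example (not from the original post): CVE-2021-3156 checks as functions.

# Classify the first line printed by "sudoedit -s /".
# Per the post: a line starting "sudoedit:" means the bug is present,
# a line starting "usage:" means the binary has been patched.
classify_sudoedit_output() {
    case "$1" in
        "sudoedit: "*) echo vulnerable ;;
        "usage: "*)    echo patched ;;
        *)             echo unknown ;;
    esac
}

# Turn a sudo version such as 1.8.23 or 1.9.5p2 into a sortable integer:
# major*1000000 + minor*10000 + patch*100 + p-level.
sudo_version_key() {
    v=$1; plevel=0
    case "$v" in
        *p*) plevel=${v##*p}; v=${v%p*} ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + ${plevel:-0} ))
}

# "affected" for versions from 1.8.2 up to but not including the fixed 1.9.5p2
# (the range in the CVE-2021-3156 advisory), otherwise "fixed".
sudo_version_status() {
    key=$(sudo_version_key "$1")
    if [ "$key" -ge "$(sudo_version_key 1.8.2)" ] &&
       [ "$key" -lt "$(sudo_version_key 1.9.5p2)" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Live check of this host; only runs when invoked as "sh script.sh --check".
# "sudo -V" prints "Sudo version X.Y.Z" on its first line.
if [ "${1:-}" = --check ]; then
    first=$(sudoedit -s / 2>&1 | head -n 1)
    banner=$(sudo -V 2>/dev/null | head -n 1)
    ver=${banner#Sudo version }
    echo "sudoedit heuristic: $(classify_sudoedit_output "$first")"
    echo "sudo $ver: $(sudo_version_status "$ver")"
fi
```

The heuristic and the version check should agree; if only the heuristic reports vulnerable, the binary on disk is not the package you think it is.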
