  • Linux sudo flaw


    • This topic has 37 replies, 10 voices, and was last updated 1 month ago.
      • #2338250
        Susan Bradley
        Manager

        Over there on the “other” platform, Linux also needs to be updated this week. As bleepingcomputer notes, A now-fixed Sudo vulnerability allowed any lo
        [See the full post at: Linux sudo flaw]

        Susan Bradley Patch Lady

      • #2338293
        Ascaris
        AskWoody_MVP

        Already fixed on Ubuntu and derivatives. The update is dated January 19, 2021, though I don’t know if that means it was packaged and released that day. It was already installed when I first saw the news and checked.

        Group "L" (KDE Neon Linux 5.21.1 User Edition)

        1 user thanked author for this post.
        • #2338379
          Microfix
          AskWoody MVP

          @Ascaris that ties in with the CVE-2021-3156 record, given the time to notify and rectify the issue by developers of each distro.
          • #2338481
            Ascaris
            AskWoody_MVP

            That’s for the CVE date, but the date I was referring to was the Ubuntu sudo update date. I am not sure if there is a gap between the date listed in the changelog and the date it was actually rolled out to end users.

            Group "L" (KDE Neon Linux 5.21.1 User Edition)

            • #2341892
              rc primak
              AskWoody_MVP

              A little delay is normal for Ubuntu. Fedora updates are more swiftly rolled out to end users.

              -- rc primak

        • #2341889
          rc primak
          AskWoody_MVP

          Already fixed on Ubuntu and derivatives.

          Fedora as well.

          -- rc primak

          • This reply was modified 2 weeks, 6 days ago by rc primak.
      • #2338358
        Still Anonymous
        AskWoody Lounger

        This is an instructive caution about open source projects.  Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.

        On the other hand, once a flaw of this type is discovered, it’s something that can be fixed, and updates distributed relatively quickly. And for most major Linux distros, updates will show up in the various repositories, where they can quickly/easily be installed by normal package management processes.

        Quite a bit of contrast from Microsoft, often having to wait until the next Patch Tuesday (and risk of problems with other updates being bundled), or Apple’s no-communication approach of simply releasing an update package when they decide they’re ready. Or for that matter, most Windows packages where there’s a variety of update mechanisms ranging from silent/automatic update to Help -> Check for Updates to the need to visit a developer’s website to manually download and install.

        1 user thanked author for this post.
        • #2341893
          rc primak
          AskWoody_MVP

          Add to that Google’s own Android version of Linux, which often never gets updated on older devices.

          -- rc primak

          • This reply was modified 2 weeks, 6 days ago by rc primak.
      • #2338361
        anonymous
        Guest

        ? says:

        thank you for the notice, Susan.

        Commit Log for Tue Jan 26 15:00:08 2021
        Upgraded the following packages:
        sudo (1.8.31-1ubuntu1) to 1.8.31-1ubuntu1.2

        and does windows have “kernel updates?”

        Commit Log for Thu Jan 14 19:30:59 2021
        Upgraded the following packages:
        linux-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
        linux-headers-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23
        linux-image-generic-hwe-20.04 (5.8.0.36.40~20.04.21) to 5.8.0.38.43~20.04.23

        Installed the following packages:
        linux-headers-5.8.0-38-generic (5.8.0-38.43~20.04.1)
        linux-hwe-5.8-headers-5.8.0-38 (5.8.0-38.43~20.04.1)
        linux-image-5.8.0-38-generic (5.8.0-38.43~20.04.1)
        linux-modules-5.8.0-38-generic (5.8.0-38.43~20.04.1)
        linux-modules-extra-5.8.0-38-generic (5.8.0-38.43~20.04.1)

        thank you!

      • #2338387
        Fred
        AskWoody Plus

        This is an instructive caution about open source projects. Just because the source code can be viewed, doesn’t necessarily mean that it is being reviewed.

        just a “little” hole for about 10 years,
        https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt

        ~ ~ ~
        1 user thanked author for this post.
      • #2338398
        Charlie
        AskWoody Plus

        I am the only “local user” on my Linux computer which stays in my home all the time.  Do I need to worry about this?  I use sudo once in a while and it works just fine; will this update affect my ability to use sudo as I have in the past?

        1 user thanked author for this post.
        • #2338431
          mn–
          AskWoody Lounger

          The issue is only relevant to cases where there’s another user who is not supposed to be able to gain admin credentials.

          Unfortunately any number of things callable from the network can qualify for that if they can be made to call sudo with arbitrary command line arguments.

          And after the fix, sudo will work more correctly, though this only affects cases where you had things like file, directory or device names ending in a \ character that you’d use in sudo commands. (Remember, it’s not a path separator in Unix/Linux…)

          5 users thanked author for this post.
          • #2338435
            Charlie
            AskWoody Plus

            So is this fix really necessary for cases like mine where I’m the only one using or even knows how to use sudo?  I’m just concerned about installing any update that I don’t need, and having it mess up something that currently works just fine.

            2 users thanked author for this post.
            • #2338440
              mn–
              AskWoody Lounger

              By the principle of defense in depth, you do want this fix.

              Because if someone manages to be able to run shell commands as you some other way, say from a browser or email fault, they can get root credentials with this.

              And also, if you manage to end up with… say, file names… ending in the \ character (it’s allowed in file names just fine in Unix/Linux), running without the fix is somewhat unsafe even in full isolation.

              5 users thanked author for this post.
      • #2338399
        anonymous
        Guest

        My Ubuntu 20.04 kernel was also upgraded yesterday.  Usually it is upgraded every two weeks, but this time it was one week.

        • #2341897
          rc primak
          AskWoody_MVP

          This was a normal Update (Software Update) not necessarily needing a kernel update.

          -- rc primak

      • #2338433
        mn–
        AskWoody Lounger

        Oh and this is really not limited to Linux.

        While I haven’t seen any attempts at reproducing this on other operating systems, it’s not unlikely that sudo is affected across all of them.

        Sudo runs on all the BSDs I believe, and MacOS, AIX, HP-UX (both hppa and Itanium), Solaris (i386, x86-64 and Sparc), … and a bunch of other things. Wouldn’t be surprised to find it on Juniper routers for example (JunOS looks very BSD-like), or any number of embedded or integrated systems – VxWorks is POSIX enough that having a sudo on the NASA Mars rovers is not at all impossible.

        1 user thanked author for this post.
      • #2338447
        OscarCP
        AskWoody Plus

        How does  this work, given that “sudo”, by default, requires that the user enters the login password before being enabled to issue a line command with super user status?

        https://superuser.com/questions/67765/sudo-with-password-in-one-command-line

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        1 user thanked author for this post.
        • #2338451
          mn–
          AskWoody Lounger

          It works because sudo itself needs to run at elevated privileges to be able to grant privileges.

          1 user thanked author for this post.
          • #2338452
            OscarCP
            AskWoody Plus

            mn- Without the user password?

            Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

            • #2338457
              mn–
              AskWoody Lounger

              Actually, password checking may not need elevated privileges. Didn’t on older systems, back before “shadow” passwords… and in low-security environments you might still find such configurations. Inadvisable unless you really can’t help it, but…

              And… you know how sudo typically allows you to run a *second* command at elevated privileges without entering the password a second time if you’re quick enough? Yeah, that. It doesn’t stay in memory or anything, it just saves a marker in a file and checks that for time and session differences – and if those are good enough it elevates your privileges without asking for your password.

              Yes, this means that if you know where that file goes and have the privileges to write there, you can bypass the password prompt. (Then again in that case you already seem to have pretty much all the privileges, so…)

              1 user thanked author for this post.
      • #2338455
        anonymous
        Guest

        ? says:

        needs “root,” or elevated permission to run hence password required. my live distro doesn’t need elevated permission. you can go to your filesystem and search for “sudo,” then look at the file permission(s) to verify, or run ls -l in the terminal, see:

        Linux File Permission Tutorial: How to Check and Change Permissions

        1 user thanked author for this post.
      • #2338471
        OscarCP
        AskWoody Plus

        Well, from mn- and ? answers I gather that this might be a problem (so bad that nobody noticed it for nine years?) when: (1) there are multiple users in the same computer (and the bug in question might have a chance to make trouble) and, or (2) the distro of the Linux one is using is either very old, or the same one that ? uses and, or (3) one is exceptionally self-assured (always a problem) and, or (4) too laid-back between using “sudo” and doing something else … Then one might, just might, get into some kind of trouble. Or am I still missing (5) here?

        In any case, I am starting to feel definitely better about this. And it is going to get patched anyway, if it hasn’t been already.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)

        1 user thanked author for this post.
        • #2338477
          anonymous
          Guest

          Do all you can to do for making sure your computers are updated, even Apple might have released an update for this. Since Mint is derived from Ubuntu you should have already been offered the patched sudo. Hey let some people you know this one is important. 🙂

          2 users thanked author for this post.
      • #2338819
        Charlie
        AskWoody Plus

        Updated my Linux Mint laptop last night along with Firefox and a couple other updates.  Everything is working well.

        3 users thanked author for this post.
        • #2338870
          DrBonzo
          AskWoody Plus

          I updated 3 Mint 19.2 Cinnamon computers last night with FF 85, the 4.15.0-135 kernel, and the topic of this thread, the sudo patch. No issues.

          Also did the same on an Ubuntu 18.04 LTS except that for some reason FF 85 didn’t come through the Updater. No issues.

          1 user thanked author for this post.
          • #2339018
            Charlie
            AskWoody Plus

            It seems there have been a lot more Kernel updates in the past year.  I stopped at the 4.15.0-123 update because it had and has kept the lowest amount of Bugs (one).  I’ve checked and seen where newer Kernel updates have caused the finger pad and/or mouse to stop working, among other problems.

            Are the Kernel updates that necessary and important?

            Linux Mint Cinnamon 19.1

            1 user thanked author for this post.
            • #2339038
              anonymous
              Guest

              ? says:

              Charlie, for security. i use synaptic and set the repositories to “security only.” if you update through the terminal you can get security patches using:

              apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk -F " " {'print $2'} | xargs sudo apt-get install

              from the last comment in: “To update or not to update”
              https://forums.linuxmint.com/viewtopic.php?f=47&t=300959&sid=85aba05e21be86f1d06fdae3db7a7d12&start=20

              1 user thanked author for this post.
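The security-only filter from the post above, as an added example that is not part of the original post: it reads `apt-get -s dist-upgrade` output and keeps only packages whose candidate version comes from a `-security` archive, rather than matching "securi" anywhere on the line. The function names, the sample output and the package names `example-security-tools` and `example-editor` are constructed for illustration, and Ubuntu-style archive names (such as `focal-security`) are assumed.

```shell
#!/bin/sh
# Added example: select security upgrades from a simulated apt run.
# Assumption: Ubuntu-style archive names ending in "-security".

# Reads `apt-get -s dist-upgrade` output on stdin and prints the names of
# packages whose candidate version is published in a "-security" archive.
security_upgrades() {
    awk '
        $1 == "Inst" {
            # Source list is inside the parentheses:
            # (<new version> <origin>:<release>/<archive>, ... [<arch>])
            start = index($0, "(")
            if (start == 0) next
            src = substr($0, start)
            # Test the archive name only, never the package name.
            if (src ~ /\/[a-z]+-security/) print $2
        }
    '
}

# The filter as written in the post: any "Inst" line containing "securi",
# which also matches package names that merely contain that string.
naive_matches() {
    grep "^Inst" | grep -i securi | awk '{print $2}'
}

# Constructed sample of simulation output (not captured from a real system).
sample_simulation() {
    cat <<'EOF'
Reading package lists...
Inst sudo [1.8.31-1ubuntu1] (1.8.31-1ubuntu1.2 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst example-security-tools [1.0-1] (1.0-2 Ubuntu:20.04/focal-updates [all])
Inst linux-image-5.8.0-38-generic (5.8.0-38.43~20.04.1 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
Inst example-editor [2.0-1] (2.1-1 Ubuntu:20.04/focal-updates [amd64])
Conf sudo (1.8.31-1ubuntu1.2 Ubuntu:20.04/focal-updates, Ubuntu:20.04/focal-security [amd64])
EOF
}

echo "From a -security archive:"
sample_simulation | security_upgrades
echo "Matched by the plain grep:"
sample_simulation | naive_matches
```

On a Debian or Ubuntu system the real input would be `apt-get -s dist-upgrade | security_upgrades`, and the resulting list can be reviewed before anything is installed.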
              • #2339070
                Charlie
                AskWoody Plus

                Okay, but the Kernel updates I’m getting are coming through the Update Manager.  Are you referring to the Synaptic Package Manager?

              • #2339096
                anonymous
                Guest

                ? says:

                yes, the last kernel came through the synaptic package manager on the 27th (for ubuntu 16.04):

                Commit Log for Wed Jan 27 07:38:36 2021
                Upgraded the following packages:
                linux-generic (4.4.0.200.206) to 4.4.0.201.207
                linux-headers-generic (4.4.0.200.206) to 4.4.0.201.207
                linux-image-generic (4.4.0.200.206) to 4.4.0.201.207
                linux-libc-dev (4.4.0-200.232) to 4.4.0-201.233

                which is a security patch:

                https://packages.ubuntu.com/xenial/linux-image-generic

                (has “security,” at the tail end…

                 

                1 user thanked author for this post.
            • #2341899
              rc primak
              AskWoody_MVP

              As often as not, kernel updates fix driver and feature issues. They may contain security changes, but these changes also usually get offered for existing kernels. You do not need to run the latest Linux kernel for your distro if all your Software Updates are up to date.

              In fact, running a too-recent (upstream) kernel can break things. That’s why there are fall-backs like Recovery Mode (Linux Safe Mode) and the OEM kernel in the Grub Menu. I have had an SD Card Reader which Fedora’s upstream kernels have broken from time to time. This is on a Chromebook. But other more mundane configurations can also break.

              -- rc primak

              1 user thanked author for this post.
              • #2341910
                mn–
                AskWoody Lounger

                but these changes also usually get offered for existing kernels.

                … and this is exactly what was discussed above – security patches for the 4.4, 4.15, and such kernels.

                Upstream mainline is somewhere around 5.10 (released and umpteen patches on top of that already) / 5.11 (release candidates).

                1 user thanked author for this post.
              • #2341911
                Ascaris
                AskWoody_MVP

                Fedora is quite a bit different than the Ubuntu derivatives that most people use. Fedora will quite happily upgrade you to the latest kernel that has been released and remove the old ones, since it is only set to keep two previous versions. These new versions may well outpace any software you have that isn’t part of the Fedora distribution, as I found out when I was using Fedora (before I found the fix for KDE Connect, which KDE and Ubuntu had as yet not decided to fix). Fedora is known for its near bleeding edge update status.

                Ubuntu is a lot more conservative, especially with the LTS versions (which many derivative distros, like Mint, use as their base). If you’re using a LTS kernel, like 4.15 or 5.4, it won’t automatically upgrade to a new kernel until the old one stops receiving updates, which won’t happen until 5 years have passed since the first release.

                The releases within any one kernel version are bug fixes and backported security fixes, and it is usually a good idea to install them. Rarely, there is an issue with one of them that will make you want to go back, and it’s easy to do, as Ubuntu (and related) won’t delete the old ones by default as Fedora will. They’ll all still be there if you want them. All you have to do is choose the one you want at the GRUB menu (which will appear by default if you have more than one OS installed). You can then uninstall the old one and put a hold on further kernel updates if you wish.

                If you want a newer kernel version, you can move to the HWE or HWE-Edge stacks, which are also used by newer releases of Ubuntu LTS versions and their descendants (for example, Ubuntu 20.04.2 uses the HWE stack, providing the 5.8 kernel rather than the 5.4 LTS kernel that came with the original 20.04).

                The non-LTS kernel releases are supported for a shorter time than the LTS kernel and will (if you have the HWE stack metapackage installed) automatically roll over to the next supported version only when Ubuntu stops support for the old one. At some point, Ubuntu will stop updating 5.8, and at that time the HWE stack will roll over to whatever the next HWE kernel is at that point (which will be the kernel version they decide to use for whatever the next Ubuntu release is at that point in time).  It won’t happen for every point release version as with Fedora, and is much slower in pace.

                Kernel releases may sound scary, but they’re actually easier to revert than pretty much anything else if you don’t find the new one to be to your liking. You can, if you want, keep multiple kernels installed and boot to the one that suits what you are doing. I usually use 5.8 these days, but Veeam does not work with it, so I boot to 5.4 to use that.

                 

                Group "L" (KDE Neon Linux 5.21.1 User Edition)

                2 users thanked author for this post.
              • #2343802
                rc primak
                AskWoody_MVP

                We don’t usually talk about it, but a lot of Windows Cumulative Updates contain kernel updates.

                -- rc primak

      • #2342148
        anonymous
        Guest

        ? says:

        i’m glad the sudo hole was repaired! just received another kernel patch through synaptic package manager for ubuntu:

        Commit Log for Tue Feb  9 04:54:34 2021
        Installed the following packages:
        linux-headers-5.8.0-43-generic (5.8.0-43.49~20.04.1)
        linux-hwe-5.8-headers-5.8.0-43 (5.8.0-43.49~20.04.1)
        linux-image-5.8.0-43-generic (5.8.0-43.49~20.04.1)
        linux-modules-5.8.0-43-generic (5.8.0-43.49~20.04.1)
        linux-modules-extra-5.8.0-43-generic (5.8.0-43.49~20.04.1)

        and have the original 20.04 release kernel 5.4 onboard as well…

         

        2 users thanked author for this post.
        • #2343803
          rc primak
          AskWoody_MVP

          Yep, those are the ones I got too. Autoremove will take out the less secure older kernels. If not, the process gets tedious, but Ubuntu Cleaner (Janitor) is one tool which makes Ubuntu kernel cleanups easier. Or you can bang out the whole process with the Synaptic Package Manager.

          -- rc primak

      • #2343844
        anonymous
        Guest

        ? says:

        thank you for your reply, rc. i usually keep the original kernel that ships with a ubuntu lts iso as a fall back because i’ve had updated kernels refuse to boot. please pardon my facetiousness concerning windows kernels having updates…
