I'm reviewing the /etc/sudoers file on a machine in response to CVE-2019-18634, a buffer-overflow vulnerability present in sudo. The bulletin on the sudo.ws website recommends the following mitigation:
If the sudoers file has pwfeedback enabled, disabling it by prepending an exclamation point is sufficient to prevent exploitation of the bug. For example, change:

Defaults pwfeedback

To:

Defaults !pwfeedback
However, upon reviewing the sudoers file, the configuration I see is what I presume is an implicit deny, where there is no mention at all of pwfeedback, which has sparked my curiosity.
What I've tried so far:
I have tested the behavior of sudo when pwfeedback is explicitly denied by adding Defaults !pwfeedback to the sudoers file as per the recommended mitigation, as well as when there is nothing added. As I would expect, there is no difference in behaviour. This appears to confirm my belief that (in this instance) anything not explicitly allowed is treated as implicitly denied.
My question:
Both solutions appear to solve the issue; removing Defaults pwfeedback from the sudoers file should work by itself, I think.
Is explicitly disabling a default in the sudoers file the same as not listing it at all?
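An added example, not part of the question above: a small POSIX sh check that reports whether a sudoers-style file leaves pwfeedback enabled, disabled, or unmentioned, applying the sudoers rule that a later Defaults entry overrides an earlier one. "unset" means the file says nothing and sudo's built-in default applies (off in upstream sudo, though some distributions ship it enabled in their stock sudoers). The sample files are constructed here for the demonstration; only unscoped Defaults lines are examined and #include/#includedir directives are not followed, so run it over every file sudo reads, including those under /etc/sudoers.d.

```shell
#!/bin/sh
# Report the pwfeedback state declared by one sudoers-style file.
# Scoped forms (Defaults:user, Defaults@host, Defaults!cmd, Defaults>runas)
# and #include/#includedir directives are deliberately ignored here.
pwfeedback_state() (
    # $1: path to a sudoers-style file. Prints one of: enabled | disabled | unset
    set -f                       # no globbing while word-splitting raw lines
    state=unset
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}         # drop trailing comments
        set -- $line             # split on blanks (tabs included)
        [ "${1:-}" = Defaults ] || continue
        shift
        # Options are comma-separated; later entries override earlier ones,
        # as they do in sudoers, so the last mention wins.
        for opt in $(printf '%s' "$*" | tr ',' ' '); do
            case $opt in
                pwfeedback)   state=enabled ;;
                '!pwfeedback') state=disabled ;;
            esac
        done
    done < "$1"
    printf '%s\n' "$state"
)

# Constructed sample files (temporary, not real system sudoers).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/shipped-enabled" <<'EOF'
Defaults    env_reset
Defaults    pwfeedback
root    ALL=(ALL:ALL) ALL
EOF
cat > "$SAMPLES/mitigated" <<'EOF'
Defaults    env_reset,pwfeedback   # as shipped
Defaults    !pwfeedback            # advisory mitigation appended later
EOF
cat > "$SAMPLES/unmentioned" <<'EOF'
Defaults    env_reset
Defaults:alice    !pwfeedback      # scoped to one user, so not counted here
EOF

for f in shipped-enabled mitigated unmentioned; do
    printf '%s: %s\n' "$f" "$(pwfeedback_state "$SAMPLES/$f")"
done
```

Expected output: shipped-enabled reports enabled, mitigated reports disabled, and unmentioned reports unset.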