4

How can we disable sudo on CentOS 6 to prevent CVE-2021-3156?

We cannot remove RPMs or similar.

We can only change a configuration.

Do we have another fix for CVE-2021-3156 on CentOS 6, except disabling sudo?

Will we be able to execute su - after disabling sudo?

Peter Mortensen
Michael
  • 4
    CentOS stopped providing maintenance updates for CentOS 6 by November 30th, 2020. You also need to know that the CentOS project provides updates ONLY for the latest version of each major branch (that is 6.10 for CentOS 6), thus you are certainly vulnerable to other CVEs. You need to plan for an upgrade to CentOS 7, and that means installing a new CentOS 7 server and migrating all your data, services from CentOS 6 (no, there's no in-place upgrade, at least it is not supported by the CentOS project --> too many drastic changes, e.g. replacement of initd by systemd etc.). – cyzczy Jan 28 '21 at 10:46
  • 1
    An updated package is available which resolves the issue for Scientific Linux / CentOS / Other EL 6, code below to download/install/check. `wget https://yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/getPackage/sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm` `rpm -Uvh sudo-1.8.6p3-29.0.2.el6_10.3.x86_64.rpm` `rpm -q --changelog sudo | grep CVE-2021-3156` – Darryl Feb 01 '21 at 17:19

3 Answers

6

How to disable sudo on CentOS 6 to prevent CVE-2021-3156?

`chmod 0644 /usr/bin/sudo` will effectively disable sudo for non-root users. It removes the setuid bit, so sudo will work as expected for scripts executed by root, but not for other users.

Do we have other fix for CVE-2021-3156 on CentOS 6 except disabling sudo?

Upgrade to a supported release. If you run CentOS 6 with untrusted local users, it's probably just a matter of time before a new local privilege escalation surfaces.

Will we be able to execute su - after disabling sudo?

Yes.

vidarlo
  • 4
    What I could also possibly suggest is that if you need non-root users to run `sudo` you could create a group, let's call it `need_sudo`, and change the group ownership on the `sudo` binary to that group, e.g. `chmod : neen_sudo /usr/bin/sudo`. You would chmod 750 on `sudo` + make sure that the setuid bit is set, e.g. `chmod u+s /usr/bin/sudo`. In such a way only root and members of that given group could use `sudo`, while users belonging to `others` would not be able to execute it at all. – cyzczy Jan 28 '21 at 16:58
0

An alternative to disabling sudo completely could be, as cyzczy suggested, removing execute for "other" users. The commands cyzczy suggested didn't work as is, so I've come up with the below:

chown root:wheel /usr/bin/sudo
chmod 4110 /usr/bin/sudo

The chown command changes the group of sudo to wheel, and the chmod command removes execute for "other" users but retains setuid and execute for owner and group. The result is that root and users in the wheel group can use sudo, while other users get permission denied.

[user@centos6_test ~]$ sudo sh -c 'chown root:wheel /usr/bin/sudo && chmod 4110 /usr/bin/sudo'
[user@centos6_test ~]$ sudo su - test_user
[test_user@centos6_test ~]$ sudoedit -s \\
-bash: /usr/bin/sudoedit: Permission denied

Warning: run these commands as root and test in another session, and be sure you know the root password so you can use "su -" in case you break sudo.

Martin
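
A way to check which of the permission-based mitigations from the answers above is in effect on a host, as an added example that is not part of the original posts. The function names are hypothetical and GNU `stat` (as shipped on CentOS) is assumed.

```shell
#!/bin/sh
# Added example: classify how exposed a setuid binary such as /usr/bin/sudo is,
# using only its mode bits. Function names are hypothetical (not from the page).

# Print the octal mode, following symlinks (sudoedit is a symlink to sudo).
file_mode() {
    stat -L -c '%a' "$1"    # assumption: GNU stat
}

# Prints one of:
#   disabled          - setuid bit is not set, so the binary cannot elevate
#   group-restricted  - setuid is set, but "other" has no execute bit
#   world-executable  - setuid is set and every local user can execute it
sudo_exposure() {
    mode=$(file_mode "$1") || return 2
    # Pad to four digits so the special-bits digit is always present.
    mode=$(printf '%04d' "$mode")
    special=$(printf '%s' "$mode" | cut -c1)
    other=$(printf '%s' "$mode" | cut -c4)
    # setuid is the 4 bit of the special digit; execute is the 1 bit of "other".
    if [ $(( $special & 4 )) -eq 0 ]; then
        echo disabled
    elif [ $(( $other & 1 )) -eq 0 ]; then
        echo group-restricted
    else
        echo world-executable
    fi
}

# Report on the local binaries, if they exist on this host.
for f in /usr/bin/sudo /usr/bin/sudoedit; do
    if [ -e "$f" ]; then
        echo "$f: $(sudo_exposure "$f")"
    fi
done
```

Re-run the check after any package operation that touches sudo, because installing or reinstalling the RPM restores the packaged mode and ownership.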
0

To fix it you need to go to the sudo site and download the RPM for CentOS 6 and then install it on your system:

https://www.sudo.ws/download.html

rumburak