This question relates to a comment on a question I posted at https://askubuntu.com/questions/1426688/sudo-with-a-userid-reverting-old-behaviour?noredirect=1#comment2484447_1426688

Specifically, in Ubuntu 18.04 I could run a command like "sudo -u #2000 command" where user 2000 is not in the passwd file, but that does not work on Ubuntu 20.04 or 22.04. The first comment - by a well reputed user - says that this is a security hole, but does not give any reference, and I have subsequently found the man page (which I accept could be out of date) appears to contradict this.

Is/was there a security hole that has changed the operation of sudo in this respect? (I'm aware that there was a bug related to using #-1 which was fixed (I think CVE-2019-14287), but I'm not sure if this relates to that - it does not seem to).

Relatedly, assuming that I'm issuing the command as root so I can reduce my privileges, are there any security-related concerns with this behaviour? (I would assume not, as I already had root to begin with), but maybe I'm missing something?

davidgo
  • This seems like an XY problem. Why do you want to do this? In general, when you want to do something that others have identified as potentially malicious, there is good reason not to do it. – The one who tests Sep 01 '22 at 01:11
  • @Theonewhotests It's not an XY problem, and I don't know that anyone has identified it as potentially malicious. The SUDO man page even explicitly envisages this behavior. I want to do this because I don't want to maintain password files on my server for users that will never log in to the server or interact with it except through a (jailed) web instance. I want to do this because to do some maintenance, wpcli prefers - correctly - not to run as root, rather it should run as the owner of the wordpress web pages.... – davidgo Sep 01 '22 at 01:30
  • I have (hopefully temporarily) worked round this problem by creating a user, running wpcli, then removing the user. I know that I can maintain passwd files for each web server as another way to handle this. (In other words, I understand what is going on, I understand how I can work around it, so it's not an XY problem). What I don't understand is why the behaviour of SUDO has changed, and that's why I am posting here. – davidgo Sep 01 '22 at 01:33
  • You are aware you can create a user, which has no password and logins disabled, right? There is no benefit to using a non-existent user. – The one who tests Sep 01 '22 at 10:10
  • @Theonewhotests I am aware of that, and that is what I am using as my workaround. We disagree that there is no benefit to using a non-existent user. Not needing to keep a password file in sync when using an NFS storage across multiple devices would be one such example - not my usage case, but similar. None of this explains why the behavior of my new Ubuntu boxes is different to my old ones. – davidgo Sep 01 '22 at 10:30

0 Answers