Questions tagged [sudo]

`sudo` is a command that allows a user to use commands with the privileges of another user, usually the root user.

The difference with su is that su allows a user to become another user, and remain that user until they log out. sudo, by contrast, allows a user to execute one command with another user's privileges.

To use sudo, a user needs to enter their password, to once again verify that they are who they claim to be. Note that it is the user's own password, not the root password, that is required to use sudo.

On some systems, like Ubuntu, the root user is disabled by default, to prevent people from gaining root access by guessing the password. A user with the appropriate sudo privileges can then perform commands with root privileges by prefixing their command with sudo.

78 questions
7
votes
2 answers

Do sudo and .profile/.bashrc enable trivial privilege escalation?

First of all, let me mention that I’m assuming a configuration as set up by current Linux desktop distributions (e. g. Debian, Fedora). I’m sure that there are methods which, if implemented, would mitigate the issues described here. What I’m…
Socob
  • 215
  • 1
  • 5
7
votes
1 answer

Is an asterisk in sudo command specifications safe?

This suggests that to restrict a user to a specific command with sudo a line like `%web ALL=(ALL) /usr/bin/service apache2 *` can be used. This particular line would restrict the user to running the mentioned program /usr/bin/service with the…
Elias
  • 1,915
  • 1
  • 9
  • 17
6
votes
3 answers

What are the risks of making ether-wake available to all users?

The Linux ether-wake utility, which creates a magic packet to wake on lan another machine, requires root access: `$ether-wake 12:34:56:78:9A:BC` `ether-wake: This program must be run as root.` To give access to an arbitrary user would require either…
Mark Booth
  • 284
  • 4
  • 15
5
votes
2 answers

What are the security risks in leaving 'sudo' inside my production code?

I have a script that can only run successfully with root permissions. But in development it's really hard to run with root permissions (in my development environment) so I add 'sudo' whenever it's required inside the code and remove it before I push…
Ezra
  • 207
  • 1
  • 4
5
votes
1 answer

Is explicitly disabling a default in the sudoers file the same as not listing it at all?

I'm reviewing the /etc/sudoers file on a machine in response to CVE-2019-18634, a buffer-overflow vulnerability present in sudo. The bulletin on the sudo.ws website recommends the following mitigation: If the sudoers file has pwfeedback enabled,…
Joshua Murphy
  • 146
  • 16
5
votes
1 answer

Is it safe to use a unix pipe to redirect sensitive output data as input to another program?

I want to make a Node.js development server use HTTPS by giving it access to the contents of a TLS certificate and private key file. On the one hand, I don't like the idea of making the TLS private key file readable by anyone other than root. On the…
Will
  • 188
  • 7
5
votes
5 answers

Unix Privilege Escalation: "sudo must be owned by uid 0 and have the setuid bit set"

It seems protections are hardcoded into sudo that prevent the binary from executing as a low-privileged user. Running it in Ubuntu as a normal user returns the following error: "sudo must be owned by uid 0 and have the setuid bit set" Maybe this is…
user188691
  • 51
  • 1
4
votes
3 answers

How can we disable sudo on CentOS 6 to prevent CVE-2021-3156?

How can we disable sudo on CentOS 6 to prevent CVE-2021-3156? We cannot remove RPMs or similar. We can only change a configuration. Do we have another fix for CVE-2021-3156 on CentOS 6, except disabling sudo? Will we be able to execute su - after…
Michael
  • 1,457
  • 1
  • 18
  • 36
4
votes
1 answer

How can a bad process obtain root by waiting for a user to run a command as sudo?

A comment on this answer states: The whole linux desktop provides very little protection against bad processes running as the user. A bad process could just watch the keyboard input and wait for the user to run a command as sudo. The bad process…
Primusa
  • 143
  • 4
4
votes
1 answer

How to properly protect /home with separate user accounts on Linux

A great quote from this InfoSec stackExchange thread. The way to prevent malicious code from damaging files in your home directory is to not run it using your account. Create a separate_user that doesn't have any special permissions and run…
stackinator
  • 141
  • 2
4
votes
1 answer

Security implications of using SETCAP CAP_NET_RAW

In order to get around the 'problem' of applications requiring root privileges to run, I'm using: `sudo setcap CAP_NET_ADMIN+ep "$(readlink -f /usr/sbin/app)"` `sudo setcap CAP_NET_RAW+ep "$(readlink -f /usr/sbin/app)"` to be able to use the required…
Crizly
  • 2,597
  • 4
  • 18
  • 29
3
votes
2 answers

Do `sudo` and `su` belong to capability-based security?

In Linux, do sudo and su belong to Capability-based security? For example, when editing a system file, we usually need sudo or su to temporarily switch to user root. Does this example belong to capability-based security, or to protection rings?…
Tim
  • 617
  • 2
  • 7
  • 16
3
votes
2 answers

Which Linux commands can execute user-supplied code?

As explained here (https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/), the tar command can be used to execute arbitrary code. Is there a list of Linux commands, preferably including commands in packages in the official…
Arcanum
  • 159
  • 3
3
votes
1 answer

Sudo debug function vulnerability

I am quite stuck with an assignment question, exploiting vulnerability (vfprintf) in sudo_debug function with ASLR (CVE: 2012-0809). I can only use string format exploits. ONLY ASLR IS ENABLED < NO FORTIFY_SOURCE I must overwrite the value of…
fida
  • 39
  • 1
2
votes
1 answer

How to reduce the risk of sudo vim -Z (sudo rvim)

(I asked the same question on https://superuser.com/. One person recommended me to use this website instead of super user. I hope this question is quite appropriate here and I can get more detailed information.) I learned about the way to prevent…
aob
  • 123
  • 4