Vulnerability in sudo that allows privilege escalation when specific rules are used

A vulnerability (CVE-2019-14287) has been identified in sudo, the utility used to organize the execution of commands on behalf of other users. It allows commands to be run with root privileges when the sudoers configuration contains rules in which the user-ID section, after the "ALL" permission keyword, explicitly forbids running with root privileges ("... (ALL, !root) ..."). The vulnerability does not manifest itself in the default configurations shipped by distributions.

If sudoers contains a rule that is valid but very rare in practice, allowing a certain command to be executed under the UID of any user except root, an attacker who has permission to run that command can bypass the configured restriction and execute the command with root privileges. To bypass the restriction, it is enough to run the command named in the rule with UID "-1" or "4294967295", which results in its execution with UID 0.

For example, if the configuration contains a rule that grants any user the right to run the program /usr/bin/id under any UID:

myhost ALL = (ALL, !root) /usr/bin/id

or a variant that permits execution only for the specific user bob:

myhost bob = (ALL, !root) /usr/bin/id

then the user can run "sudo -u '#-1' id" and the /usr/bin/id utility will be launched as root, despite the explicit prohibition in the configuration. The problem is caused by the handling of the special values "-1" and "4294967295", which do not result in a change of UID; since sudo itself is already running as root, the target command, launched without a UID change, also ends up running with root privileges.

In the SUSE and openSUSE distributions the vulnerability is not exploitable unless "NOPASSWD" is specified in the rule, because sudoers there enables the "Defaults targetpw" mode by default, which looks the UID up in the password database and prompts for the target user's password. On such systems the attack is possible only if there are rules of the form:

myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id

The issue was fixed in the sudo 1.8.28 release. The fix is also available in the form of a patch. Among distributions, the vulnerability has already been fixed in Debian, Arch Linux, SUSE/openSUSE, Ubuntu, Gentoo and FreeBSD. At the time of writing, the problem remains unfixed in RHEL and Fedora. The vulnerability was discovered by security researchers from Apple.
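As an added example (not code from the article or from the sudo project), the following Python script audits sudoers text for the rule shape described above: a Runas specification that permits ALL users but negates root, optionally tagged NOPASSWD, on a sudo version older than the fixed release 1.8.28. It also honours the "Defaults targetpw" behaviour noted for SUSE, where a rule without NOPASSWD is not exploitable. The sudoers grammar it parses is deliberately simplified (no aliases, includes or line continuations), and the sample sudoers text embedded in it is constructed.

```python
"""Audit sudoers rules for exposure to CVE-2019-14287 (fixed in sudo 1.8.28).

Added example, not code from the article or from the sudo project.
Rule lines are matched with a simplified sudoers grammar (no aliases,
includes or continuation lines); the sample sudoers text is constructed.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 8, 28)

# <user/host spec> = (runas_users[:runas_groups]) [Tag:] command ...
RULE_RE = re.compile(
    r"^(?P<prefix>[^=#]+?)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$"
)
# A '#' starts a comment at line start or after whitespace, but "#0" in
# "!#0" is a numeric UID and must survive.
COMMENT_RE = re.compile(r"(^|\s)#(?!\d).*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.8.27' or '1.8.28p1' into a comparable tuple of ints."""
    return tuple(int(part) for part in re.split(r"[.p]", version.strip()))


def runas_excludes_root(runas: str) -> bool:
    """True for a Runas_Spec such as 'ALL, !root': any user is permitted
    and root is explicitly excluded (spelled !root or !#0)."""
    users = [u.strip() for u in runas.split(":", 1)[0].split(",")]
    allows_any = "ALL" in users
    denies_root = any(u in ("!root", "!#0") for u in users)
    return allows_any and denies_root


def audit_sudoers(text: str, sudo_version: str) -> List[Dict[str, object]]:
    """Return one finding per rule of the form '(ALL, !root)'.

    A finding is marked exploitable when the sudo version predates the
    fix and either targetpw is off or the rule carries NOPASSWD.
    """
    lines = [COMMENT_RE.sub("", line).strip() for line in text.splitlines()]
    # Defaults apply to the whole file regardless of position, so scan first.
    targetpw = any(re.match(r"^Defaults\b.*\btargetpw\b", l) for l in lines)
    unfixed = parse_version(sudo_version) < FIXED_VERSION

    findings = []
    for stripped in lines:
        m = RULE_RE.match(stripped)
        if not m or not runas_excludes_root(m.group("runas")):
            continue
        nopasswd = "NOPASSWD:" in m.group("rest")
        # With targetpw, sudo asks for the target user's password, which the
        # caller does not have unless the rule carries NOPASSWD.
        exploitable = unfixed and (nopasswd or not targetpw)
        findings.append(
            {"rule": stripped, "nopasswd": nopasswd, "exploitable": exploitable}
        )
    return findings


# Constructed sample, modelled on the rules quoted in the article.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
myhost ALL = (ALL, !root) /usr/bin/id
myhost bob = (ALL, !root) NOPASSWD: /usr/bin/id
alice myhost = (ALL) /usr/bin/id    # root is permitted here: not affected
dave myhost = (ALL, !#0) /usr/bin/id
"""

# Same rules with the SUSE-style default that prompts for the target password.
SUSE_SAMPLE = "Defaults targetpw\n" + "\n".join(SAMPLE_SUDOERS.splitlines()[2:4])

if __name__ == "__main__":
    for version in ("1.8.27", "1.8.28p1"):
        print(f"sudo {version}:")
        for f in audit_sudoers(SAMPLE_SUDOERS, version):
            print(f"  exploitable={f['exploitable']!s:5}  {f['rule']}")
    print("SUSE-style targetpw, sudo 1.8.27:")
    for f in audit_sudoers(SUSE_SAMPLE, "1.8.27"):
        print(f"  exploitable={f['exploitable']!s:5}  {f['rule']}")
```

Run it against the output of `visudo -c -f <file>` only after that check passes, since the simplified grammar assumes syntactically valid rules; the version string can be taken from `sudo -V`.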

Source: opennet.ru