ProHoster > Π‘Π»ΠΎΠ³ > wararka internetka > Nuglaanta sudo taas oo u ogolaanaysa mudnaanta sare u qaadida marka la isticmaalayo xeerar gaar ah

Nuglaanta sudo taas oo u ogolaanaysa mudnaanta sare u qaadida marka la isticmaalayo xeerar gaar ah

In utility Sudo, loo isticmaalo in lagu abaabulo fulinta amarada iyadoo ka wakiil ah isticmaalayaasha kale, la aqoonsaday nuglaanta (CVE-2019-14287), kaas oo kuu ogolaanaya inaad fuliso amarrada leh xuquuqda xididka, haddii ay jiraan xeerar ku jira goobaha sudoers kaas oo ku jira qaybta jeegga aqoonsiga isticmaalaha ka dib ereyga furaha "ALL" waxaa jira mamnuucid cad oo ah in lagu socdo xuquuqda xididka ("... (Dhammaan,! xidid) ...). Nuglaanta kama muuqato qaabaynta caadiga ah ee qaybinta.

Haddii sudoers ay leeyihiin ansax, laakiin aad dhif u ah ficil ahaan, qawaaniin u oggolaanaya fulinta amar gaar ah oo hoos yimaada UID isticmaale kasta oo aan ahayn xidid, weeraryahan awood u leh inuu fuliyo amarkan wuxuu dhaafi karaa xaddidaadda la aasaasay wuxuuna fulin karaa amarka xuquuqda xididka. Si aad uga gudubto xaddidaadda, kaliya isku day inaad ku fuliso amarka ku qeexan goobaha UID β€œ-1” ama β€œ4294967295”, taasoo u horseedi doonta in lagu fuliyo UID 0.

Tusaale ahaan, haddii uu jiro sharci ku jira goobaha kaas oo siinaya isticmaale kasta xaqa uu u leeyahay in uu fuliyo barnaamijka /usr/bin/id ee hoos yimaada UID kasta:

myhost ALL = (ALL,! xidid) /usr/bin/id

ama ikhtiyaar u oggolaanaya fulinta kaliya bob isticmaale oo gaar ah:

myhost bob = (ALL,! xidid) /usr/bin/id

Isticmaaluhu wuxuu fulin karaa "sudo -u '#-1' id" iyo / usr / bin / id utility waxaa loo bilaabi doonaa xidid ahaan, in kasta oo mamnuucida cad ee goobaha. Dhibaatadu waxay tahay iyada oo la iska indho-tiray qiyamka gaarka ah "-1" ama "4294967295", taas oo aan u horseedin isbeddel ku yimaada UID, laakiin maadaama sudo lafteedu ay horeyba u socdaan sidii xidid, iyada oo aan la beddelin UID, amarka bartilmaameedka ayaa sidoo kale ah. bilaabay xuquuqda xididka.

Qaybinta SUSE iyo openSUSE, iyada oo aan lagu sheegin "NOPASSWD" qaanuunka dhexdiisa, waxaa jirta nuglaanta aan laga faa'iidaysan, maadaama sudoers-ka qaabka "Defaults targetpw" uu si toos ah u shaqeeyo, kaas oo ka hubinaya UID ka dhanka ah keydka sirta ah oo kugu dhiirigeliya inaad geliso erayga sirta ah ee isticmaalaha. Nidaamyadan oo kale, weerar ayaa la qaadi karaa oo keliya haddii ay jiraan xeerar qaabka:

myhost ALL = (ALL,! xidid) NOPASSWD: /usr/bin/id

Arrintu waxay go'an tahay siideynta Sudo 1.8.28. Hagaajinta sidoo kale waxaa lagu heli karaa foomka balastar. Xirmooyinka qaybinta, nuglaanta mar hore ayaa lagu hagaajiyay Debian, Arch Linux, SUSE/furanSUSE, Ubuntu, Gentoo ΠΈ FreeBSD. Waqtiga qorista, dhibaatadu waxay ahaanaysaa mid aan la hagaajin RHEL ΠΈ Fedora. Nuglaanta waxaa aqoonsaday baarayaasha amniga ee Apple.

Source: opennet.ru

Add a comment