Vulnerability in sudo that allows privilege escalation when certain rules are used

A vulnerability (CVE-2019-14287) has been identified in the sudo utility, which is used to run commands on behalf of other users. It allows commands to be executed with root privileges if the sudoers configuration contains rules in which the user-ID section following the keyword "ALL" explicitly forbids running as root ("... (ALL, !root) ..."). The vulnerability does not manifest itself in the default configurations shipped by distributions.

If sudoers contains rules that are valid, but extremely rare in practice, allowing a particular command to be run under the UID of any user except root, an attacker who is permitted to run that command can bypass the restriction and execute the command with root privileges. To bypass the restriction, it is enough to try to run the command listed in the configuration with UID "-1" or "4294967295", which results in it being executed with UID 0.

For example, if the configuration contains a rule that grants any user the right to run the /usr/bin/id program under any UID:

myhost ALL = (ALL, !root) /usr/bin/id

or a variant that allows execution only for a specific user:

myhost bob = (ALL, !root) /usr/bin/id

A user can run "sudo -u '#-1' id" and the /usr/bin/id utility will be launched as root, despite the explicit prohibition in the configuration. The problem is caused by the special values "-1" and "4294967295" being ignored: they do not result in a UID change, but since sudo itself is already running as root, the target command is also launched with root privileges when the UID is left unchanged.

On SUSE and openSUSE distributions, the vulnerability cannot be exploited unless "NOPASSWD" is explicitly specified in the rule, because the "Defaults targetpw" mode is enabled by default in sudoers: it checks the UID against the password database and prompts for the password of the user you want to run the command as. On such systems the attack is only possible if there are rules of the form:

myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id
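The following audit script is an added example and is not part of the opennet.ru article or of the sudo project. It reads sudoers text and reports rules with a runas list of the shape "(ALL, !root)" or "(ALL, !#0)" described above (rules built from aliases or other negated entries are an assumed out-of-scope case and are not detected), and it compares a sudo version string against 1.8.28, the first fixed release named below. The sudoers text it runs on is constructed for this example; pass "--live" to check the local host instead (reading /etc/sudoers requires root).

```shell
#!/bin/sh
# Added audit example (not from the article): find sudoers rules of the shape
# CVE-2019-14287 requires and flag a sudo version below the 1.8.28 fix.

# Constructed sample sudoers text for this example (not a real configuration).
SAMPLE_SUDOERS='# constructed sample, not a real configuration
Defaults env_reset
root    ALL = (ALL:ALL) ALL
myhost  ALL = (ALL, !root) /usr/bin/id
myhost  bob = (ALL, !root) /usr/bin/id
myhost  ALL = (ALL, !root) NOPASSWD: /usr/bin/id
alice   ALL = (ALL, !#0) /usr/bin/id
carol   ALL = (www-data) /usr/bin/id
# myhost dave = (ALL, !root) /usr/bin/vi   (commented out, must be ignored)'

# Print every non-comment line whose runas list is "(ALL, !root)" or "(ALL, !#0)".
# Reads sudoers text on stdin; exit status 0 if at least one such rule was found.
find_negated_root_rules() {
    grep -v '^[[:space:]]*#' |
        grep -E '\([[:space:]]*ALL[[:space:]]*,[[:space:]]*![[:space:]]*(root|#0)[[:space:]]*\)'
}

# Count such rules; always prints a bare integer and exits 0.
count_negated_root_rules() {
    find_negated_root_rules | grep -c '' || true
}

# Exit 0 when a sudo version string (e.g. "1.8.27p1") is older than 1.8.28,
# the first release the article names as fixed; exit 1 otherwise.
sudo_version_affected() {
    [ -n "$1" ] || return 2
    printf '%s\n' "$1" | sed 's/p[0-9]*$//' | awk -F. '
        { maj = $1 + 0; min = $2 + 0; pat = $3 + 0 }
        END {
            if (maj < 1 || (maj == 1 && (min < 8 || (min == 8 && pat < 28)))) exit 0
            exit 1
        }'
}

echo "Rules in the constructed sample that a pre-1.8.28 sudo would let a user bypass:"
printf '%s\n' "$SAMPLE_SUDOERS" | find_negated_root_rules
echo "Count: $(printf '%s\n' "$SAMPLE_SUDOERS" | count_negated_root_rules)"

for v in 1.8.27p1 1.8.28 1.9.0; do
    if sudo_version_affected "$v"; then
        echo "sudo $v: affected"
    else
        echo "sudo $v: fixed"
    fi
done

# With --live, inspect the running host instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
    ver=$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p')
    if [ -n "$ver" ] && sudo_version_affected "$ver"; then
        echo "installed sudo $ver is older than 1.8.28"
    fi
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | find_negated_root_rules ||
        echo "no (ALL, !root) style rules found (or sudoers not readable)"
fi
```

The version check is the decisive one: once sudo is at 1.8.28 or later, the rule shape is harmless again, so the rule scan is mainly useful for prioritising which hosts to patch first.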

The issue was fixed in the Sudo 1.8.28 release. The fix is also available as a patch. Among distributions, the vulnerability has already been fixed in Debian, Arch Linux, SUSE/openSUSE, Ubuntu, Gentoo and FreeBSD. At the time of writing, the problem remains unresolved in RHEL and Fedora. The vulnerability was identified by Apple security researchers.

Source: opennet.ru
