Vulnerability in sudo allowing privilege escalation when certain rules are used

The sudo utility, used to organize the execution of commands on behalf of other users, has been found to contain a vulnerability (CVE-2019-14287) that allows commands to be executed with root privileges if the sudoers configuration contains rules in which, in the user-ID check section, the keyword "ALL" is followed by an explicit denial of running with root privileges ("... (ALL, !root) ..."). The vulnerability does not appear in the default configurations of distributions.

If sudoers contains rules (permitted, but rare in practice) that allow a certain command to be run under the UID of any user except root, an attacker who is allowed to run that command can bypass the configured restriction and execute the command with root privileges. To bypass the restriction, it is enough to try to run the command specified in the configuration with UID "-1" or "4294967295", which results in it being executed with UID 0.

For example, if the configuration contains a rule that grants any user the right to run the /usr/bin/id program under any UID:

myhost ALL = (ALL, !root) /usr/bin/id

or a variant that allows execution only for a specific user:

myhost bob = (ALL, !root) /usr/bin/id

The user can run "sudo -u '#-1' id" and the /usr/bin/id utility will be launched as root, despite the explicit prohibition in the configuration. The problem is caused by the special values "-1" and "4294967295" being ignored: they do not cause a UID change, but since sudo itself is already running as root, the target command is launched with root privileges when the UID is left unchanged.

In the SUSE and openSUSE distributions, the vulnerability is not exploitable unless "NOPASSWD" is specified in the rule, because the "Defaults targetpw" mode is enabled by default in sudoers; this mode checks the UID against the password database and prompts for the target user's password. On these systems the attack can only be carried out if there are rules of the form:

myhost ALL = (ALL, !root) NOPASSWD: /usr/bin/id

The problem was fixed in the Sudo 1.8.28 release. The fix is also available as a patch. Among distributions, the vulnerability has already been fixed in Debian, Arch Linux, SUSE/openSUSE, Ubuntu, Gentoo and FreeBSD. At the time of writing, the problem remains unfixed in RHEL and Fedora. The vulnerability was identified by Apple security researchers.
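The following script is an added example (not code from the original article or from the sudo project) that lets an administrator check whether their own configuration matches the risky pattern described above. It scans sudoers text for rules whose runas list combines "ALL" with "!root" (or "!#0"), applies the "Defaults targetpw" / NOPASSWD caveat from the SUSE section, and compares a "sudo -V" version string against the fixed release 1.8.28. The sudoers content and version strings below are constructed samples, and the rule-parsing regex is a simplified one that only handles the single-line "who where = (runas) [tags:] commands" form.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample sudoers content for illustration only (not from a real host).
SAMPLE_SUDOERS = """\
# constructed example
Defaults targetpw
root    ALL = (ALL:ALL) ALL
myhost  ALL = (ALL, !root) /usr/bin/id
myhost  bob = (ALL, !root) NOPASSWD: /usr/bin/id
alice   ALL = (www-data) /usr/bin/systemctl
"""

# Release in which CVE-2019-14287 was fixed (stated in the article).
FIXED_VERSION = (1, 8, 28)

# Simplified matcher for "who where = (runas[:groups]) [tags:] commands".
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<where>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$"
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract an X.Y.Z version tuple from e.g. the first line of `sudo -V`."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def version_is_fixed(text: str) -> bool:
    """True when the reported sudo version is 1.8.28 or later."""
    return parse_version(text) >= FIXED_VERSION


def _strip_comment(raw: str) -> str:
    # Only treat '#' as a comment at line start or after whitespace, so that
    # numeric specs such as "!#0" inside a runas list survive.
    return re.sub(r"(^|\s)#.*$", "", raw).strip()


def audit_sudoers(content: str) -> List[Dict[str, object]]:
    """Return rules that negate root inside an otherwise ALL runas list."""
    lines = [_strip_comment(l) for l in content.splitlines()]

    # Pass 1: Defaults may appear anywhere in the file, so collect them first.
    targetpw = any(l.startswith("Defaults") and "targetpw" in l for l in lines)

    # Pass 2: examine user specifications.
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]  # drop ":groups" part
        entries = [e.strip() for e in runas_users.split(",") if e.strip()]
        negates_root = any(e in ("!root", "!#0") for e in entries)
        allows_all = "ALL" in entries
        if not (negates_root and allows_all):
            continue
        nopasswd = "NOPASSWD:" in m.group("rest")
        # With "Defaults targetpw" the target user's password is requested, which
        # blocks the bypass unless the rule carries NOPASSWD (per the article).
        findings.append({
            "line": lineno,
            "rule": line,
            "nopasswd": nopasswd,
            "exploitable": nopasswd or not targetpw,
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        state = "EXPLOITABLE on sudo < 1.8.28" if f["exploitable"] else "mitigated by targetpw"
        print("line %d: %s  [%s]" % (f["line"], f["rule"], state))
```

On a real host the input would be the output of `sudo -V` and the contents of /etc/sudoers plus /etc/sudoers.d/*; the script reports a rule as exploitable only when no targetpw default is present or the rule itself carries NOPASSWD, matching the conditions the article gives. Rules using aliases or line continuations are not parsed by this simplified matcher and would need to be reviewed by hand.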

Source: opennet.ru
