One of Linux's most important commands had a glaring security flaw

One of Linux's most important commands had a glaring security flaw

The quirk revolved around sudo’s treatment of user IDs. If you typed the command with a user ID of -1 or its unsigned equivalent 4294967295, it would treat you as if you had root access (user ID 0) even as it recorded the actual user ID in the log. The user IDs in question don’t exist in the password database, either, so the command won’t require a password to use.

Linux users can update to a newer sudo package (1.8.28 or later) to fix the flaw. You might not be immediately vulnerable, as any attacker will need to have command line control over your system before they can even consider exploiting the flaw — at that point, you probably have larger problems. Still, it’s not entirely comforting to know that such an important command was vulnerable.

div#stuning-header .dfd-stuning-header-bg-container {background-image: url(https://safevoip.co.uk/wp-content/uploads/2017/04/slider.jpg);background-size: initial;background-position: top center;background-attachment: initial;background-repeat: no-repeat;}#stuning-header div.page-title-inner {min-height: 650px;}