@aeveltstra and then I've felt bad for being paranoid about this little guy. I literally control-shift-F3 to use another TTY as root.

Actually I use sudo now, after suid-ing scripts doesn't work (it's disabled, shell script security sucks), but only for a few things very particularly, like `sudo pacman -Sy`.

People probably should sandbox their browser & email client, at least. But paranoid about `firejail` too. (use bubblewrap)

Alas, paranoid or not, we're all insecure.

@aeveltstra

> "Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted" – thehackernews.com/2019/10/linu

First thought: Yikes!

Second thought…*man* I love being on a rolling release distro—the new sudo package is already in the #void repo

@aeveltstra

> "Sudo Flaw Lets Linux Users Run Commands As Root Even When They're Restricted" – thehackernews.com/2019/10/linu

Third thought: turns out this vulnerability only occurred for configurations where users were allowed to `sudo` into *any* non-root user. (The vulnerability allowed them to also become root).

That seems like a bad idea anyway, so hopefully such configs were rare?

sudo.ws/alerts/minus_1_uid.htm

@codesections I hope so too. But all I need to do to find an example is to look at myself: I use Linux casually and on already restricted devices: chances are my installations are vulnerable due to configuration flaws.

@codesections @aeveltstra It's an odd setup where you can have this problem.

Generally I have seen sudo setups where:
* You don't care what the new user is
* You specify the one new user the command can be run as.

I think neither of those is vulnerable. Still, it's good to fix it.
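
An added example, not part of any post in this thread: a small audit that sorts sudoers rules into the three Runas setups discussed above (any target user, named target users only, and any user with exclusions such as `!root`, the kind of rule the posts describe as affected). The sample sudoers text and the category names are constructed for illustration, and the parser assumes plain user rules only, with no aliases or included files.

```python
import re

# Constructed sample sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed example entries
Defaults env_reset
alice   ALL = (ALL) ALL
bob     myhost = (ALL, !root) /usr/bin/vi
carol   ALL = (www-data) NOPASSWD: /usr/bin/systemctl reload nginx
dave    ALL = (ALL, !root : ALL) \\
            /usr/bin/id
erin    ALL = /usr/bin/pacman -Sy
"""

RUNAS = re.compile(r"\(([^)]*)\)")  # text inside a "(users : groups)" Runas spec

def classify_runas(spec):
    """Classify the user part of one Runas spec, e.g. 'ALL, !root : wheel'."""
    users = [u.replace(" ", "") for u in spec.split(":")[0].split(",") if u.strip()]
    has_all = "ALL" in users
    if has_all and any(u.startswith("!") for u in users):
        return "any-user-except"  # "any user but root": the affected setup
    if has_all:
        return "any-user"         # target user unrestricted, root included
    return "fixed-user"           # only the listed target users

def audit(text):
    """Return (first_line_no, user, category) for each rule with a Runas spec."""
    findings, logical, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not logical:
            start = n                      # first physical line of this rule
        logical += raw.rstrip()
        if logical.endswith("\\"):         # join backslash-continued lines
            logical = logical[:-1] + " "
            continue
        line, logical = logical.strip(), ""
        if not line or line.startswith("#") or "=" not in line:
            continue                       # blank, comment, or not a rule
        if re.match(r"(Defaults|\w+_Alias)\b", line):
            continue                       # settings and aliases are out of scope
        user = line.split()[0]
        for m in RUNAS.finditer(line.split("=", 1)[1]):
            findings.append((start, user, classify_runas(m.group(1))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(*finding)
```

Rules reported as `any-user-except` are the ones to review and to cover by updating the sudo package; rules with no Runas spec, like the `erin` line, are not reported.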
