Hacker News new | ask | show | jobs
by LeifCarrotson 584 days ago
They can execute anything they like as root... by entering their password.

This post shows a way that clever code can execute anything it likes as root without knowing the user's password. That seems pretty significant to me.
3 comments
rlpb 584 days ago
> They can execute anything they like as root... by entering their password.

If it has control of your user account, then it can just arrange to wrap your shell prompt and wait for you to sudo something else. The sudo password prompt in its default arrangement doesn't really provide much security there and isn't expected to.

link
withinboredom 584 days ago
On a server, you may be waiting months for that human to login and use sudo. Maybe even years.
link
chmod775 584 days ago
On a properly configured server you'll be waiting forever, because the users actually running the applications on that server aren't the same users who have privileges to make changes to the system or have access to stuff like sudo. So if you take over the nginx/postgres/whatever user, you're not really going to get anywhere.

On the other hand you probably don't need to. Those users already expose all the juicy data on the server. You don't gain much from obtaining root anyways, except better persistence.

This attack might be more interesting when chained with some other exploit that gains access to a users system via their e-mail client or browser. In other words nice if you're NSO Group making exploits for targeting individuals, but not that useful if you're trying to make a botnet.

link
rlpb 584 days ago
That's not really relevant nowadays. Most attacks are done indiscriminately and en-masse, so an attacker wouldn't have to wait very long in practice.

Only in "advanced persistent thread" territory is your point really relevant, but the attack I describe is much more widely applicable. Having to wait a while is therefore not in any way a mitigation. In practice then, one cannot assume any security from sudo requiring a password.

https://en.wikipedia.org/wiki/Advanced_persistent_threat

link
nneonneo 584 days ago
Somewhat tangentially, I will say that Touch ID-based sudo is a real upgrade over password sudo. It still gives you that extra moment to reflect on whether you really want to run that command (unlike passwordless sudo), without being burdensome.
link
akira2501 584 days ago
Using print server vulnerabilities to gain local privilege escalation is reminiscent of Windows 95. The year of "Linux on the Desktop," I guess.
link
Yasuraka 584 days ago
In fact it's also reminiscent of Windows 11.
link