4 comments

[ 4.1 ms ] story [ 20.2 ms ] thread
This is not good... Haven't tried it yet, but it's a big security hole in "sudo". Patch up your Linux systems now!
tried it on my centos and ubuntu systems... doesn't work

:/

It only works if you've got a specific, somewhat unlikely configuration. You need to have ALL in the user specifier, but not root (or else it's not a vuln, just a bug). So

> username ALL=(ALL, !root) ALL

would be vulnerable; this is trying to let username run commands as any other user _except_ root, but using this vuln the user can get around it.

You can duplicate it by running (as a user with sudo ALL privileges) `sudo -u#-1 id`; it'll show 0, for root.