
CVE-2019-14287: Sudo Bug Allows Restricted Users to Run Commands as Root - massacre
https://sensorstechforum.com/cve-2019-14287-sudo-bug/
======
hannob
This is technically an interesting bug, but the implications are very minor.
The only situation where this can be exploited is when you allow a user to
execute something as any other user except root. This seems pretty obscure
and probably affects only an extremely small number of configurations.

Pretty much all the headlines I saw on this were overstating or stretching the
impact.

~~~
cracauer
No question about the headlines overstating.

But I don't think this is a rare situation. For example you can allow a bunch
of users to restart and change a buildbot infrastructure (which runs as its
own user, not root).

~~~
derekp7
But you are giving them access to that specific build user, not "ALL" followed
by "!root".
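
[Added example, not part of the thread and not code from sudo or from any commenter.] A small Python audit for the configuration discussed above: a sudoers rule whose Runas list is `ALL` with root excluded (`!root` or `!#0`). The sample sudoers text and the function names are constructed for illustration, and Runas aliases are not expanded.

```python
import re

# Constructed sample sudoers content, not taken from any real host.
SAMPLE = """\
# build operators may act as the buildbot account only
alice   ALL = (buildbot) /usr/bin/systemctl restart buildbot
bob     ALL = (ALL, !root) /usr/bin/vi
carol   ALL = (ALL) ALL
dave    ALL = (ALL, \\
               !#0 : ops) /usr/bin/less /var/log/*
"""

RUNAS = re.compile(r"\(([^)]*)\)")  # one "(users[:groups])" Runas spec
ROOT = {"root", "#0"}               # root by name or by numeric uid


def logical_lines(text):
    """Yield (first_line_no, text) with continuations joined and comments removed."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        buf += raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1] + " "
            continue
        # '#' starts a comment unless it introduces a numeric id such as #0
        line, buf = re.sub(r"#(?!\d).*", "", buf).strip(), ""
        if line:
            yield start, line


def find_all_except_root(text):
    """Return (line_no, who, runas_users) for rules that run as ALL minus root."""
    findings = []
    for n, line in logical_lines(text):
        who = line.split()[0]
        if "=" not in line or who.startswith("Defaults") or who.endswith("_Alias"):
            continue  # aliases are not expanded: a simplification of this example
        for spec in RUNAS.findall(line.split("=", 1)[1]):
            users = [u.strip() for u in spec.split(":")[0].split(",")]
            excluded = {u[1:].strip() for u in users if u.startswith("!")}
            if "ALL" in users and excluded & ROOT:
                findings.append((n, who, ", ".join(users)))
    return findings


if __name__ == "__main__":
    for n, who, users in find_all_except_root(SAMPLE):
        print(f"line {n}: {who} may run as ({users})")
```

Rules that name one specific target account, like the buildbot case mentioned in the thread, are not flagged.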

------
el_duderino
Yesterday's discussion:
[https://news.ycombinator.com/item?id=21252285](https://news.ycombinator.com/item?id=21252285)

------
admax88q
Does anybody actually have sudo access on a system that they don't also have
100% control over?

I feel like Linux as a true multi-user system, especially to the level of
having sudo access, is such a minority use case that I would never actually
trust it in production.

~~~
PureParadigm
In high performance computing, the supercomputing cluster is usually a shared
Linux environment. Each user gets a home directory and groups are used for
projects. As an intern working on one, they gave me limited sudo access to run
a few commands but not everything (stuff like reading logs was fine but not
able to power off the cluster).

