Replacing system sudo with MacPorts sudo?

Wowfunhappy@gmail.com
Hello all!

The recently discovered vulnerability in sudo is making me nervous about my old systems. This may be unreasonable, as these systems have plenty of other vulnerabilities and I behave accordingly. However, sudo just seems like such a vital component, and this exploit particularly bad.

It doesn't look like MacPorts sudo has any dependencies, so how terrible of an idea would it be to just plop it in /usr/bin/? Do any obvious pitfalls come to mind, perhaps around configuration file paths? (I also of course realize this would be totally "unsupported", whatever that really means under the circumstances... 🙂)

I could also just wait for Apple's next open source drop, and see if their patched sudo can be compiled to target older systems... better idea?

Re: Replacing system sudo with MacPorts sudo?

MacPorts - Users mailing list
On Feb 11, 2021, at 17:32, [hidden email] <[hidden email]> wrote:
> Hello all!
>
> The recently discovered vulnerability in sudo is making me nervous about my old systems. This may be unreasonable, as these systems have plenty of other vulnerabilities and I behave accordingly. However, sudo just seems like such a vital component, and this exploit particularly bad.

I don't believe that any exploits have been found in-the-wild with regard to this potentially dangerous vulnerability.

> It doesn't look like MacPorts sudo has any dependencies, so how terrible of an idea would it be to just plop it in /usr/bin/? Do any obvious pitfalls come to mind, perhaps around configuration file paths? (I also of course realize this would be totally "unsupported", whatever that really means under the circumstances... 🙂)

I think the only danger would be if there are some macOS dependencies that only Apple knows about and has considered when distributing the recent Mojave, Catalina and Big Sur updates. Not sure why you wouldn't just install it as a MacPorts install to override the one you have in /usr/bin.

> I could also just wait for Apple's next open source drop, and see if their patched sudo can be compiled to target older systems... better idea?

Do you have reason to believe that the patched sudo distributed by Apple is any different from that distributed by the sudo developer?

-Al-



Re: Replacing system sudo with MacPorts sudo?

raf
In reply to this post by Wowfunhappy@gmail.com
On Thu, Feb 11, 2021 at 08:32:19PM -0500, "[hidden email]" <[hidden email]> wrote:

> Hello all!
>
> The recently discovered vulnerability in sudo is making me nervous
> about my old systems. This may be unreasonable, as these systems have
> plenty of other vulnerabilities and I behave accordingly. However,
> sudo just seems like such a vital component, and this exploit
> particularly bad.
>
> It doesn't look like MacPorts sudo has any dependencies, so how
> terrible of an idea would it be to just plop it in /usr/bin/? Do any
> obvious pitfalls come to mind, perhaps around configuration file
> paths? (I also of course realize this would be totally "unsupported",
> whatever that really means under the circumstances... 🙂)
>
> I could also just wait for Apple's next open source drop, and see if
> their patched sudo can be compiled to target older systems... better
> idea?

Just a personal opinion, but if you are the only person
using your mac, and hence the only person likely to use
sudo, I'd recommend leaving the system version alone,
and just make sure that you only use the latest version
via macports, by setting up your path and/or shell
aliases accordingly.

Unless you've set them up yourself, there are
probably no automated uses of sudo that you would need
to worry about. But I am just assuming that.

If you want to change the system version anyway, I'd
suggest renaming it, and then creating a symlink in its
place that refers to the macports version, then keep an
eye out for any problems. You will probably need to
temporarily disable SIP in order to do that.

cheers,
raf
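
The PATH-ordering approach suggested in the message above can be checked with a script like the following. It is an added example, not part of the thread: the function names are illustrative, /opt/local is assumed as the MacPorts prefix, `sudo -V` is assumed to print `Sudo version X` on its first line, and the threshold is the 1.9.5p2 release named in the Apple advisory quoted later in the thread.

```shell
#!/bin/sh
# Added example. FIXED is the release named in the Apple advisory quoted
# in this thread; /opt/local/bin (used below) is an assumed MacPorts prefix.
FIXED="1.9.5p2"

# "1.9.5p2" -> "1 9 5 2"; a missing patch level counts as p0.
split_version() {
    case $1 in
        *p*) base=${1%p*}; patch=${1##*p} ;;
        *)   base=$1; patch=0 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
    for n in "${1:-0}" "${2:-0}" "${3:-0}" "${patch:-0}"; do
        n=${n%%[!0-9]*}; printf '%s ' "${n:-0}"
    done
}

# Succeeds when version $1 is at least version $2.
version_ge() {
    set -- $(split_version "$1") $(split_version "$2")
    [ "$1" -ne "$5" ] && { [ "$1" -gt "$5" ]; return; }
    [ "$2" -ne "$6" ] && { [ "$2" -gt "$6" ]; return; }
    [ "$3" -ne "$7" ] && { [ "$3" -gt "$7" ]; return; }
    [ "$4" -ge "$8" ]
}

# Print the sudo that a shell with PATH string $1 would run.
first_sudo_in_path() {
    old_ifs=$IFS; IFS=:; set -- $1; IFS=$old_ifs
    for dir in "$@"; do
        dir=${dir:-.}
        if [ -f "$dir/sudo" ] && [ -x "$dir/sudo" ]; then
            echo "$dir/sudo"; return 0
        fi
    done
    return 1
}

# Report "OK <path> <version>" or "OLD <path> <version>" for PATH string $1.
check_sudo() {
    bin=$(first_sudo_in_path "$1") || { echo "NONE"; return 2; }
    ver=$("$bin" -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if version_ge "$ver" "$FIXED"; then echo "OK $bin $ver"
    else echo "OLD $bin $ver"; return 1; fi
}

# Compare the current PATH with one that puts the MacPorts prefix first.
check_sudo "$PATH" || true
check_sudo "/opt/local/bin:$PATH" || true
```

An OK result only describes what a shell with that PATH runs; the system binary in /usr/bin is still present and can be invoked by its full path.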


Re: Replacing system sudo with MacPorts sudo?

Bjarne D Mathiesen
In reply to this post by Wowfunhappy@gmail.com
Apple has just released updates for this:

https://support.apple.com/kb/HT212177

Sudo

Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave
10.14.6
Impact: A local attacker may be able to elevate their privileges
Description: This issue was addressed by updating to sudo version 1.9.5p2.

--
Bjarne D Mathiesen
Korsør ; Danmark ; Europa
----------------------------------------------------------------------
this message was written in a totally M$-free environment
macOS 10.15.7 Catalina
2 x 3,46 GHz 6-Core Intel Xeon ; 112 GB 1333 MHz DDR3 ECC
ATI Radeon RX 590 8 GB

Re: Replacing system sudo with MacPorts sudo?

ryandesign2
Administrator


On Feb 12, 2021, at 02:45, Bjarne D Mathiesen wrote:

> Apple has just released updates for this:
>
> https://support.apple.com/kb/HT212177
>
> Sudo
>
> Available for: macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave
> 10.14.6
> Impact: A local attacker may be able to elevate their privileges
> Description: This issue was addressed by updating to sudo version 1.9.5p2.

Right, and the question was what to do about systems older than macOS Mojave for which Apple has not issued that update.