Guessing that SUDO is in use in Hass.IO, is this flaw handled?

Hass.io doesn’t use sudo. Hass.io is a Docker based install method, and is little more than a few containers.


Yes, and the Linux underneath that? When users install hass.io, the Linux underneath it is almost completely hidden, so IMHO this needs to be fixed by the developers.

If you want to use a full Linux distro, install Hass.io over Debian/Ubuntu.

I think you missed his point. In HassIO the containers have an Alpine Linux base, as far as I know. He’s asking about the newly discovered SUDO vulnerability in Linux, and if it’s patched on the containers.

Though that would likely need to be patched upstream (in Alpine) then have the containers patched to use the newer version of Alpine.

In reality though, if the system is properly secured it’s not likely to see untrusted code running on it, so this vulnerability isn’t likely to be exploitable.


Under that the images use HassOS, and this requires that the attacker has a local account with sudo access.

Given that there’s no access to the underlying OS remotely, the risk, even if it’s enabled, is effectively zero.

GRIN, yes, and publicly unknown vulnerabilities do not exist :wink:
I doubt there is a risk here, but known problems MUST be eliminated.

Just check out hassos

Why? This doesn’t really have anything to do with this (CVE-2019-14287) vulnerability.


I’m a bit worried about the ‘inertia’ in a question about a known vulnerability in all Linux distros.
I see a lot of ‘defensiveness’ and belittling of the problem, and not many answers.
I’m currently VERY busy with our 200 servers because of this. Being quite security conscious has always been a part of my career, and it was actually one of the reasons I originally opted for hass.io and Home Assistant.
I haven’t chosen the Linux distro for HA, and I’m certain that there was a lot of very solid thinking behind choosing the platform, so this is not a question of criticising the choice of platform (which wouldn’t make any sense, considering that all Linux distributions are subject to this problem). I’m just curious what the plans and timeframe are for resolving this issue.

The HA team doesn’t have anything to do with patching Alpine though? This seems like a question for the Alpine team that builds the docker images that HA is based on.


Good point, but as HA has chosen the platform, it’s part of their ‘job’ to ensure that quality on behalf of all their users / customers (yes, with people using nabu casa, they are now customers) and get a plan for solution from Alpine Linux.

It would appear they don’t include sudo in the base image…so your concerns are null



Pretty sure sudo isn’t shipped in Alpine by default.


The flaw seems to only affect non default configurations of sudo
https://access.redhat.com/security/cve/cve-2019-14287


It’s ONLY for SUDO’ers with a root exclusion, that is true.

That is great news.

Stolen from the web

"This flaw only affects specific, non-default configurations of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:

bob myhost = (ALL, !root) /usr/bin/vi

This configuration allows user bob to run the vi command as any other user except root. However, this flaw also allows bob to run the vi command as root by specifying the target user using the numeric id of -1. Only the specified command can be run; this flaw does NOT allow the user to run other commands than those specified in the sudoers configuration.

Any other configurations of sudo (including configurations that allow user to run commands as any user including root and configurations that allow user to run command as a specific other user) are NOT affected by this flaw."

As I see it, if I give user ‘bob’ sudo permissions for everything except for vi (the `bob myhost = (ALL, !root) /usr/bin/vi` line), then the user bob could run vi as sudo with this hack.

Can’t see it being an issue in Hass.io or in hassbian. For those that have installed it direct in Linux that is up to you to see you do not have this type of config.

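To make the advisory text above concrete, here is an added example (written for this thread, not code from the Home Assistant project or from Red Hat) that audits a sudoers file for exactly the Runas shape the advisory describes, a user list that negates root while still allowing other users, and that checks whether a `sudo -V` version string predates 1.8.28, the upstream release that fixed CVE-2019-14287. The sudoers content and the user names bob, alice and carol are constructed for illustration; the `(ALL, !#0)` line is included because sudoers accepts a numeric uid in place of a name, so negating root by uid is the same configuration.

```python
"""Audit sudoers rules for the CVE-2019-14287 pattern and check the sudo version.

Added example for this thread; not from Home Assistant, HassOS or Alpine.
The sudoers text and the version strings below are constructed samples.
"""
import re

# Constructed sample sudoers. The "bob" line is the shape quoted in the advisory.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     myhost = (ALL, !root) /usr/bin/vi
alice   ALL = (www-data) /usr/bin/systemctl restart nginx
carol   ALL = (ALL, !#0) /usr/bin/less
"""

# First upstream release that fixed the flaw.
FIXED_VERSION = (1, 8, 28)

# user  host = (runas_users[:runas_groups]) commands
# Rules without a parenthesised Runas list default to root only and are not affected.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def runas_excludes_root(runas: str) -> bool:
    """True if the Runas user list negates root (by name or by uid #0) while
    still permitting other users. That is the only configuration the flaw
    needs: "(ALL, !root)" is affected, "(ALL)" and "(www-data)" are not."""
    users = runas.split(":", 1)[0]  # drop the optional group list
    items = [t.strip() for t in users.split(",") if t.strip()]
    negated = {t[1:].strip() for t in items if t.startswith("!")}
    allowed = [t for t in items if not t.startswith("!")]
    root_negated = any(n in ("root", "#0") for n in negated)
    return root_negated and bool(allowed)


def find_vulnerable_rules(sudoers_text: str) -> list:
    """Return (user, host, runas, commands) for every rule whose Runas list
    matches the vulnerable pattern. Comment lines, Defaults and alias lines
    are skipped; a trailing "# comment" is stripped, but "#0"-style uids kept."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.sub(r"\s+#(?!\d).*$", "", line)  # trailing comment, not a uid
        m = RULE_RE.match(line)
        if m and runas_excludes_root(m.group("runas")):
            hits.append((m.group("user"), m.group("host"),
                         m.group("runas").strip(), m.group("cmds").strip()))
    return hits


def sudo_version_is_affected(version_string: str) -> bool:
    """Parse the first line of `sudo -V` (e.g. "Sudo version 1.8.27") and
    return True if the version is older than the 1.8.28 fix. Patch suffixes
    such as "1.8.28p1" compare on the three numeric components only."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"cannot parse a sudo version from {version_string!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed version string standing in for the output of `sudo -V`.
    affected = sudo_version_is_affected("Sudo version 1.8.27")
    for user, host, runas, cmds in find_vulnerable_rules(SAMPLE_SUDOERS):
        status = "exploitable as root" if affected else "pattern present, sudo patched"
        print(f"{user}@{host}: ({runas}) {cmds}  [{status}]")
```

Two caveats when running this against a real host: distributions such as Red Hat backport the fix without bumping the version number, so the version check is a hint, not a verdict (the distro's advisory page is authoritative), and rules can also live under `/etc/sudoers.d/` and in user or Runas aliases, which this parser does not expand. A system with no `sudo` binary at all, as the Alpine-based containers in this thread are reported to be, has nothing for the script to find.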

I was typing almost the same exact message. I hate when people scream security vulnerability without knowing what the vulnerability is. Sure, there is a vulnerability in sudo, but it’s only exposed in a weird configuration such as (ALL, !root). Who does that? :slight_smile:


I have no idea. We had to re-read the CVE a few times at work to figure out what was actually going on with this exploit. TL;DR for everyone else: it’s a real bug, but the attack vector is almost non-existent in any production environment, let alone a home application.
