A recently-patched bug in the widely-used sudo command makes for interesting reading.
The patch reminds us of some important points in security-related programming.
The UNIX sudo command is usually translated to mean “do as superuser” – in other words, it lets you run administrative commands one at a time, without logging in as the superuser (root, in UNIX parlance).
More accurately, sudo stands for “substitute user identity and do“, so that you can use it to take on an identity other than root, such as a backup user or a database administrator.
Clearly, sudo is the sort of program in which a vulnerability will almost certainly lead to an escalation-of-privilege exploit. Since sudo’s main purpose is to let you enjoy root-like powers in a controlled way, anyone who can sneak past sudo’s permission checks can turn a minor intrusion into an effectively unlimited one.
So why use a potentially risky command like sudo at all? The answer is that sudo can improve security significantly: