

2.5 Admins 254: chrudo
Jul 3, 2025
The hosts dive into a critical vulnerability in sudo, sparking a debate about security practices and alternatives like doas. They discuss VMware's audits of its customers, emphasizing the challenges of software license compliance. They also look at firewall configuration and how tightening outbound port settings improves security. There's a call to avoid software monocultures, reflecting on the Unix philosophy and balancing simplicity with functionality. Plus, practical insights on disaster recovery with ZFS are shared!
AI Snips
sudo's risky chroot feature deprecated
- The sudo chroot feature introduced in 2020 caused a severe vulnerability allowing arbitrary root access.
- The feature was intended for release engineering, not security, and is now deprecated due to its risks.
Avoid the risks of setuid binaries
- Avoid setuid binaries like sudo when possible due to inherent risks.
- Consider alternatives like FreeBSD's MAC framework to reduce attack surface.
Beware feature creep in security
- Feature creep in core software like sudo can introduce serious security holes.
- Maintaining a clear scope and minimizing features is vital to security projects.