Fixed the Privilege Escalation Vulnerability of User omm
Applicable Version
All MRS versions
Resolved Issue
This patch fixes the issue in which user omm can use the installSudoExecute.sh script to obtain the permissions of user root.
Structure of the Patch Package
- install.sh: patch installation script.
- ips.ini: stores the IP addresses of all nodes in the cluster. Modify this file based on the actual IP addresses of the nodes in the cluster. Each IP address occupies a line. No blank line is allowed between IP addresses. Leave a blank line at the end of the file.
- scp-util.exp: SCP tool script.
- ssh-util.exp: SSH tool script.
- Sudo_Vulnerability_20210330: directory for storing the sudo_repair.sh script. You can copy the directory to the folder for running the script on each node.
- sudo_repair.sh: script for fixing the vulnerability.
- README.md: describes how to use the patch tool.
Installing the Patch
- Download the patch package from the address that corresponds to the region of the cluster.
  - CN-Hong Kong: https://mrs-container1-patch-ap-southeast-1.obs.ap-southeast-1.myhuaweicloud.com/MRS_Common_Script/MRS_All_Sudo_Vulnerability_20210330.tar.gz
  - AP-Bangkok: https://mrs-container1-patch-ap-southeast-2.obs.ap-southeast-2.myhuaweicloud.com/MRS_Common_Script/MRS_All_Sudo_Vulnerability_20210330.tar.gz
  - AP-Singapore: https://mrs-container1-patch-ap-southeast-3.obs.ap-southeast-3.myhuaweicloud.com/MRS_Common_Script/MRS_All_Sudo_Vulnerability_20210330.tar.gz
- Log in to the active master node of the cluster as the root user.
- Upload the patch package to /root/.
- Run the following command to decompress the patch tool package MRS_All_Sudo_Vulnerability_20210330.tar.gz to the current directory (/root).
tar -zxf MRS_All_Sudo_Vulnerability_20210330.tar.gz
- Run the following command to go to the directory where the ips.ini file is located.
cd /root/MRS_All_Sudo_Vulnerability_20210330/
- Configure the IP addresses of all nodes in the cluster in the ips.ini file. Each IP address occupies a line. No blank line is allowed between IP addresses. Leave a blank line at the end of the file.
- Run the following script to install the patch.
After you start the script, you need to enter the correct password of user root. If the password is incorrect, the account may be locked for 5 minutes.
cd /root/MRS_All_Sudo_Vulnerability_20210330/
dos2unix ./*
chmod +x ./* -R
sh install.sh "install"
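The ips.ini rules in the steps above (one IP address per line, no blank line between addresses, a blank line at the end) can be checked before install.sh is run. The following shell function is an added example and is not part of the patch package: check_ips_ini is a hypothetical name, the sample addresses are constructed, and it assumes IPv4 addresses and that the end-of-file rule is met when the file ends with a newline. It also flags CRLF line endings and duplicate addresses, which the page does not mention.

```shell
#!/bin/sh
# Added example: pre-flight check of ips.ini before running install.sh.
# Assumption: "a blank line at the end" is satisfied when the file ends with a
# newline (empty lines after the last IP are fine, before a later IP are not).

check_ips_ini() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # A non-newline last byte means the final IP has no line terminator.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo "$file: missing newline/blank line at end of file" >&2
        rc=1
    fi
    awk '
        { if (sub(/\r$/, "")) crlf++ }       # CRLF ending: run dos2unix first
        /^$/ { blank = NR; next }            # remember the latest empty line
        {
            if (blank) { printf "line %d: blank line before an IP address\n", blank; bad++; blank = 0 }
            n = split($0, o, ".")
            ok = (n == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            for (i = 1; ok && i <= 4; i++) if (o[i] + 0 > 255) ok = 0
            if (!ok) { printf "line %d: not an IPv4 address: %s\n", NR, $0; bad++ }
            else if (seen[$0]++) { printf "line %d: duplicate address %s\n", NR, $0; bad++ }
            else count++
        }
        END {
            if (crlf) { printf "%d line(s) end in CRLF\n", crlf; bad++ }
            if (!count) { print "no IP addresses found"; bad++ }
            exit (bad ? 1 : 0)
        }
    ' "$file" >&2 || rc=1
    return $rc
}

# Constructed sample files; addresses are from the RFC 5737 documentation range.
demo_dir=$(mktemp -d)
printf '192.0.2.11\n192.0.2.12\n192.0.2.13\n\n' > "$demo_dir/good.ini"
printf '192.0.2.11\n\n192.0.2.12\r\n192.0.2.300' > "$demo_dir/bad.ini"
for f in good bad; do
    if check_ips_ini "$demo_dir/$f.ini"; then
        echo "$f.ini: OK"
    else
        echo "$f.ini: fix before running install.sh"
    fi
done
```

A return value of 0 means the file satisfies the rules, 1 means at least one rule is violated (details are written to stderr), and 2 means the file cannot be read.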
Uninstalling a Patch
Run the following script to uninstall the patch. After you start the script, you need to enter the correct password of user root. If the password is incorrect, the account may be locked for 5 minutes during the SSH process of the script.
cd /root/MRS_All_Sudo_Vulnerability_20210330/
sh install.sh "uninstall"