A newly disclosed vulnerability in sudo allows local privilege escalation via a logic flaw in its --chroot handling. No memory corruption needed — just some clever abuse of trusted boundaries.
In Unix-like systems, sudo (short for "superuser do") is a utility that allows a permitted user to execute a command as the superuser or another user. It's essentially a gatekeeper to privileged operations, and for that reason, it's a juicy target for attackers.
What makes sudo unique is that it’s marked as setuid, meaning it always runs with the privileges of the file's owner—in this case, root—even if an unprivileged user launches it. That tiny flag is a massive security responsibility.
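Because the setuid bit is what turns a logic bug in sudo into a root compromise, a useful first step for defenders is to inventory exactly which binaries carry it. The following is an added example, not code from the article; it assumes a POSIX host and Python 3, and builds its own sample file so it runs without touching the real sudo binary.

```python
import os
import stat
import tempfile


def setuid_audit(path: str) -> dict:
    """Report the mode bits that make a binary like sudo a trust boundary."""
    st = os.stat(path)
    mode = st.st_mode
    is_setuid = bool(mode & stat.S_ISUID)
    return {
        "path": path,
        "setuid": is_setuid,
        "setgid": bool(mode & stat.S_ISGID),
        "owner_uid": st.st_uid,
        # The dangerous combination: setuid AND owned by root (uid 0).
        "runs_as_root": is_setuid and st.st_uid == 0,
        "world_executable": bool(mode & stat.S_IXOTH),
        # A setuid root file that others can write is an immediate red flag.
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def find_setuid_root(dirs) -> list:
    """Walk the given directories and list regular files that are setuid root."""
    hits = []
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                try:
                    st = os.lstat(p)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    hits.append(p)
    return sorted(hits)


def make_sample_setuid_file() -> str:
    """Constructed sample: a setuid file in a fresh temp dir, owned by the caller (not root)."""
    d = tempfile.mkdtemp(prefix="setuid-audit-")
    p = os.path.join(d, "sample-bin")
    open(p, "w").close()
    os.chmod(p, 0o4755)  # rwsr-xr-x
    return p


if __name__ == "__main__":
    for hit in find_setuid_root([d for d in ("/usr/bin", "/bin") if os.path.isdir(d)]):
        print(setuid_audit(hit))
```

Run it as root or as an ordinary user; either way it lists the setuid root helpers (sudo among them) whose logic, not just their memory safety, must be trusted.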
The flaw — recently uncovered — lies not in a buffer overflow or heap mismanagement, but in how sudo handles the --chroot option and its integration with the Name Service Switch (NSS) system.
Here’s the attack breakdown:
Chroot Jails
The…