• Overview
    Key features
    • Observability
    • Auto-scaling
    • Multiframework
    • Security
    • Django
    • Next.js
    • Drupal
    • WordPress
    • Symfony
    • Magento
    • See all frameworks
    • PHP
    • Python
    • Node.js
    • Ruby
    • Java
    • Go
  • Industries
    • Consumer Goods
    • Media/Entertainment
    • Higher Education
    • Government
    • Ecommerce
  • Pricing
  • Featured articles
    • Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
    • Organizations, the ultimate way to manage your users and projects
  • Support
  • Docs
  • Login
  • Request a demo
  • Free Trial
Meet Upsun. The new, self-service, fully managed PaaS, powered by Platform.sh.Try it now
Cover image

Sudo bug doesn't affect Platform.sh users

27 January, 2021

Yesterday security firm Qualys announced a vulnerability known as CVE-2021-3156, or by the slightly catchier nickname "Baron Samedit." The exploit can allow escalation of privileges on Linux and Unix systems (basically most of The Internet), which would give an unauthorized user access to the sudo command. The sudo command allows a user to assume permissions of another user, most commonly the root user on the system, who has near complete control over data and software running on the computer. That's bad.

TL;DR: Platform.sh customers are protected from the CVE-2021-3156 'Baron Samedit' exploit

Platform.sh is built on the core principle of separation of concerns and on the idea that once built, software shouldn't be able to make edits to itself. This seems pretty logical, but it's not usually the way software for the Web is built. Our Chief Product Officer, Ori Pekelman, explained this critical difference between the way Platform.sh and the way traditional web sites and apps build in containers.

Platform.sh doesn't even include the sudo or sudoedit processes in containers we deploy. No, really, look:

So in the case of 'Baron Samedit', if the command isn't available, it can't be exploited by an attacker.

Separation of concerns at Platform.sh

The key concerns we're separating in this case are the building of software and the running of that software. Platform.sh isn't like traditional web hosting platforms in many ways. In particular, when your applications are on Platform.sh, the processes that compile or prepare software (for example, to bundle in dependencies) are entirely disconnected from the processes that run your applications. Since you don't need sudo to run your application, we don't even install it in the runtime containers.

If your software does need to write to the filesystem, that can happen during the build phase before it's available to the Internet and where it's built repeatably and consistently from Git. But never during the run phase.

Don't allow your software to write to itself

Some of the most common vulnerabilities in web software come from allowing users to upload code to an application or allowing applications to modify files that the computer can execute.

That's why Platform.sh deploys the containers that actually run your software with read-only filesystems. So even if an attacker managed to upload code to your app, the app itself could not be changed.

So in the case of "Baron Samedit," you're doubly protected. Even if we did have the sudo command installed, an attacker would also need to write to the /etc/passwd file, which, of course, is not writable at all on Platform.sh.

Further reading, and how to ask questions

If you want to go deeper into how Platform.sh works to protect your website or application security by design, check out these posts from our team:

And of course we're always available to answer customer's questions via our Customer Care team, or our public Slack channel.

Get the latest Platform.sh news and resources

Related Content

We can’t wait for SBOMs to be demanded by regulation

We can’t wait for SBOMs to be demanded by regulation

AboutSecurity and complianceTrust CenterCareersPressContact us
Thank you for subscribing!
Field required
Leader Winter 2023
System StatusPrivacyTerms of ServiceImpressumWCAG ComplianceAcceptable Use PolicyManage your cookie preferencesReport a security issue
© 2024 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺