How do I make sudo "trusted"?
Aleksey Nogin
aleksey at nogin.org
Fri Mar 12 06:39:14 UTC 2004
On 11.03.2004 07:36, Stephen Smalley wrote:
> sudo authenticates the current user, not the target user,
Well, sudo + sudoers does authenticate the "I am somebody who can act on
behalf of the target user"; why is this insufficient?
> so having it change the SELinux user identity would be dangerous.
Even if explicitly permitted by sudoers?
> It can change
> roles (if the current user identity is authorized for the role) via the
> -r option. Hence, if you add yourself to policy/users and authorize
> yourself for staff_r and sysadm_r and reload your policy, then you
> should be able to do sudo -r sysadm_r <command>.
Do you expect everybody who is used to doing things via sudo (a lot of
places where more than one user has admin access have policies insisting
on sudo - in particular because sudo will log everything) to be willing
to figure this out? Why does this information (e.g. "user x is allowed to
act as root when re-authenticated") have to be listed in _two_ separate
places (sudoers and policies)?
> In order to have sudo safely change the SELinux user identity (to root),
> you would need another mechanism for specifying what roles/domains are
> permitted to the calling user, e.g. new fields in /etc/sudoers.
That would be the best solution IMHO. Should I file a Bugzilla RFE?
> Even
> then, you still need to start from staff_r in order to reach sysadm_r;
> the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
> in enforcing mode).
Not sure I understand what you are saying - it works with su; why can't
it be made to work with sudo?
----
On 11.03.2004 13:17, Jeff Johnson wrote:
> All true.
>
> But there's always
> sudo su -
I wish it was that easy...
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { read } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.930:0): avc: denied { search } for pid=20828 exe=/bin/su dev= ino=791 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=dir
audit(1079073344.930:0): avc: denied { read write } for pid=20828 exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1079073344.930:0): avc: denied { compute_av } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073344.935:0): avc: denied { read } for pid=20828 exe=/bin/su name=shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073344.935:0): avc: denied { getattr } for pid=20828 exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073345.026:0): avc: denied { compute_user } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.079:0): avc: denied { check_context } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { compute_relabel } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc: denied { relabelfrom } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { relabelto } for pid=20828 exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1079073345.080:0): avc: denied { write } for pid=20828 exe=/bin/su name=exec dev= ino=1364983829 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=file
audit(1079073345.080:0): avc: denied { setexec } for pid=20828 exe=/bin/su scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=process
audit(1079073345.082:0): avc: denied { setuid } for pid=20829 exe=/bin/su capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1079073345.083:0): avc: denied { transition } for pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.083:0): avc: denied { siginh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { rlimitinh } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc: denied { noatsecure } for pid=20829 exe=/bin/bash scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
--
Aleksey Nogin
Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
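An added example, not part of the original message or of any SELinux tool: a small parser for AVC denial records in the 2004-era `audit(<epoch>:<serial>): avc: denied { perms } for key=value ...` format quoted above, with two triage helpers a defender reading such a log wants: which source domain was denied which permissions on which target type and class, and which process transitions were refused. The sample input is constructed from four of the records in the post (one record per line, as the kernel emits them); the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four of the AVC records quoted in the post, one per line.
SAMPLE_AVC = """\
audit(1079073344.898:0): avc: denied { execute } for pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc: denied { entrypoint } for pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.930:0): avc: denied { read write } for pid=20828 exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1079073345.083:0): avc: denied { transition } for pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
"""

# Record header: audit(<epoch>:<serial>): avc: <verdict> { perm perm ... } for <key=value ...>
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: (?P<verdict>denied|granted) "
    r"\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$"
)
# key=value pairs; the value may be empty (e.g. "dev=" on pseudo filesystems such as selinuxfs)
KV_RE = re.compile(r"(\w+)=(\S*)")


def split_context(ctx):
    """Split 'user:role:type[:range]' into its parts (no MLS range on the systems quoted)."""
    parts = ctx.split(":")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "range": ":".join(parts[3:]) or None}


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
    }
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def parse_avc_log(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def summarize_denials(records):
    """Map (source type, target type, object class) -> sorted list of denied permissions."""
    summary = defaultdict(set)
    for r in records:
        if r["verdict"] != "denied":
            continue
        key = (split_context(r["scontext"])["type"],
               split_context(r["tcontext"])["type"],
               r["tclass"])
        summary[key] |= r["perms"]
    return {k: sorted(v) for k, v in summary.items()}


def denied_transitions(records):
    """(exe, scontext, tcontext) for every refused process domain transition."""
    return [(r.get("exe"), r["scontext"], r["tcontext"])
            for r in records
            if r["verdict"] == "denied" and r["tclass"] == "process"
            and "transition" in r["perms"]]


def programs_by_domain(records):
    """Map each executable to the sorted list of source domains it was seen running in.
    Seeing /bin/su only in user_t (never su_t) is the tell that no domain transition
    happened on exec, so every later denial is just user_t lacking su's privileges."""
    seen = defaultdict(set)
    for r in records:
        if "exe" in r:
            seen[r["exe"]].add(split_context(r["scontext"])["type"])
    return {exe: sorted(types) for exe, types in seen.items()}


if __name__ == "__main__":
    recs = parse_avc_log(SAMPLE_AVC)
    for key, perms in sorted(summarize_denials(recs).items()):
        print("%-8s -> %-12s %-8s denied %s" % (key[0], key[1], key[2], " ".join(perms)))
    for exe, sctx, tctx in denied_transitions(recs):
        print("transition refused: %s %s -> %s" % (exe, sctx, tctx))
    print(programs_by_domain(recs))
```

Run over the full set of records quoted above, `programs_by_domain` shows /bin/su running only in user_t, and `denied_transitions` shows that domain being refused the step into root:sysadm_r:sysadm_t; that is the policy-level reason the "sudo su -" shortcut fails here, independent of what sudoers says.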