How do I make sudo "trusted"?
Jeff Johnson
n3npq at nc.rr.com
Thu Mar 11 21:17:53 UTC 2004
Stephen Smalley wrote:
>On Thu, 2004-03-11 at 10:19, Aleksey Nogin wrote:
>
>>Contrast the following two:
>>
>>% su -c id
>>Password:
>>uid=0(root) gid=0(root)
>>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>context=root:sysadm_r:sysadm_t
>>
>>% sudo id
>>Password:
>>uid=0(root) gid=0(root)
>>groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>context=user_u:user_r:user_t
>>
>>How do I change my local policy so have sudo grant the same sysadm
>>permissions as su does? Is it possible to make it tunable? Or is this
>>something that is very dangerous and should not be done? Thanks!
>
>sudo authenticates the current user, not the target user, so having it
>change the SELinux user identity would be dangerous. It can change
>roles (if the current user identity is authorized for the role) via the
>-r option. Hence, if you add yourself to policy/users and authorize
>yourself for staff_r and sysadm_r and reload your policy, then you
>should be able to do sudo -r sysadm_r <command>.
>
>In order to have sudo safely change the SELinux user identity (to root),
>you would need another mechanism for specifying what roles/domains are
>permitted to the calling user, e.g. new fields in /etc/sudoers. Even
>then, you still need to start from staff_r in order to reach sysadm_r;
>the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
>in enforcing mode).
>
All true.
But there's always
sudo su -
73 de Jeff
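The procedure Stephen describes in the quoted reply (authorize the calling user for staff_r and sysadm_r in policy/users, reload the policy, then run `sudo -r sysadm_r <command>`), written up as an added shell example. This is not code from the thread or from the SELinux project. The policy source path and the `make load` target are assumptions about the 2004-era example policy layout; the role checker only encodes what the reply states, that user_r is not allowed to transition to sysadm_r while staff_r is.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the example policy
# source tree lives at $POLICY_SRC and that its Makefile has a "load"
# target (both assumed), and that sudo carries the SELinux -r patch.
POLICY_SRC=${POLICY_SRC:-/etc/security/selinux/src/policy}

# Build the policy/users line that authorizes a Linux user for staff_r and
# sysadm_r. Appending this line is the "add yourself to policy/users" step.
users_line() {
    printf 'user %s roles { staff_r sysadm_r };\n' "$1"
}

# Pull the role out of a context string such as user_u:user_r:user_t
# (the third field of the "context=" line that id prints on the page).
context_role() {
    printf '%s\n' "$1" | cut -d: -f2
}

# Decide whether "sudo -r sysadm_r" can work from the given context.
# Per the reply, user_r has no transition to sysadm_r; staff_r does.
can_reach_sysadm() {
    case "$(context_role "$1")" in
        staff_r|sysadm_r) return 0 ;;
        *)                return 1 ;;
    esac
}

# Full procedure: authorize $1, reload policy, then run the command as
# sysadm_r via sudo. Not invoked here; it needs root and a policy tree.
grant_sysadm_via_sudo() {
    user=$1; shift
    users_line "$user" >> "$POLICY_SRC/users"       # assumed file name
    make -C "$POLICY_SRC" load                       # assumed target
    sudo -r sysadm_r "$@"
}

# Sanity check against the two contexts shown in the thread.
if can_reach_sysadm "root:sysadm_r:sysadm_t"; then
    echo "su -c path: already sysadm_r"
fi
if ! can_reach_sysadm "user_u:user_r:user_t"; then
    echo "plain sudo path: user_r, sudo -r sysadm_r will not get there"
fi
```

Run it as a normal user to see the role check; only call `grant_sysadm_via_sudo` after confirming the policy source path and Makefile target on your own system, since the SELinux user identity it relies on is still the calling user's, exactly as the reply says.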