How do I make sudo "trusted"?

Aleksey Nogin aleksey at nogin.org
Fri Mar 12 06:39:14 UTC 2004


On 11.03.2004 07:36, Stephen Smalley wrote:

> sudo authenticates the current user, not the target user, 

Well, sudo + sudoers does authenticate the "I am somebody who can act on 
behalf of the target user", so why is this insufficient?

> so having it change the SELinux user identity would be dangerous.

Even if explicitly permitted by sudoers?

> It can change
> roles (if the current user identity is authorized for the role) via the
> -r option.  Hence, if you add yourself to policy/users and authorize
> yourself for staff_r and sysadm_r and reload your policy, then you
> should be able to do sudo -r sysadm_r <command>.

Do you expect everybody who is used to doing things via sudo (a lot of 
places where more than one user has admin access have policies insisting 
on sudo - in particular because sudo will log everything) to be willing 
to figure this out? Why does this information (e.g. "user x is allowed to 
act as root when re-authenticated") have to be listed in _two_ separate 
places (sudoers and policies)?

> In order to have sudo safely change the SELinux user identity (to root),
> you would need another mechanism for specifying what roles/domains are
> permitted to the calling user, e.g. new fields in /etc/sudoers. 

That would be the best solution IMHO. Should I file a Bugzilla RFE?

> Even
> then, you still need to start from staff_r in order to reach sysadm_r;
> the policy doesn't allow user_r to transition to sysadm_r (if SELinux is
> in enforcing mode).

Not sure I understand what you are saying - it works with su, why can't 
it be made to work with sudo?

----

On 11.03.2004 13:17, Jeff Johnson wrote:

> All true.
> 
> But there's always
>    sudo su -

I wish it was that easy...

audit(1079073344.898:0): avc:  denied  { execute } for  pid=20828 
exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 
scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t 
tclass=file
audit(1079073344.898:0): avc:  denied  { entrypoint } for  pid=20828 
exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 
scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t 
tclass=file
audit(1079073344.898:0): avc:  denied  { read } for  pid=20828 
exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 
scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t 
tclass=file
audit(1079073344.930:0): avc:  denied  { search } for  pid=20828 
exe=/bin/su dev= ino=791 scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=dir
audit(1079073344.930:0): avc:  denied  { read write } for  pid=20828 
exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=file
audit(1079073344.930:0): avc:  denied  { compute_av } for  pid=20828 
exe=/bin/su scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=security
audit(1079073344.935:0): avc:  denied  { read } for  pid=20828 
exe=/bin/su name=shadow dev=hda2 ino=229911 
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t 
tclass=file
audit(1079073344.935:0): avc:  denied  { getattr } for  pid=20828 
exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 
scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t 
tclass=file
audit(1079073345.026:0): avc:  denied  { compute_user } for  pid=20828 
exe=/bin/su scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.079:0): avc:  denied  { check_context } for  pid=20828 
exe=/bin/su scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc:  denied  { compute_relabel } for 
pid=20828 exe=/bin/su scontext=user_u:user_r:user_t 
tcontext=system_u:object_r:security_t tclass=security
audit(1079073345.080:0): avc:  denied  { relabelfrom } for  pid=20828 
exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t 
tcontext=user_u:object_r:user_devpts_t tclass=chr_file
audit(1079073345.080:0): avc:  denied  { relabelto } for  pid=20828 
exe=/bin/su name=7 dev= ino=9 scontext=user_u:user_r:user_t 
tcontext=root:object_r:sysadm_devpts_t tclass=chr_file
audit(1079073345.080:0): avc:  denied  { write } for  pid=20828 
exe=/bin/su name=exec dev= ino=1364983829 scontext=user_u:user_r:user_t 
tcontext=user_u:user_r:user_t tclass=file
audit(1079073345.080:0): avc:  denied  { setexec } for  pid=20828 
exe=/bin/su scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t 
tclass=process
audit(1079073345.082:0): avc:  denied  { setuid } for  pid=20829 
exe=/bin/su capability=7 scontext=user_u:user_r:user_t 
tcontext=user_u:user_r:user_t tclass=capability
audit(1079073345.083:0): avc:  denied  { transition } for  pid=20829 
exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 
scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.083:0): avc:  denied  { siginh } for  pid=20829 
exe=/bin/bash scontext=user_u:user_r:user_t 
tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc:  denied  { rlimitinh } for  pid=20829 
exe=/bin/bash scontext=user_u:user_r:user_t 
tcontext=root:sysadm_r:sysadm_t tclass=process
audit(1079073345.084:0): avc:  denied  { noatsecure } for  pid=20829 
exe=/bin/bash scontext=user_u:user_r:user_t 
tcontext=root:sysadm_r:sysadm_t tclass=process


-- 
Aleksey Nogin

Home Page: http://nogin.org/
E-Mail: nogin at cs.caltech.edu (office), aleksey at nogin.org (personal)
Office: Jorgensen 70, tel: (626) 395-2907
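The AVC records in the post above are easier to reason about once they are reduced to the rules the policy lacks and the one denial that explains the rest. The following is an added example for this thread, not code from the original post, from sudo, or from the SELinux project; it parses old-style (pre-auditd) AVC lines the way audit2allow summarises them, and additionally flags the `entrypoint` denial, because that record names the domain the new process was about to run in (`user_t`, not a dedicated su domain), which is why every later step of `sudo su -` fails. The record text in `SAMPLE_AVC` is copied from the post with the mail-wrapped lines rejoined; the function names and the "dangerous rule" heuristic are this example's own assumptions.

```python
"""Parse and summarise 2004-era SELinux AVC denial records (audit2allow-style)
and flag an exec that landed in the caller's user domain instead of a
dedicated one.  Added example for this thread; not code from the post,
from sudo, or from the SELinux project."""
import re
from collections import defaultdict

# Sample input: a subset of the records from the post, rejoined onto one
# line each so they parse like the kernel printed them.
SAMPLE_AVC = """\
audit(1079073344.898:0): avc:  denied  { execute } for  pid=20828 exe=/usr/bin/sudo name=su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc:  denied  { entrypoint } for  pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:user_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.898:0): avc:  denied  { read } for  pid=20828 exe=/usr/bin/sudo path=/bin/su dev=hda2 ino=3662894 scontext=user_u:user_r:sudo_t tcontext=system_u:object_r:su_exec_t tclass=file
audit(1079073344.930:0): avc:  denied  { read write } for  pid=20828 exe=/bin/su name=access dev= ino=6 scontext=user_u:user_r:user_t tcontext=system_u:object_r:security_t tclass=file
audit(1079073344.935:0): avc:  denied  { read } for  pid=20828 exe=/bin/su name=shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073344.935:0): avc:  denied  { getattr } for  pid=20828 exe=/bin/su path=/etc/shadow dev=hda2 ino=229911 scontext=user_u:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
audit(1079073345.082:0): avc:  denied  { setuid } for  pid=20829 exe=/bin/su capability=7 scontext=user_u:user_r:user_t tcontext=user_u:user_r:user_t tclass=capability
audit(1079073345.083:0): avc:  denied  { transition } for  pid=20829 exe=/bin/su path=/bin/bash dev=hda2 ino=3662881 scontext=user_u:user_r:user_t tcontext=root:sysadm_r:sysadm_t tclass=process
"""

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # value may be empty, e.g. "dev="


def type_of(context):
    """user:role:type -> type (contexts of this era carry no MLS field)."""
    return context.split(":")[2]


def parse_avc(text):
    """One dict per denial: 'perms' (list) plus every key=value field present
    (pid, exe, path, scontext, tcontext, tclass, ...).  Non-AVC lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = dict(FIELD_RE.findall(m.group("rest")))
        rec["perms"] = m.group("perms").split()
        records.append(rec)
    return records


def summarise(records):
    """Union of denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for r in records:
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        needed[key].update(r["perms"])
    return needed


def allow_rules(records):
    """audit2allow-style output: the rule that would silence each group of
    denials.  Diagnostic only; see dangerous_rules() before using any of it."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarise(records).items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


def exec_without_transition(records):
    """An 'entrypoint' denial is checked with the *new* process domain as
    scontext.  If that domain is an ordinary user domain rather than one
    dedicated to the binary, the real gap is a missing domain transition;
    the file/capability denials that follow are just consequences.
    Returns (new_domain, exec_type, exe) triples."""
    return [(type_of(r["scontext"]), type_of(r["tcontext"]), r.get("exe", "?"))
            for r in records
            if "entrypoint" in r["perms"] and r["tclass"] == "file"]


def dangerous_rules(records):
    """Rules that would hand the unprivileged user_t domain password hashes,
    capabilities, or a process transition.  Heuristic for this example:
    never paste these into a policy just because they silence a denial."""
    bad = []
    for (src, tgt, cls), perms in sorted(summarise(records).items()):
        if src == "user_t" and (tgt == "shadow_t" or cls in ("capability", "process")):
            bad.append((src, tgt, cls, sorted(perms)))
    return bad


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for rule in allow_rules(recs):
        print(rule)
    print("exec without domain transition:", exec_without_transition(recs))
    print("do NOT allow:", dangerous_rules(recs))
```

Run against the records above, the summary shows `sudo_t` lacking `execute`/`read` on `su_exec_t`, and then `/bin/su` running as plain `user_t`, which is why it cannot read `shadow_t`, use `setuid`, or transition to `sysadm_t`. The fix belongs at the transition (the domain sudo enters su in), not in the three `user_t` rules the summary prints last; those would weaken the policy for every user.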




More information about the fedora-selinux-list mailing list