selinux patch breaks sudo NOEXEC capability

Gene Czarcinski gene at czarc.net
Fri Jan 20 15:26:28 UTC 2006


This problem has been reported as 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178429 against 
fc5test1/development although it exists in FC4 also (the sudo NOEXEC 
capability was not available in FC3).

Sudo 1.6.8p8 and later (maybe a bit earlier too) adds a NOEXEC option.  The 
NOEXEC option is an important security feature since it suppresses a user's 
ability to "shell out" of a program such as vi to get general root access.  
When NOEXEC is working, you can use "sudo vi xxx" to edit file xxx but you 
cannot shell out (e.g., ":!bash") from vi.

If the selinux patch to the sudo package is applied, then you get the message:

   /usr/sbin/sesh: Error execing /bin/vi: Permission denied

and you cannot run vi (or anything) under sudo (when "Defaults noexec" is 
specified in the /etc/sudoers file).

A very quick look at the code says that this will not be easy to fix since 
sudo implements NOEXEC by dummying out the "exec" functions for the program 
run by sudo.  With the selinux patch applied, sudo invokes /usr/sbin/sesh 
before invoking your program and sesh is using the dummied-out exec function.

Gene
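As an added illustration of the mechanism Gene describes (not sudo's own source and not part of the original post): a minimal LD_PRELOAD shim that refuses the exec family, plus a hypothetical helper_exec_target() standing in for what sesh does once it is running under that shim. The function names and the exact set of exec variants covered are this example's assumptions.

```c
/* Added example modelled on the technique the post describes: sudo's
 * NOEXEC works by preloading a shared object into the command it runs
 * so that every exec variant fails with EACCES.  A helper such as sesh,
 * which must itself exec the real target, inherits the same preload and
 * is refused too, which is the "Error execing /bin/vi" in the post. */
#include <errno.h>
#include <stdarg.h>
#include <unistd.h>

/* Every exec variant collapses to the same refusal. */
static int refuse_exec(void)
{
    errno = EACCES;
    return -1;
}

int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)path; (void)argv; (void)envp;
    return refuse_exec();
}

int execv(const char *path, char *const argv[])
{
    (void)path; (void)argv;
    return refuse_exec();
}

int execvp(const char *file, char *const argv[])
{
    (void)file; (void)argv;
    return refuse_exec();
}

int execl(const char *path, const char *arg, ...)
{
    (void)path; (void)arg;
    return refuse_exec();
}
/* A real shim also covers execle, execlp, execvpe, fexecve, system(),
 * popen() and posix_spawn(), which reach exec inside libc without
 * passing through the symbols above. */

/* Hypothetical stand-in for a sesh-like helper: its own exec of the real
 * target is refused, so it can only report the errno it got. */
int helper_exec_target(const char *target)
{
    char *const argv[] = { (char *)target, NULL };
    if (execv(target, argv) == -1)
        return errno;        /* EACCES under the shim */
    return 0;                /* unreachable: exec replaced the process */
}
```

Build with `gcc -shared -fPIC -o noexec.so noexec.c` and run `LD_PRELOAD=./noexec.so vi somefile`; `:!sh` inside vi then fails, but so does any wrapper that is expected to exec the editor from inside the same preload.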
