CGI script calling sudo
Matthew Miller
mattdm at mattdm.org
Mon Jul 17 19:15:23 UTC 2006
On Mon, Jul 17, 2006 at 09:05:00PM +0200, Jochen Wiedmann wrote:
> Hi,
> I have a CGI script with the following permissions:
> -rwxr-xr-x root root
> root:object_r:httpd_unconfined_script_exec_t mpver.cgi
> This script is internally invoking "sudo". Sudo itself is a wrapper for
> -rwxr-xr-x root root system_u:object_r:shell_exec_t
> /usr/sbin/sesh
> This invocation fails, however:
> Jul 17 20:51:35 fibudbserver kernel: audit(1153162295.966:6): avc:
> denied { transition } for pid=20441 comm="sudo" name="sesh"
> dev=sda1 ino=235570 scontext=user_u:system_r:httpd_unconfined_script_t
> tcontext=root:system_r:unconfined_t tclass=process
> What do I need to change?
Can you accomplish your task in some other way? This seems horribly
dangerous.
--
Matthew Miller mattdm at mattdm.org <http://mattdm.org/>
Boston University Linux ------> <http://linux.bu.edu/>
More information about the fedora-selinux-list
mailing list