CGI script calling sudo

Matthew Miller mattdm at mattdm.org
Mon Jul 17 19:15:23 UTC 2006


On Mon, Jul 17, 2006 at 09:05:00PM +0200, Jochen Wiedmann wrote:
> Hi,
> I have a CGI script with the following permissions:
>    -rwxr-xr-x  root     root
> root:object_r:httpd_unconfined_script_exec_t  mpver.cgi
> This script is internally invoking "sudo". Sudo itself is a wrapper for
>    -rwxr-xr-x  root     root     system_u:object_r:shell_exec_t
> /usr/sbin/sesh
> This invocation fails, however:
>    Jul 17 20:51:35 fibudbserver kernel: audit(1153162295.966:6): avc:
>    denied  { transition } for  pid=20441 comm="sudo" name="sesh"
>    dev=sda1 ino=235570 scontext=user_u:system_r:httpd_unconfined_script_t
>    tcontext=root:system_r:unconfined_t tclass=process
> What do I need to change?

Can you accomplish your task in some other way? This seems horribly
dangerous.

-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>
Boston University Linux      ------>              <http://linux.bu.edu/>




More information about the fedora-selinux-list mailing list