From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [patch 1/1] sudo: Fixes for sudo, handle /var/db/sudo
Date: Mon, 21 Feb 2011 09:02:22 -0500 [thread overview]
Message-ID: <4D62706E.9090801@redhat.com> (raw)
In-Reply-To: <1298092089.3101.51.camel@tesla.lan>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 02/19/2011 12:08 AM, Guido Trentalancia wrote:
> Hello Miroslav !
>
> On Fri, 18/02/2011 at 17.15 +0000, Miroslav Grepl wrote:
>> http://mgrepl.fedorapeople.org/F15/admin_sudo.patch
>>
>> * Allow sudo to send signals to any domains the user could have
>> transitioned to.
>> * Handle /var/db/sudo
>> * Allow users to run executables in /tmp or ~/
>
> To the best of my knowledge, the first part of the last change is
> something really bad from a security point of view.
>
> System administrators put much effort to avoid that (such as
> mounting /tmp with noexec, nosuid options) !
>
> A legitimate user does not need to store his/her executables in /tmp, as
> he/she has at least its own home directory available for that (and if
> he/she cannot write there, then he/she is probably over quota).
>
> /tmp just "potentially provides storage space for malicious
> executables" (quoted from paragraph 2.2.1.3 of NSA public document
> "Guide to the Secure Configuration of Red Hat Enterprise Linux 5"
> Revision 4, but any decent web search engine would easily provide you
> with tons of pages relative to the cries of those whom have allowed that
> sort of thing to happen on their systems).
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
+ userdom_domtrans_user_tmp($1_sudo_t, $3)
Says to run user_tmp_t files as staff_t, Which is the equivalent of if
the staff_t had executed the file directly.
I guess if execution of homedir/tmp dir was turned off this could be
seen as a priv escalation.
staff_t is not allowed to execute user_tmp_t, but it can if it goes
through sudo.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAk1icG4ACgkQrlYvE4MpobO/SgCcCeagx2SuBd2InuVNk25YXt4b
agEAoJOxwZz4QbXFkUrUGjvovKVFutO0
=bNTO
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2011-02-21 14:02 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-18 17:15 [refpolicy] [patch 1/1] sudo: Fixes for sudo, handle /var/db/sudo Miroslav Grepl
2011-02-19 5:08 ` Guido Trentalancia
2011-02-21 14:02 ` Daniel J Walsh [this message]
2011-02-21 14:07 ` Dominick Grift
2011-02-21 16:59 ` Daniel J Walsh
2011-02-21 17:40 ` Dominick Grift
2011-02-21 17:42 ` Dominick Grift
2011-02-21 19:23 ` Daniel J Walsh
2011-02-21 19:24 ` Dominick Grift
2011-02-19 10:05 ` Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D62706E.9090801@redhat.com \
--to=dwalsh@redhat.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.