| 1 |
hi, |
| 2 |
|
| 3 |
On Sun, Jun 10, 2007 at 08:03:25PM +0200, Krzysztof Kozłowski wrote: |
| 4 |
> Petre Rodan wrote: |
| 5 |
> > - you're opening up a pandora's box here because I'm sure one can be very imaginative of what can be run thru sudo and not be allowed by the policy |
| 6 |
> So you are saying that with "su" the sysadmin cannot run all possible |
| 7 |
> commands? |
| 8 |
|
| 9 |
with "sudo", not "su". once sysadm_t executes sudo, the domain becomes sysamd_sudo_t as you seen in the avc denies. it will not stay sysadm_t, so it will have a different (lower) set of privileges. what should and should not be allowed to *_sudo_t is a per-system decision, just as /etc/sudoers. |
| 10 |
once a shell is spawned I think things will change, but I bet you don't want someone to just "sudo bash". |
| 11 |
|
| 12 |
> For example - I have to edit /etc/fstab. So I have two choices: |
| 13 |
> $ newrole -r sysadm |
| 14 |
> $ su - |
| 15 |
> # vi /etc/fstab |
| 16 |
> (or "$ su - -c 'vi /etc/fstab'") |
| 17 |
> or |
| 18 |
> $ newrole -r sysadm // or something else |
| 19 |
> $ sudo vi /etc/fstab |
| 20 |
> |
| 21 |
> And the first choice is better from security point of view? |
| 22 |
|
| 23 |
IMHO, yes. |
| 24 |
|
| 25 |
> For me it looks like that policies for "su" and "sudo" will be similar in such examples. Am I |
| 26 |
> wrong? |
| 27 |
|
| 28 |
policies are somewhat similar, yes. both policies allow the derived domain to revert to the calling domain by executing a shell. but this is default behaviour for "su", and unwanted side-effect for "sudo". |
| 29 |
|
| 30 |
> Is there another /better/ way for running one command as root? |
| 31 |
|
| 32 |
personally I'm using a password storing system where I can simply run something like "$server $command" from my laptop, and a ssh will be run towards $server, "newrole" and "su" receive their passwords via expect and the optional $command is run on that server. so the whole "su"-ing can be very easy, you don't even need to keep the passwords in mind :) |
| 33 |
|
| 34 |
now you made me think of what would happen if you allow vi to be executed via sudoers, and you spawn a shell via vi :)). too bad I don't use that abomin^Wsudo. |
| 35 |
|
| 36 |
bye, |
| 37 |
peter |
| 38 |
|
| 39 |
-- |
| 40 |
petre rodan |
| 41 |
<kaiowas@g.o> |
| 42 |
Developer, |
| 43 |
Hardened Gentoo Linux |
Archives