hi,

On Sun, Jun 10, 2007 at 08:03:25PM +0200, Krzysztof Kozłowski wrote:
> Petre Rodan wrote:
> > - you're opening up a Pandora's box here because I'm sure one can be very imaginative of what can be run thru sudo and not be allowed by the policy
> So you are saying that with "su" the sysadmin cannot run all possible
> commands?

with "sudo", not "su". once sysadm_t executes sudo, the domain becomes sysadm_sudo_t as you have seen in the avc denies. it will not stay sysadm_t, so it will have a different (lower) set of privileges. what should and should not be allowed to *_sudo_t is a per-system decision, just as /etc/sudoers.
once a shell is spawned I think things will change, but I bet you don't want someone to just "sudo bash".

> For example - I have to edit /etc/fstab. So I have two choices:
> $ newrole -r sysadm
> $ su -
> # vi /etc/fstab
> (or "$ su - -c 'vi /etc/fstab'")
> or
> $ newrole -r sysadm // or something else
> $ sudo vi /etc/fstab
>
> And the first choice is better from a security point of view?

IMHO, yes.

> For me it looks like policies for "su" and "sudo" will be similar in such examples. Am I
> wrong?

policies are somewhat similar, yes. both policies allow the derived domain to revert to the calling domain by executing a shell. but this is the default behaviour for "su", and an unwanted side-effect for "sudo".

> Is there another /better/ way for running one command as root?

personally I'm using a password storing system where I can simply run something like "$server $command" from my laptop, and a ssh will be run towards $server, "newrole" and "su" receive their passwords via expect and the optional $command is run on that server. so the whole "su"-ing can be very easy, you don't even need to keep the passwords in mind :)

now you made me think of what would happen if you allow vi to be executed via sudoers, and you spawn a shell via vi :)). too bad I don't use that abomin^Wsudo.

bye,
peter

--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
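
Added example, not part of the original message: a simplified audit of sudoers user rules for the two cases raised above, a rule that grants a shell directly ("sudo bash") and a rule for an editor such as vi that can spawn one. The SHELLS and ESCAPERS lists and the sample rules are constructed assumptions; aliases, line continuations and includes are not handled.

```python
import re

SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
# Programs with a built-in "run a shell command" feature (":!" in vi, "!" in less).
ESCAPERS = {"vi", "vim", "view", "less", "more", "man"}

SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(.+)$")  # user host = command list
ITEM = re.compile(r"^(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.*)$")  # (runas) TAG: cmd

def audit_sudoers(text):
    """Return (line_no, user, command, reason) for rules that can yield a shell."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        m = SPEC.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1).startswith("Defaults") or m.group(1).endswith("_Alias"):
            continue
        user, noexec = m.group(1), False
        for item in m.group(2).split(","):
            tags, cmd = ITEM.match(item.strip()).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                # NOEXEC/EXEC stay in effect for later commands in the same rule.
                if tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            if not cmd:
                continue
            base = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reason = "any command, including a shell"
            elif base in SHELLS:
                reason = "direct shell"
            elif base in ESCAPERS and not noexec:
                reason = "shell escape possible; consider sudoedit or NOEXEC"
            else:
                continue
            findings.append((no, user, cmd, reason))
    return findings

# Constructed sample rules, not taken from the original message.
SAMPLE = """\
# constructed sample
Defaults env_reset
alice  ALL = /usr/bin/vi /etc/fstab
bob    ALL = (root) NOEXEC: /usr/bin/vi /etc/fstab, EXEC: /bin/bash
carol  ALL = sudoedit /etc/fstab
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

The sudoedit rule is not flagged because the editor then runs as the invoking user on a temporary copy, so a shell spawned from it has no elevated privileges.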