hi,

On Sun, Jun 10, 2007 at 07:41:16PM -0500, Brant Williams wrote:
>
> Correct me if I'm wrong, but wouldn't one of the main points of running
> SELinux be to get away from the "root" user and su/sudo/setuid/setgid?
> I'd think one could edit /etc/fstab if the role permitted it...

you still need uid=0 in order to modify a file owned by root. reaching uid=0 was the subject of our discussion.

> why not
> configure a role to allow editing of [certain] system files?

yup, let's call it sysadm_r.


bye,
peter

> On Sun, 10 Jun 2007, Krzysztof Kozłowski wrote:
>
> > Petre Rodan wrote:
> > > - you're opening up a pandora's box here because I'm sure one can be very imaginative of what can be run thru sudo and not be allowed by the policy
> > So you are saying that with "su" the sysadmin cannot run all possible
> > commands? For example - I have to edit /etc/fstab. So I have two choices:
> > $ newrole -r sysadm
> > $ su -
> > # vi /etc/fstab
> > (or "$ su - -c 'vi /etc/fstab'")
> > or
> > $ newrole -r sysadm // or something else
> > $ sudo vi /etc/fstab
> >
> > And the first choice is better from a security point of view? For me it looks
> > like the policies for "su" and "sudo" will be similar in such examples. Am I
> > wrong? Is there another /better/ way for running one command as root?
> >
> >
> > > - a misconfigured or broken sudo greatly weakens the security of a system by possibly allowing privilege escalation, so why even install it?
> > One simple reason is that it is an easy way to log root commands (when of
> > course the sysadmin wants it to be logged, e.g. he doesn't type "sudo bash" or
> > something).
> >
> >
> >
> >
> > --
> > Krzysztof Kozłowski
> > http://www.kozik.net.pl
> >
> >
> > --
> > gentoo-hardened@g.o mailing list
> >
> >


--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
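As an added illustration of the su-versus-sudo point in the thread (this fragment is not from the list posts or from any Gentoo policy), a sudoers excerpt contrasting a blanket root grant with a single-command grant that also requests the SELinux role transition. It assumes sudo built with SELinux support, a user named "alice" (hypothetical) who normally works in staff_r, and that the policy allows her to reach sysadm_r.

```text
# sudoers fragment (added example, hypothetical user "alice")

# Record the full terminal session of every sudo run, not just the command
# line; "sudo bash" still shows up, and everything typed into it is kept.
Defaults log_output

# Weak: unrestricted root. Any command, including an interactive shell,
# so the per-command audit trail the thread mentions is easily bypassed.
# alice ALL=(ALL) ALL

# Narrower: only the one edit, performed in the sysadm_r role/type.
# sudoedit copies the file to a temp location, runs the editor as alice
# (so editor shell escapes stay at her privilege), then writes it back
# as root; uid 0 is still what finally modifies the root-owned file.
alice ALL=(root) ROLE=sysadm_r TYPE=sysadm_t sudoedit /etc/fstab
```

The role/type keywords here are sudoers' own ROLE= and TYPE= specifiers; whether the transition is actually permitted is decided by the SELinux policy, not by this file.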