Gentoo Archives: gentoo-hardened

From: Petre Rodan <kaiowas@g.o>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux - Root and sudo commands denied
Date: Mon, 11 Jun 2007 06:13:58
Message-Id: 20070611061205.GA6823@peter.simplex.ro
In Reply to: Re: [gentoo-hardened] SELinux - Root and sudo commands denied by Brant Williams
hi,

On Sun, Jun 10, 2007 at 07:41:16PM -0500, Brant Williams wrote:
>
> Correct me if I'm wrong, but wouldn't one of the main points of running
> SELinux be to get away from the "root" user and su/sudo/setuid/setgid?
> I'd think one could edit /etc/fstab if the role permitted it...

you still need uid=0 in order to modify a file owned by root. reaching uid=0 was the subject of our discussion.

> why not
> configure a role to allow editing of [certain] system files?

yup, let's call it sysadm_r.


bye,
peter

> On Sun, 10 Jun 2007, Krzysztof Kozłowski wrote:
>
> > Petre Rodan wrote:
> > > - you're opening up a pandora's box here because I'm sure one can be very imaginative of what can be run thru sudo and not be allowed by the policy
> > So you are saying that with "su" the sysadmin cannot run all possible
> > commands? For example - I have to edit /etc/fstab. So I have two choices:
> > $ newrole -r sysadm
> > $ su -
> > # vi /etc/fstab
> > (or "$ su - -c 'vi /etc/fstab'")
> > or
> > $ newrole -r sysadm // or something else
> > $ sudo vi /etc/fstab
> >
> > And the first choice is better from a security point of view? For me it looks
> > like the policies for "su" and "sudo" will be similar in such examples. Am I
> > wrong? Is there another /better/ way for running one command as root?
> >
> >
> > > - a misconfigured or broken sudo greatly weakens the security of a system by possibly allowing privilege escalation, so why even install it?
> > One simple reason is that it is an easy way to log root commands (when of
> > course the sysadmin wants it to be logged, e.g. he doesn't type "sudo bash" or
> > something).
> >
> > --
> > Krzysztof Kozłowski
> > http://www.kozik.net.pl
> >
> > --
> > gentoo-hardened@g.o mailing list
> >


--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
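Krzysztof's point that sudo is an easy way to log root commands, together with the "sudo bash" caveat, as an added example that is not part of this thread: a small POSIX sh/awk filter over constructed sudo syslog lines (user names, host name and paths are made up) that flags entries whose COMMAND is itself a shell or another privilege-changing tool, since everything typed after such a command never appears in sudo's per-command log.

```shell
#!/bin/sh
# Read syslog-style lines on stdin and classify every sudo entry.
# sudo logs one line per invocation in the form
#   sudo:  user : TTY=... ; PWD=... ; USER=root ; COMMAND=/path/prog args
# A COMMAND that is a shell, su, sudo or newrole defeats that logging
# (the commands run inside it are never seen by sudo), so flag it.
audit_sudo_log() {
    awk '
        /sudo:/ && /COMMAND=/ {
            # invoking user is the word right after "sudo:"
            match($0, /sudo: *[^ ]+/)
            user = substr($0, RSTART + 5, RLENGTH - 5)
            gsub(/^ +/, "", user)
            # COMMAND= runs to end of line; its first word is the program
            cmd = substr($0, index($0, "COMMAND=") + 8)
            split(cmd, parts, " ")
            prog = parts[1]
            sub(/.*\//, "", prog)          # keep only the basename
            if (prog ~ /^(bash|sh|zsh|ksh|dash|su|sudo|newrole)$/)
                printf "SHELL-ESCAPE %s: %s\n", user, cmd
            else
                printf "ok %s: %s\n", user, cmd
        }'
}

# Constructed sample log (not from a real system); the sshd line shows
# that unrelated entries are ignored.
SAMPLE_LOG='Jun 11 06:10:01 host1 sudo:  krzysztof : TTY=pts/0 ; PWD=/home/krzysztof ; USER=root ; COMMAND=/usr/bin/vi /etc/fstab
Jun 11 06:11:23 host1 sudo:  krzysztof : TTY=pts/0 ; PWD=/home/krzysztof ; USER=root ; COMMAND=/bin/bash
Jun 11 06:12:05 host1 sudo:  brant : TTY=pts/1 ; PWD=/home/brant ; USER=root ; COMMAND=/bin/su -
Jun 11 06:12:40 host1 sshd[123]: Accepted publickey for brant from 10.0.0.5'

printf '%s\n' "$SAMPLE_LOG" | audit_sudo_log
```

The same filter can be pointed at a real auth log with `audit_sudo_log < /var/log/auth.log` (path is an assumption; Gentoo setups vary); a `SHELL-ESCAPE` line is where the sudo audit trail ends and only a session-level mechanism such as SELinux role enforcement still applies.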