| 1 |
Hi, |
| 2 |
|
| 3 |
On Sun, Jun 10, 2007 at 06:47:38PM +0200, Krzysztof Kozłowski wrote: |
| 4 |
> Petre Rodan wrote: |
| 5 |
> > any reason why you don't `newrole -r sysadm_r; su -` ? |
| 6 |
> Thanks for reply. "newrole" helped for root commands but not for sudo. Maybe |
| 7 |
> it is problem only with sudo. |
| 8 |
> $ newrole -r sysadm_r |
| 9 |
> $ id -Z |
| 10 |
> staff_u:sysadm_r:sysadm_t |
| 11 |
> $ sudo vi /etc/fstab |
| 12 |
> Jun 10 18:44:25 bambo audit(1181493865.029:1274): avc: denied { write } for |
| 13 |
> pid=30018 comm="vi" name="fstab" dev=sda5 ino=52674 |
| 14 |
> scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t |
| 15 |
> tclass=file |
| 16 |
> Jun 10 18:44:25 bambo audit(1181493865.029:1275): avc: denied { write } for |
| 17 |
> pid=30018 comm="vi" name="etc" dev=sda5 ino=52209 |
| 18 |
> scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t |
| 19 |
> tclass=dir |
| 20 |
|
| 21 |
looking at the policy, only the reading of etc files is allowed to sysadm_sudo_t. |
| 22 |
|
| 23 |
I asked why you're not using 'su -' for two reasons |
| 24 |
|
| 25 |
- you're opening up a pandora's box here because I'm sure one can be very imaginative of what can be run thru sudo and not be allowed by the policy |
| 26 |
- a misconfigured or broken sudo greatly weakens the security of a system by possibly allowing privilege escalation, so why even install it? |
| 27 |
|
| 28 |
bye, |
| 29 |
peter |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
petre rodan |
| 34 |
<kaiowas@g.o> |
| 35 |
Developer, |
| 36 |
Hardened Gentoo Linux |
Archives