Hi,

On Sun, Jun 10, 2007 at 06:47:38PM +0200, Krzysztof Kozłowski wrote:
> Petre Rodan wrote:
> > any reason why you don't `newrole -r sysadm_r; su -` ?
> Thanks for the reply. "newrole" helped for root commands but not for sudo. Maybe
> it is a problem only with sudo.
> $ newrole -r sysadm_r
> $ id -Z
> staff_u:sysadm_r:sysadm_t
> $ sudo vi /etc/fstab
> Jun 10 18:44:25 bambo audit(1181493865.029:1274): avc: denied { write } for
> pid=30018 comm="vi" name="fstab" dev=sda5 ino=52674
> scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t
> tclass=file
> Jun 10 18:44:25 bambo audit(1181493865.029:1275): avc: denied { write } for
> pid=30018 comm="vi" name="etc" dev=sda5 ino=52209
> scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t
> tclass=dir

Looking at the policy, only the reading of etc files is allowed to sysadm_sudo_t.

I asked why you're not using 'su -' for two reasons:

- you're opening up a Pandora's box here because I'm sure one can be very imaginative about what can be run through sudo and not be allowed by the policy
- a misconfigured or broken sudo greatly weakens the security of a system by possibly allowing privilege escalation, so why even install it?

bye,
peter


--
petre rodan
<kaiowas@g.o>
Developer,
Hardened Gentoo Linux
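The denials quoted above say exactly what the policy refused: the sysadm_sudo_t domain asking for write on etc_t files and directories. The following is an added example (not code from this thread or from the Gentoo project) that parses such AVC lines and groups denials by source type, target type and object class, roughly the summary audit2allow prints, so an admin can check whether a denial is intended, as it is here, before touching the policy. The sample log is constructed from the two denials in the thread plus an invented "granted" line to show it is filtered out.

```python
import re
from collections import defaultdict

# Constructed sample: the two denials from the thread, plus one made-up
# "granted" record so the filter below has something to skip.
SAMPLE_LOG = """\
Jun 10 18:44:25 bambo audit(1181493865.029:1274): avc: denied { write } for pid=30018 comm="vi" name="fstab" dev=sda5 ino=52674 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t tclass=file
Jun 10 18:44:25 bambo audit(1181493865.029:1275): avc: denied { write } for pid=30018 comm="vi" name="etc" dev=sda5 ino=52209 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t tclass=dir
Jun 10 18:45:01 bambo audit(1181493901.100:1276): avc: granted { read } for pid=30020 comm="cat" name="passwd" dev=sda5 ino=52300 scontext=staff_u:sysadm_r:sysadm_sudo_t tcontext=system_u:object_r:etc_t tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('kv'))}
    fields['verdict'] = m.group('verdict')
    fields['perms'] = frozenset(m.group('perms').split())
    return fields


def domain_type(context):
    """user:role:type[:level] -> type (e.g. sysadm_sudo_t)."""
    return context.split(':')[2]


def summarize_denials(log_text):
    """Group denials by (source type, target type, class), unioning the permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_avc(line)
        if not f or f['verdict'] != 'denied':
            continue
        key = (domain_type(f['scontext']), domain_type(f['tcontext']), f['tclass'])
        groups[key] |= f['perms']
    return {k: frozenset(v) for k, v in groups.items()}


def describe(summary):
    """One human-readable line per group, sorted for stable output."""
    return [f"{s} -> {t}:{c} {{ {' '.join(sorted(p))} }}"
            for (s, t, c), p in sorted(summary.items())]
```

Run against the thread's log this reports two groups, sysadm_sudo_t writing etc_t as file and as dir, which matches the policy only granting read.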