[sudo-workers] Why, or better when - is exec() or fork() called?
Michael Felt
michael at felt.demon.nl
Mon Oct 9 03:37:16 MDT 2017
* I have the impression that exec() is preferred over fork(). Why not
always fork()?
* Using AIX RBAC - I see a difference in behavior when I call:
sudo ksh
compared to
sudo lssecattr -p $$
e.g.,:
root at x068:[/]su - michael
michael at x068:[/home/michael]swrole sudoer
michael's Password:
michael at x068:[/home/michael]sudo lssecattr -p $$
Password:
sudo: unable to execute /usr/sbin/lssecattr: The file access permissions
do not allow the specified action.
michael at x068:[/home/michael]sudo ksh
michael at x068:[/home/michael]lssecattr -p $$
10616912 eprivs=PV_ROOT mprivs=PV_ROOT iprivs=PV_ROOT lprivs=PV_ROOT
uprivs=PV_DAC_R,PV_DAC_W
michael at x068:[/home/michael]exit
So, it seems that the first command (sudo lssecattr -p $$) is exec()ed,
because it does not gain the privs (via inheritance) needed to execute,
while "sudo ksh" is fork()ed - as it has gained the elevated privs - and
can now execute "lssecattr -p $$"
More info:
root at x068:[/]lssecattr -c /usr/bin/ksh
1420-012 "/usr/bin/ksh" does not exist in the privileged command database.
root at x068:[/]lssecattr -c /usr/sbin/lssecattr
/usr/sbin/lssecattr
accessauths=aix.security.cmd.list,aix.security.device.list,aix.security.file.list,aix.security.proc.list,aix.security.dobject.list
innateprivs=PV_DAC_R,PV_DAC_X
authprivs=aix.security.proc.list=PV_PROC_PRIV+PV_AZ_READ secflags=FSF_EPS
root at x068:[/]
root at x068:[/]rolerpt -c sudoer
role:
sudoer
commands:
/opt/bin/sudo
root at x068:[/]lssecattr -c /opt/bin/sudo
/opt/bin/sudo accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R
inheritprivs=PV_ROOT secflags=FSF_EPS
root at x068:[/]ls -l /opt/bin/sudo
-rwsr-xr-x 1 bin bin 431763 Sep 25 20:42 /opt/bin/sudo
Basically, my preferred setup needs fork() - ALWAYS - so sudo can add
privs for its forked processes (and it will get an added PV so that it
can do that using *raise() and *lower() calls). This way, the sudo
executable will always have a minimum of "privs" active - and the
children will only get what they need. This can be used as a way to
use sudoers grammar, rather than "setsecattr -c", mkauth, mkrole and
setkst commands aka "traditional" AIX RBAC administration - to have
"role-based" access to privileged commands.