[sudo-users] sudo in /var/run
dac.override at gmail.com
Thu Oct 30 14:10:05 MDT 2014
I am not sure if this applies to only my distro or if it is an upstream feature, but in my distro sudo maintains content in /var/run.
Whoever runs sudo first gets his or her MAC-security identifiers associated with /var/run/sudo/.*
This causes issues when those MAC-security identifiers are used to govern access
I suppose there is a good reason for why /var/run/sudo and /var/run/sudo/ts get created the way that they do.
Why can those directories not just be installed, or maintained by systemd-tmpfiles. This would ensure that those directories would be associated with the appropriate MAC-security identifiers (namely the ones associated with the system, and not the ones associated with users)
Is using /var/run/user/$UID/sudo not a viable option? This would ensure UID-based separation, and this would solve the issue without requiring any other modifications, since the location is limited to only that user.
Each user running sudo would get their own /var/run/user/$UID/sudo directory with its own MAC security identifiers.
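As an added example that is not part of the original post, the following shell check audits sudo's runtime directories for the condition described above. It assumes SELinux-style labels of the form user:role:type:level and the record layout produced by GNU coreutils `stat -c '%A %U %G %C %n'`; the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits sudo's runtime
# directories for the problem described above: after the first sudo run,
# /run/sudo and /run/sudo/ts may carry the caller's MAC identity instead of
# the system's. Assumes an SELinux-style label "user:role:type:level".
#
# Input: one record per line, "<mode> <owner> <group> <context> <path>".
# On a live host this is what
#   stat -c '%A %U %G %C %n' /run/sudo /run/sudo/ts
# prints (GNU coreutils; %C is the file's security context).

# Print one MISLABELLED line per record whose owner is not root or whose
# SELinux user is not system_u. Returns 1 if any record was flagged, else 0.
check_sudo_run_labels() {
    bad=0
    while read -r mode owner group ctx path; do
        [ -z "$path" ] && continue           # skip blank or short lines
        seuser=${ctx%%:*}                    # first field of the context
        if [ "$owner" != "root" ] || [ "$seuser" != "system_u" ]; then
            echo "MISLABELLED $path owner=$owner context=$ctx"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: /run/sudo is labelled for the system, but /run/sudo/ts
# inherited the identity of the unconfined user who ran sudo first.
SAMPLE_RECORDS='drwx--x--x root root system_u:object_r:var_run_t:s0 /run/sudo
drwx------ root root unconfined_u:object_r:var_run_t:s0 /run/sudo/ts'

# Demo run over the constructed sample; a real audit pipes stat output instead.
printf '%s\n' "$SAMPLE_RECORDS" | check_sudo_run_labels \
    || echo "sudo runtime directories carry a user identity; relabel or recreate them"
```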