[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Todd C. Miller Todd.Miller at courtesan.com
Mon May 1 10:33:21 MDT 2017


On Mon, 01 May 2017 13:15:16 +0200, Michael Felt wrote:

> I am curious why PV_DAC_{ROX} are needed - the _UID and _GID seem
> clear enough.

This was needed for sudo to be able to access some of its own files
that are root-owned.

> Also, unsure on why:
> PV_FS_CHOWN is needed (wouldn't that be handled by "sudo chown"?)

Sudo itself may use the chown system call to set the owner on certain
files it creates such as the time stamp files and I/O log files.

> PV_PROV_PRIO (why not "sudo nice"?)

The sudo plugin API allows the policy plugin to specify the priority
of the command to be run.  The sudoers plugin does not currently
implement this.

> And, lastly - why try to be specific - when sudo is still elevating
> the command requested to 'root'. Instead, the options:
>                euid
>                     Specifies the effective user ID to assume when the command is run.
>                egid
>                     Specifies the effective group ID to assume when the command is run.
> 
> Could be used rather than 'innateprivs'.

Because sudo can run commands as more than just root.

All that being said, I don't currently have access to an AIX machine
where RBAC is configured so I'm unable to test sudo in that
environment.  Someone had tried to get sudo working in a VIO with
RBAC but never succeeded.  There is some info about this in
https://bugzilla.sudo.ws/show_bug.cgi?id=498

 - todd

