[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ
Michael Felt
michael at felt.demon.nl
Tue May 2 12:41:52 MDT 2017
On 01/05/2017 20:02, Michael Felt wrote:
> If I understand correctly - normally, sudo is setup using "chmod u+s"
>
> An RBAC way to do the same is:
> setsecattr -c euid=0 accessauths=<an_authorization || ALLOW_KEYWORD
> (e.g., ALLOW_ALL)> sec_flags=EFS /path/to/sudo
>
> Ideally, rather than using the keyword ALLOW_ALL an authorization
> would be made and assigned to a role.
>
> e.g., mkauth sudo; mkauth sudo.users; mkauth sudo.admin; mkauth
> sudo.grp.wheel # the last are extra "incase" more granularity is
> needed/desired
> setkst # update kernel security table
>
> Then a role:
> mkrole authorizations=sudo dfltmsg="sudoer role" sudoer
> setkst
>
> Then assign a role to a user
> chuser roles=sudoer michael
>
> setsecattr -c euid=0 accessauths=sudo sec_flags=EFS /usr/local/bin/sudo
> setkst
>
> This is all from documentation - I'll test it.
After having done something like the above - it still was not working - obviously.
So, going into 'trace mode':
1st, as root: upgrade the user's shell:
root@x068:[/]setsecattr -p iprivs=PV_ROOT 4784380
michael@x068:[/home/michael]echo $$; id
4784380
uid=203(michael) gid=1(staff)
michael@x068:[/home/michael]tracepriv lssecattr -p $$
4784380 eprivs= mprivs= iprivs=PV_ROOT lprivs=PV_ROOT uprivs=
4259884: Used privileges for /usr/sbin/lssecattr:
PV_AZ_CHECK
michael@x068:[/home/michael]tracepriv sudo ls
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password:
michael is not in the sudoers file. This incident will be reported.
6094946: Used privileges for /opt/bin/sudo:
PV_DAC_O PV_DAC_UID
PV_DAC_GID PV_FS_CHOWN
PV_NET_CNTL PV_NET_PORT
So, as a starting point the privileges listed above are needed.
michael@x068:[/home/michael]ls -l /opt/bin/sudo
-rwsr-xr-x 1 root bin 227616 Mar 21 17:09 /opt/bin/sudo
Not "oops", yet.
michael@x068:[/home/michael]chmod u-s /opt/bin/sudo
michael@x068:[/home/michael]ls -l /opt/bin/sudo
-rwxr-xr-x 1 root bin 227616 Mar 21 17:09 /opt/bin/sudo
michael@x068:[/home/michael]
michael@x068:[/home/michael]tracepriv sudo ls
sudo: /opt/bin/sudo must be owned by uid 0 and have the setuid bit set
6094952: Used privileges for /opt/bin/sudo:
PV_DAC_R
Hmm, a new 'problem' - that I guess the FAQ addressed, or tried to.
Next attempt: prime the shell with:
root@x068:[/]setsecattr -p iprivs=PV_ROOT,PV_SU_UID 4784380
michael@x068:[/home/michael]tracepriv sudo ls
sudo: sudoers specifies that root is not allowed to sudo
4259906: Used privileges for /opt/bin/sudo:
PV_DAC_R PV_DAC_X
PV_DAC_UID PV_DAC_GID
PV_SU_UID PV_NET_CNTL
PV_NET_PORT
So, sort of stuck if I use the option --disable-root-sudo - so I'll
remove it.
In closing: the FAQ says:
innateprivs =
PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,\
PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
What is extra in the FAQ is:
PV_DAC_O,PV_DAC_W,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
What is missing is: PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID
(to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0
and have the setuid bit set").
re: the extra - PV_PROC_PRIO, in any case, is needed by something I
have not 'used' yet, I expect (a plugin?).
Does the 'request' for network control and to open a 'restricted' port
(<1024) sound right?
Michael
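Added example, not code from the mail above or from the sudo project: a small POSIX sh script that reconciles the privilege sets tracepriv printed in the three runs quoted above against the innateprivs list quoted from the sudo FAQ, and prints the setsecattr line that would grant the union. It computes the two differences over all three traced runs, not just the first one. The tracepriv output and the FAQ list are copied from the mail as constructed sample input; /opt/bin/sudo and the authorization name "sudo" are the values the mail uses. The attribute names euid, accessauths, innateprivs and secflags and the value FSF_EPS are my assumption from the AIX setsecattr documentation, not something the mail states; verify them against the release you run. Nothing here executes an AIX command, so it runs on any system with awk, sort and paste.

```shell
#!/bin/sh
# Added example (not from the original mail or the sudo project): compare the
# privileges tracepriv reported for /opt/bin/sudo with the innateprivs list
# quoted from the sudo FAQ, then print the setsecattr line for the union.
# Pure POSIX sh + awk/sort/paste; no AIX command is run here.
LC_ALL=C; export LC_ALL

# Constructed sample: the three tracepriv runs quoted in the mail, concatenated.
TRACEPRIV_OUTPUT='6094946: Used privileges for /opt/bin/sudo:
PV_DAC_O PV_DAC_UID
PV_DAC_GID PV_FS_CHOWN
PV_NET_CNTL PV_NET_PORT
6094952: Used privileges for /opt/bin/sudo:
PV_DAC_R
4259906: Used privileges for /opt/bin/sudo:
PV_DAC_R PV_DAC_X
PV_DAC_UID PV_DAC_GID
PV_SU_UID PV_NET_CNTL
PV_NET_PORT'

# innateprivs exactly as the mail quotes the FAQ.
FAQ_PRIVS='PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC'

# to_set: read space/comma/newline separated tokens on stdin, keep the PV_*
# ones, print them sorted and de-duplicated, one per line.
to_set() {
    tr ' ,' '\n\n' | grep '^PV_' | sort -u
}

# set_minus A B: lines of A that are not in B, comma-joined.
# A and B are newline-separated lists as produced by to_set.
set_minus() {
    printf '%s\n' "$1" | awk -v b="$2" '
        BEGIN { n = split(b, arr, "\n"); for (i = 1; i <= n; i++) inb[arr[i]] = 1 }
        NF && !($1 in inb) { print $1 }' | paste -sd, -
}

# set_union A B: both lists merged, sorted, comma-joined.
set_union() {
    printf '%s\n%s\n' "$1" "$2" | to_set | paste -sd, -
}

observed=$(printf '%s\n' "$TRACEPRIV_OUTPUT" | to_set)
faq=$(printf '%s\n' "$FAQ_PRIVS" | to_set)

# Privileges tracepriv saw that the FAQ's innateprivs would not grant.
needed_not_in_faq() { set_minus "$observed" "$faq"; }

# Privileges the FAQ grants that none of the traced runs exercised (yet).
faq_not_yet_seen() { set_minus "$faq" "$observed"; }

# The setsecattr line for the union.  Attribute names and FSF_EPS are an
# assumption taken from the AIX setsecattr documentation, not from the mail.
grant_command() {
    printf 'setsecattr -c euid=0 accessauths=sudo innateprivs=%s secflags=FSF_EPS /opt/bin/sudo\n' \
        "$(set_union "$observed" "$faq")"
}

echo "used by sudo but absent from the FAQ list: $(needed_not_in_faq)"
echo "in the FAQ list but not exercised yet:     $(faq_not_yet_seen)"
grant_command
echo "setkst   # push the updated kernel security table"
```

Two caveats when using this for real. tracepriv only reports privileges used on the code path that actually ran, and every run in the mail failed early (not in sudoers, setuid check, root not allowed), so each set is a lower bound; re-trace after each change until sudo completes a command, and expect the union to grow. And the point of the RBAC setup is that the file gets exactly the privileges it needs with accessauths restricted to a real authorization, so keep PV_ROOT on the test shell only while tracing and never put it, or ALLOW_ALL, on the sudo binary itself.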