[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ
Todd C. Miller
Todd.Miller at courtesan.com
Tue May 2 13:13:35 MDT 2017
On Tue, 02 May 2017 20:41:52 +0200, Michael Felt wrote:
> In closing: the FAQ says:
>
> innateprivs =
> PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,\
> PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
>
> What is extra in the FAQ is:
> PV_DAC_O,PV_DAC_W,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
>
> What is missing is: PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID
> (to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0
> and have the setuid bit set").
Thanks for doing the research and testing on this. I believe
PV_FS_CHOWN is required for sudoedit and when the timestamp file
owner is not root.
Have you tried running sudo with log_output enabled in sudoers?
> re: the extra - PV_PROC_PRIO - in any case - is needed by something I
> have not 'used' yet I expect (a plugin?).
Yes, sudo can call setpriority() which will require PV_PROC_PRIO.
> Does the 'request' for network control and to open a 'restricted' port
> (<1024) sound right?
My guess is that this is required by the code that enumerates the
network interfaces on the system, though perhaps it could be related
to DNS.
- todd