[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Todd C. Miller Todd.Miller at courtesan.com
Tue May 2 13:13:35 MDT 2017

On Tue, 02 May 2017 20:41:52 +0200, Michael Felt wrote:

> In closing: the FAQ says:
>         innateprivs = 
> What is extra in the FAQ is: 
> What is missing is:   PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID 
> (to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0 
> and have the setuid bit set").

Thanks for doing the research and testing on this.  I believe
PV_FS_CHOWN is required for sudoedit and when the timestamp file
owner is not root.

Have you tried running sudo with log_output enabled in sudoers?

> re: the extra - PV_PROC_PRIO - in any case - is needed by something I 
> have not 'used' yet I expect (a plugin?).

Yes, sudo can call setpriority() which will require PV_PROC_PRIO.

> Does the 'request' for network control and to open a 'restricted' port 
> (<1024) sound right?

My guess is that this is required by the code that enumerates the
network interfaces on the system, though perhaps it could be related
to DNS.

 - todd
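As an added illustration (not code from the sudo project, the sudo FAQ, or either poster), the following POSIX shell script folds the privileges named in this thread (PV_NET_PORT, PV_NET_CNTL, PV_SU_UID, PV_FS_CHOWN, PV_PROC_PRIO) into the innateprivs attribute of an existing AIX RBAC privileged-command entry for sudo and emits the setsecattr command to apply it. It assumes the /opt/bin/sudo path from the quoted message, the one-line "name attr=value ..." format of lssecattr -c output, and that the entry already exists with its accessauths set; the FAQ's full privilege list is truncated on this page, so the script deliberately merges into whatever the current entry holds rather than restating that list. The sample lssecattr line is constructed, not captured from an AIX host.

```shell
#!/bin/sh
# Added example: merge the AIX RBAC privileges named in the thread into an
# existing privileged-command entry for sudo. Not sudo project code.
# Assumptions: sudo lives at /opt/bin/sudo (from the quoted message); lssecattr -c
# prints one line "path attr=val attr=val ..."; the entry already exists.

# Privileges this thread says sudo needs. This is NOT the FAQ's complete list
# (truncated on the page); the script merges into the entry's current set.
THREAD_PRIVS="PV_NET_PORT,PV_NET_CNTL,PV_SU_UID,PV_FS_CHOWN,PV_PROC_PRIO"

# current_privs "<lssecattr -c line>" -> value of innateprivs=, or empty string.
current_privs() {
    for kv in $1; do
        case "$kv" in
            innateprivs=*) printf '%s\n' "${kv#innateprivs=}"; return 0 ;;
        esac
    done
    printf '\n'
}

# priv_union "A,B" "B,C" -> "A,B,C": order preserved, duplicates dropped.
priv_union() {
    out=""
    for p in $(printf '%s' "$1,$2" | tr ',' ' '); do
        case ",$out," in
            *",$p,"*) ;;
            *) out="${out:+$out,}$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# missing_privs "current" "required" -> required privileges absent from current.
missing_privs() {
    miss=""
    for p in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$1," in
            *",$p,"*) ;;
            *) miss="${miss:+$miss,}$p" ;;
        esac
    done
    printf '%s\n' "$miss"
}

# setsecattr_cmd "<lssecattr -c line>" -> setsecattr command that adds the
# thread's privileges without dropping any the entry already grants.
setsecattr_cmd() {
    path=${1%% *}
    merged=$(priv_union "$(current_privs "$1")" "$THREAD_PRIVS")
    printf 'setsecattr -c innateprivs=%s %s\n' "$merged" "$path"
}

# Constructed sample (not real output from an AIX host): an entry that already
# carries PV_FS_CHOWN but none of the network or su privileges from the thread.
SAMPLE="/opt/bin/sudo accessauths=ALLOW_ALL innateprivs=PV_DAC_R,PV_FS_CHOWN secflags=FSF_EPS"
echo "missing: $(missing_privs "$(current_privs "$SAMPLE")" "$THREAD_PRIVS")"
echo "run:     $(setsecattr_cmd "$SAMPLE")"

# On an AIX host, APPLY=1 reads the live entry, applies the merged set, and
# reloads the kernel security tables with setkst so the change takes effect.
SUDO_PATH=/opt/bin/sudo   # assumed path
if [ "${APPLY:-0}" = 1 ] && command -v lssecattr >/dev/null 2>&1; then
    line=$(lssecattr -c "$SUDO_PATH") || exit 1
    cmd=$(setsecattr_cmd "$line")
    echo "$cmd" && sh -c "$cmd" && setkst
    lssecattr -c "$SUDO_PATH"
fi
```

Run it without APPLY to see what would change for the constructed entry; the live path only runs where lssecattr exists and you opt in, and it re-reads the entry afterwards so you can confirm the merged innateprivs before retesting sudo.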
