[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Wed May 3 11:47:59 MDT 2017


On 02/05/2017 21:13, Todd C. Miller wrote:
> On Tue, 02 May 2017 20:41:52 +0200, Michael Felt wrote:
>
>> In closing: the FAQ says:
>>
>>          innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,\
>>                        PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
>>
>> What is extra in the FAQ is:
>> PV_DAC_O,PV_DAC_W,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC
>>
>> What is missing is: PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID
>> (to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0
>> and have the setuid bit set").
> Thanks for doing the research and testing on this.
Not done yet. Just built 1.8.20rc2 - and all files will be owned by 
bin:bin (my default), and no suid set anywhere.
Manually, I shall set sudo to r-x------ so that RBAC is needed to even 
execute the application (my previous start would do that at least, but 
then lack of priv. will stop the show).

As I do not wish to bore, or overload the list - I'll wait until I have 
more to tell.

> I believe
> PV_FS_CHOWN is required for sudoedit and when the timestamp file
> owner is not root.
> Have you tried running sudo with log_output enabled in sudoers?
>
>> re: the extra - PV_PROC_PRIO - in any case - is needed by something I
>> have not 'used' yet I expect (a plugin?).
> Yes, sudo can call setpriority() which will require PV_PROC_PRIO.
>
>> Does the 'request' for network control and to open a 'restricted' port
>> (<1024) sound right?
> My guess is that this is required by the code that enumerates the
> network interfaces on the system, though perhaps it could be related
> to DNS.
You are the expert - I am just the messenger.
>
>   - todd
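
Added example, not from the sudo FAQ or from either poster: a POSIX sh helper that registers sudo as an AIX RBAC privileged command with the privilege set the thread arrives at (the FAQ's list plus PV_NET_PORT, PV_NET_CNTL and PV_SU_UID) and checks `lssecattr -c` output for privileges still missing from the installed binary. The /opt/bin/sudo path comes from the message; `accessauths=ALLOW_ALL` and the sample lssecattr line are assumptions constructed for the example.

```shell
#!/bin/sh
# Assumed install path, taken from the message above.
SUDO_BIN=/opt/bin/sudo

# FAQ privilege set plus the three the poster found missing.
REQUIRED_PRIVS="PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC,PV_NET_PORT,PV_NET_CNTL,PV_SU_UID"

# Extract the innateprivs value from one line of 'lssecattr -c <cmd>' output.
innateprivs_of() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^innateprivs=//p'
}

# Print each privilege of comma-separated set $2 that is absent from
# comma-separated set $1; return 1 when anything is missing, 0 otherwise.
missing_privs() {
    have=",$1,"
    rc=0
    for p in $(printf '%s\n' "$2" | tr ',' ' '); do
        case "$have" in
            *",$p,"*) ;;
            *) printf '%s\n' "$p"; rc=1 ;;
        esac
    done
    return $rc
}

# Register sudo as a privileged command and refresh the kernel security
# tables. accessauths=ALLOW_ALL is an assumption (any user may invoke it;
# sudoers still decides what they may run). Skipped where the AIX tools
# are absent, so the script stays runnable elsewhere.
register_sudo_privs() {
    command -v setsecattr >/dev/null 2>&1 || return 0
    setsecattr -c "innateprivs=$REQUIRED_PRIVS" accessauths=ALLOW_ALL "$SUDO_BIN"
    setkst
}

# Constructed sample of lssecattr -c output: the FAQ's set, nothing more.
SAMPLE_LSSECATTR="$SUDO_BIN accessauths=ALLOW_ALL innateprivs=PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC"

# Report what the sample binary still lacks relative to REQUIRED_PRIVS.
missing_privs "$(innateprivs_of "$SAMPLE_LSSECATTR")" "$REQUIRED_PRIVS" \
    || echo "-> the privileges listed above must be added to $SUDO_BIN"
```

On a live system, replace SAMPLE_LSSECATTR with `$(lssecattr -c "$SUDO_BIN")` to check the real attribute set after running register_sudo_privs.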