[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ
michael at felt.demon.nl
Wed May 3 11:47:59 MDT 2017
On 02/05/2017 21:13, Todd C. Miller wrote:
> On Tue, 02 May 2017 20:41:52 +0200, Michael Felt wrote:
>> In closing: the FAQ says:
>> innateprivs =
>> What is extra in the FAQ is:
>> What is missing is: PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID
>> (to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0
>> and have the setuid bit set").
> Thanks for doing the research and testing on this.
Not done yet. Just built 1.8.20rc2 - and all files will be owned by
bin:bin (my default), and no suid set anywhere.
Manually, I shall set sudo to r-x------ so that RBAC is needed to even
execute the application (my previous start would do that at least, but
then lack of priv. will stop the show).
As I do not wish to bore, or overload the list - I'll wait until I have
more to tell.
> I believe
> PV_FS_CHOWN is required for sudoedit and when the timestamp file
> owner is not root.
> Have you tried running sudo with log_output enabled in sudoers?
>> re: the extra - PV_PROC_PRIO - in any case - is needed by something I
>> have not 'used' yet I expect (a plugin?).
> Yes, sudo can call setpriority() which will require PV_PROC_PRIO.
>> Does the 'request' for network control and to open a 'restricted' port
>> (<1024) sound right?
> My guess is that this is required by the code that enumerates the
> network interfaces on the system, though perhaps it could be related
> to DNS.
You are the expert - I am just the messenger.
> - todd
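For readers following the PV_SU_UID point above: the self-check behind the message "sudo: /opt/bin/sudo must be owned by uid 0 and have the setuid bit set" is reproduced here as an added example. This is not sudo's own source and not code from anyone on this thread; it assumes, as the thread implies, that the file check is only applied when the effective uid is not already 0, which is why an RBAC grant that yields euid 0 lets a bin-owned, non-setuid binary get past it. The default path /opt/bin/sudo and the status codes are illustrative.

```c
/* Added example, not sudo's code: a setuid-root self-check of the kind
 * behind "must be owned by uid 0 and have the setuid bit set".
 * Assumption: the file is only inspected when the effective uid is not 0,
 * so a process that already holds euid 0 (setuid worked, or AIX RBAC
 * supplied it, e.g. via PV_SU_UID) passes regardless of the file mode. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum suid_status {
    SUID_OK = 0,             /* nothing to complain about */
    SUID_NOT_ROOT_OWNED = 1, /* file owner is not uid 0 */
    SUID_NO_SETUID_BIT = 2,  /* owned by uid 0 but mode lacks S_ISUID */
    SUID_STAT_FAILED = 3     /* path does not exist or cannot be stat()ed */
};

/* Pure decision: given the effective uid we run with and the owner/mode of
 * the binary, decide whether the self-check passes. Illustrative helper. */
int check_suid_attrs(uid_t effective_uid, uid_t owner, mode_t mode)
{
    if (effective_uid == 0)
        return SUID_OK;            /* already root: file attributes are irrelevant */
    if (owner != 0)
        return SUID_NOT_ROOT_OWNED;
    if ((mode & S_ISUID) == 0)
        return SUID_NO_SETUID_BIT;
    return SUID_OK;
}

/* stat() the binary and apply the decision above. Illustrative helper. */
int check_suid_root(const char *path, uid_t effective_uid)
{
    struct stat sb;
    if (effective_uid == 0)
        return SUID_OK;            /* no need to look at the file at all */
    if (stat(path, &sb) != 0)
        return SUID_STAT_FAILED;
    return check_suid_attrs(effective_uid, sb.st_uid, sb.st_mode);
}

/* Human-readable reason, modelled on the wording quoted in the thread. */
const char *suid_status_message(int status)
{
    switch (status) {
    case SUID_OK:             return "ok";
    case SUID_NOT_ROOT_OWNED: return "must be owned by uid 0";
    case SUID_NO_SETUID_BIT:  return "must have the setuid bit set";
    case SUID_STAT_FAILED:    return "cannot stat binary";
    default:                  return "unknown status";
    }
}

int main(int argc, char **argv)
{
    /* Default path is an assumption for illustration; pass the real one as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/opt/bin/sudo";
    int status = check_suid_root(path, geteuid());
    printf("%s: euid=%u: %s\n", path, (unsigned)geteuid(), suid_status_message(status));
    return status == SUID_OK ? 0 : 1;
}
```

Run it against the installed binary as an unprivileged user: a bin:bin, r-x------ file (as described in the post) fails with "must be owned by uid 0", while the same file run under an RBAC role that supplies euid 0 passes without the mode ever being examined.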