[sudo-workers] question on "Answer" re: AIX RBAC in sudo FAQ

Michael Felt michael at felt.demon.nl
Wed May 3 11:47:59 MDT 2017

On 02/05/2017 21:13, Todd C. Miller wrote:
> On Tue, 02 May 2017 20:41:52 +0200, Michael Felt wrote:
>> In closing: the FAQ says:
>>          innateprivs =
>> What is extra in the FAQ is:
>> What is missing is:   PV_NET_PORT,PV_NET_CNTL and a 'new' PV - PV_SU_UID
>> (to get past the test for "sudo: /opt/bin/sudo must be owned by uid 0
>> and have the setuid bit set".
> Thanks for doing the research and testing on this.
Not done yet. Just built 1.8.20rc2 - and all files will be owned by 
bin:bin (my default), and no suid set anywhere.
Manually, I shall set sudo to r-x------ so that RBAC is needed to even 
execute the application (my previous start would do that at least, but 
then lack of priv. will stop the show.

As I do not wish to bore, or overload the list - I'll wait until I have 
more to tell.

> I believe
> PV_FS_CHOWN is required for sudoedit and when the timestamp file
> owner is not root.
> Have you tried running sudo with log_output enabled in sudoers?
>> re: the extra - PV_PROC_PRIO - in any case - is needed by something I
>> have not 'used' yet I expect (a plugin?).
> Yes, sudo can call setpriority() which will require PV_PROC_PRIO.
>> Does the 'request' for network control and to open a 'restricted' port
>> (<1024) sound right?
> My guess is that this required by the code that enumerates the
> network interfaces on the system, though perhaps it could be related
> to DNS.
You are the expert - I am just the messenger.
>   - todd

More information about the sudo-workers mailing list