[sudo-workers] Why, or better when - is exec() or fork() called?

Michael Felt michael at felt.demon.nl
Mon Oct 9 03:37:16 MDT 2017

* I have the impression that exec() is preferred over fork(). Why not 
always fork()?

* Using AIX RBAC - I see a difference in behavior when I call:

sudo ksh

compared to

sudo lssecattr -p $$


root at x068:[/]su - michael
michael at x068:[/home/michael]swrole sudoer
michael's Password:
michael at x068:[/home/michael]sudo lssecattr -p $$
sudo: unable to execute /usr/sbin/lssecattr: The file access permissions 
do not allow the specified action.
michael at x068:[/home/michael]sudo ksh
michael at x068:[/home/michael]lssecattr -p $$
10616912 eprivs=PV_ROOT mprivs=PV_ROOT iprivs=PV_ROOT lprivs=PV_ROOT 
michael at x068:[/home/michael]exit

So, it seems that the first command (sudo lssecattr -p $$) is exec()ed, 
because it does not gain the privs (via inheritance) needed to execute, 
while "sudo ksh" is fork()ed - as it has gained the elevated privs - and 
can now execute "lssecattr -p $$"

More info:

root at x068:[/]lssecattr -c /usr/bin/ksh
1420-012 "/usr/bin/ksh" does not exist in the privileged command database.

root at x068:[/]lssecattr -c /usr/sbin/lssecattr
authprivs=aix.security.proc.list=PV_PROC_PRIV+PV_AZ_READ secflags=FSF_EPS
root at x068:[/]

root at x068:[/]rolerpt -c sudoer

root at x068:[/]lssecattr -c /opt/bin/sudo
/opt/bin/sudo accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R 
inheritprivs=PV_ROOT secflags=FSF_EPS
root at x068:[/]ls -l /opt/bin/sudo
-rwsr-xr-x    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo

Basically, my preferred setup needs fork() - ALWAYS - so sudo can add 
privs for its forked processes (and it will get an added PV so that it 
can do that using *raise() and *lower() calls). This way, the sudo 
executable will always have a minimum of "privs" active - and the 
children will only get what they need. This can be used as a way to 
use sudoers grammar, rather than "setsecattr -c", mkauth, mkrole and 
setkst commands aka "traditional" AIX RBAC administration - to have 
"role-based" access to privileged commands.
