[sudo-workers] Why, or better when - is exec() or fork() called?

Michael Felt michael at felt.demon.nl
Mon Oct 9 03:37:16 MDT 2017


* I have the impression that exec() is preferred over fork(). Why not 
always fork()?

* Using AIX RBAC - I see a difference in behavior when I call:

sudo ksh

compared to

sudo lssecattr -p $$

e.g.,:

root at x068:[/]su - michael
michael at x068:[/home/michael]swrole sudoer
michael's Password:
michael at x068:[/home/michael]sudo lssecattr -p $$
Password:
sudo: unable to execute /usr/sbin/lssecattr: The file access permissions 
do not allow the specified action.
michael at x068:[/home/michael]sudo ksh
michael at x068:[/home/michael]lssecattr -p $$
10616912 eprivs=PV_ROOT mprivs=PV_ROOT iprivs=PV_ROOT lprivs=PV_ROOT 
uprivs=PV_DAC_R,PV_DAC_W
michael at x068:[/home/michael]exit

So, it seems that the first command (sudo lssecattr -p $$) is exec()ed, 
because it does not gain the privs (via inheritance) needed to execute, 
while "sudo ksh" is fork()ed - as it has gained the elevated privs - and 
can now execute "lssecattr -p $$"

More info:

root at x068:[/]lssecattr -c /usr/bin/ksh
1420-012 "/usr/bin/ksh" does not exist in the privileged command database.

root at x068:[/]lssecattr -c /usr/sbin/lssecattr
/usr/sbin/lssecattr 
accessauths=aix.security.cmd.list,aix.security.device.list,aix.security.file.list,aix.security.proc.list,aix.security.dobject.list 
innateprivs=PV_DAC_R,PV_DAC_X 
authprivs=aix.security.proc.list=PV_PROC_PRIV+PV_AZ_READ secflags=FSF_EPS
root at x068:[/]

root at x068:[/]rolerpt -c sudoer
role:
sudoer
commands:
/opt/bin/sudo

root at x068:[/]lssecattr -c /opt/bin/sudo
/opt/bin/sudo accessauths=sudo innateprivs=PV_DAC_GID,PV_DAC_R 
inheritprivs=PV_ROOT secflags=FSF_EPS
root at x068:[/]ls -l /opt/bin/sudo
-rwsr-xr-x    1 bin      bin          431763 Sep 25 20:42 /opt/bin/sudo

Basically, my preferred setup needs fork() - ALWAYS - so sudo can add 
privs for its forked processes (and it will get an added PV so that it 
can do that using *raise() and *lower() calls). This way, the sudo 
executable will always have a minimum of "privs" active - and the 
children will only get - what they need. This can be used as a way to 
use sudoers grammar, rather than "setsecattr -c", mkauth, mkrole and 
setkst commands aka "traditional" AIX RBAC administration - to have 
"role-based" access to privileged commands.
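
The fork-then-exec pattern the message asks about, as an added example that is not part of the original post and is not sudo's code. It assumes a POSIX system with /bin/sh; umask stands in for the AIX privilege set as a portable per-process attribute, and run_in_child and current_umask are hypothetical helper names.

```c
/* Added illustration: with fork-then-exec the launcher stays alive with its
 * own attributes; changes made in the child apply only to the command. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run argv[0] in a child whose umask is child_mask.
 * umask is a stand-in for an attribute the launcher adjusts for the
 * command only. Returns the command's exit status, or -1 on error. */
int run_in_child(mode_t child_mask, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        umask(child_mask);      /* affects only this child */
        execv(argv[0], argv);   /* replaces the child image, PID unchanged */
        _exit(127);             /* reached only if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read the caller's umask and restore it immediately. */
mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

int main(void)
{
    /* Constructed sample command: the child prints its own umask. */
    char *const cmd[] = { "/bin/sh", "-c", "umask; exit 7", NULL };
    mode_t before = current_umask();
    int rc = run_in_child(077, cmd);
    printf("child exit=%d, parent umask before=%03o after=%03o\n",
           rc, (unsigned)before, (unsigned)current_umask());
    return 0;
}
```

If the launcher called execv() directly instead, there would be no surviving parent: the command would run under the launcher's PID with whatever attributes the launcher held at that moment.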



