[sudo-workers] pam_setcred parameter

Radovan Sroka rsroka at redhat.com
Mon Jan 21 03:54:58 MST 2019


Hi Todd,

I think that sudo uses pam_setcred incorrectly.

https://www.sudo.ws/repos/sudo/rev/ec23c3bf41bb

After this commit sudo uses PAM_REINITIALIZE_CRED instead of
PAM_ESTABLISH_CRED, which is wrong. The Reinitialize flag can be used only
when Establish was already used and there was some change like the UID or
something.

Some PAM modules like pam_cap.so ignore Reinitialize and support only
Establish, and that's why it has not been working with sudo since that commit
and does not apply capabilities to the new process.

Steps to Reproduce:
[root at rhel7u3-5 ~]# useradd netdiag
[root at rhel7u3-5 ~]# setcap cap_net_raw+ei /usr/sbin/tcpdump
[root at rhel7u3-5 ~]# echo "cap_net_raw+ei netdiag" > /etc/security/capability.conf
[root at rhel7u3-5 ~]# cat /etc/pam.d/sudo
#%PAM-1.0
auth    optional    pam_cap.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

After commit:
[root at rhel7u3-5 ~]# sudo -u netdiag /usr/sbin/tcpdump -i lo
tcpdump: lo: You don't have permission to capture on that device
(socket: Operation not permitted)

Before commit:
[root at rhel7u3-5 ~]# sudo -u netdiag /usr/sbin/tcpdump -i lo
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes


I suggest using only Establish, or both as subsequent calls.
-- 
---------------------------------------------------------

Radovan Sroka
Software Engineer | Security Technologies | Red Hat, Inc.

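A quick way to confirm whether pam_cap actually applied the configured inheritable capabilities to the process sudo spawned is to decode the `CapInh`/`CapPrm`/`CapEff` lines of `/proc/<pid>/status`: with the regression described above, the inheritable set of the `netdiag` command stays empty, so `cap_net_raw+ei` on the tcpdump binary never becomes effective. The following checker is an added example, not code from the sudo project or from the original post; the two status snippets are constructed to mirror the "before commit" and "after commit" runs, and `CAP_NET_RAW = 13` is the bit number from `linux/capability.h`.

```python
import re

# Capability bit numbers from linux/capability.h (only the one the report uses).
CAP_NET_RAW = 13

# Constructed sample of /proc/<pid>/status for the tcpdump child when pam_cap
# applied "cap_net_raw+ei netdiag" (the "before commit" behaviour): bit 13 set.
STATUS_CAPS_APPLIED = """\
Name:\ttcpdump
CapInh:\t0000000000002000
CapPrm:\t0000000000002000
CapEff:\t0000000000002000
CapBnd:\t0000003fffffffff
"""

# Constructed sample for the "after commit" behaviour: pam_cap ignored
# PAM_REINITIALIZE_CRED, so the inheritable set is empty and nothing is gained
# from the file capabilities on /usr/sbin/tcpdump.
STATUS_CAPS_MISSING = """\
Name:\ttcpdump
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000003fffffffff
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$")


def parse_cap_sets(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} parsed from a /proc status dump."""
    sets = {}
    for line in status_text.splitlines():
        m = _CAP_LINE.match(line)
        if m:
            sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap_number):
    """True if capability bit `cap_number` is set in the 64-bit mask."""
    return bool((mask >> cap_number) & 1)


def pam_cap_applied(status_text, cap_number=CAP_NET_RAW):
    """True if the inheritable set carries the capability pam_cap was supposed to add."""
    sets = parse_cap_sets(status_text)
    return has_cap(sets.get("CapInh", 0), cap_number)


def effective_caps_gained(status_text, cap_number=CAP_NET_RAW):
    """True if the capability ended up effective, i.e. the file caps (+ei) combined
    with a matching inheritable bit; this is what tcpdump needs to open the socket."""
    sets = parse_cap_sets(status_text)
    return has_cap(sets.get("CapEff", 0), cap_number)


def read_live_status(pid="self"):
    """Read the real /proc/<pid>/status; run under `sudo -u netdiag` to test a live system."""
    with open(f"/proc/{pid}/status") as f:
        return f.read()


if __name__ == "__main__":
    for label, text in (("caps applied", STATUS_CAPS_APPLIED), ("caps missing", STATUS_CAPS_MISSING)):
        print(f"{label}: CapInh has cap_net_raw = {pam_cap_applied(text)}, "
              f"effective = {effective_caps_gained(text)}")
```

On a live host the check is `sudo -u netdiag python3 this_script.py` with `read_live_status()` substituted for the samples; an empty `CapInh` for the `netdiag` process after sudo is the signature of the credential flag problem described in the mail rather than a problem with the file capabilities on tcpdump.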
