From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 21 Feb 2011 09:02:22 -0500 Subject: [refpolicy] [patch 1/1] sudo: Fixes for sudo, handle /var/db/sudo In-Reply-To: <1298092089.3101.51.camel@tesla.lan> References: <4D5EA91C.1080409@redhat.com> <1298092089.3101.51.camel@tesla.lan> Message-ID: <4D62706E.9090801@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/19/2011 12:08 AM, Guido Trentalancia wrote: > Hello Miroslav ! > > On Fri, 18/02/2011 at 17.15 +0000, Miroslav Grepl wrote: >> http://mgrepl.fedorapeople.org/F15/admin_sudo.patch >> >> * Allow sudo to send signals to any domains the user could have >> transitioned to. >> * Handle /var/db/sudo >> * Allow users to run executables in /tmp or ~/ > > To the best of my knowledge, the first part of the last change is > something really bad from a security point of view. > > System administrators put much effort to avoid that (such as > mounting /tmp with noexec, nosuid options) ! > > A legitimate user does not need to store his/her executables in /tmp, as > he/she has at least its own home directory available for that (and if > he/she cannot write there, then he/she is probably over quota). > > /tmp just "potentially provides storage space for malicious > executables" (quoted from paragraph 2.2.1.3 of NSA public document > "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" > Revision 4, but any decent web search engine would easily provide you > with tons of pages relative to the cries of those whom have allowed that > sort of thing to happen on their systems). > > Regards, > > Guido > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy + userdom_domtrans_user_tmp($1_sudo_t, $3) Says to run user_tmp_t files as staff_t, Which is the equivalent of if the staff_t had executed the file directly. I guess if execution of homedir/tmp dir was turned off this could be seen as a priv escalation. staff_t is not allowed to execute user_tmp_t, but it can if it goes through sudo. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1icG4ACgkQrlYvE4MpobO/SgCcCeagx2SuBd2InuVNk25YXt4b agEAoJOxwZz4QbXFkUrUGjvovKVFutO0 =bNTO -----END PGP SIGNATURE-----