From: dwalsh@redhat.com (Daniel J Walsh) Date: Mon, 21 Feb 2011 11:59:00 -0500 Subject: [refpolicy] [patch 1/1] sudo: Fixes for sudo, handle /var/db/sudo In-Reply-To: <4D6271B6.8020105@gmail.com> References: <4D5EA91C.1080409@redhat.com> <1298092089.3101.51.camel@tesla.lan> <4D62706E.9090801@redhat.com> <4D6271B6.8020105@gmail.com> Message-ID: <4D6299D4.5030001@redhat.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/21/2011 09:07 AM, Dominick Grift wrote: > On 02/21/2011 03:02 PM, Daniel J Walsh wrote: >> On 02/19/2011 12:08 AM, Guido Trentalancia wrote: >>> Hello Miroslav ! > >>> On Fri, 18/02/2011 at 17.15 +0000, Miroslav Grepl wrote: >>>> http://mgrepl.fedorapeople.org/F15/admin_sudo.patch >>>> >>>> * Allow sudo to send signals to any domains the user could have >>>> transitioned to. >>>> * Handle /var/db/sudo >>>> * Allow users to run executables in /tmp or ~/ > >>> To the best of my knowledge, the first part of the last change is >>> something really bad from a security point of view. > >>> System administrators put much effort to avoid that (such as >>> mounting /tmp with noexec, nosuid options) ! > >>> A legitimate user does not need to store his/her executables in /tmp, as >>> he/she has at least its own home directory available for that (and if >>> he/she cannot write there, then he/she is probably over quota). > >>> /tmp just "potentially provides storage space for malicious >>> executables" (quoted from paragraph 2.2.1.3 of NSA public document >>> "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" >>> Revision 4, but any decent web search engine would easily provide you >>> with tons of pages relative to the cries of those whom have allowed that >>> sort of thing to happen on their systems). > >>> Regards, > >>> Guido > >>> _______________________________________________ >>> refpolicy mailing list >>> refpolicy at oss.tresys.com >>> http://oss.tresys.com/mailman/listinfo/refpolicy > >> + userdom_domtrans_user_tmp($1_sudo_t, $3) > >> Says to run user_tmp_t files as staff_t, Which is the equivalent of if >> the staff_t had executed the file directly. > >> I guess if execution of homedir/tmp dir was turned off this could be >> seen as a priv escalation. > > refpolicy does not have the above functionality afaik. > >> staff_t is not allowed to execute user_tmp_t, but it can if it goes >> through sudo. > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > _______________________________________________ refpolicy mailing list refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy Are you saying staff_t is not allowed to execute user_tmp_t in reference policy? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1imdQACgkQrlYvE4MpobOCDQCgx8Muc05F6plnR0yIlm5t/b92 u/YAn1lae+qK824+cC2wNdCQMiHT+/Mb =qTCp -----END PGP SIGNATURE-----