From: domg472@gmail.com (Dominick Grift) Date: Mon, 21 Feb 2011 18:40:53 +0100 Subject: [refpolicy] [patch 1/1] sudo: Fixes for sudo, handle /var/db/sudo In-Reply-To: <4D6299D4.5030001@redhat.com> References: <4D5EA91C.1080409@redhat.com> <1298092089.3101.51.camel@tesla.lan> <4D62706E.9090801@redhat.com> <4D6271B6.8020105@gmail.com> <4D6299D4.5030001@redhat.com> Message-ID: <4D62A3A5.9070909@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/21/2011 05:59 PM, Daniel J Walsh wrote: > On 02/21/2011 09:07 AM, Dominick Grift wrote: >> On 02/21/2011 03:02 PM, Daniel J Walsh wrote: >>> On 02/19/2011 12:08 AM, Guido Trentalancia wrote: >>>> Hello Miroslav ! > >>>> On Fri, 18/02/2011 at 17.15 +0000, Miroslav Grepl wrote: >>>>> http://mgrepl.fedorapeople.org/F15/admin_sudo.patch >>>>> >>>>> * Allow sudo to send signals to any domains the user could have >>>>> transitioned to. >>>>> * Handle /var/db/sudo >>>>> * Allow users to run executables in /tmp or ~/ > >>>> To the best of my knowledge, the first part of the last change is >>>> something really bad from a security point of view. > >>>> System administrators put much effort to avoid that (such as >>>> mounting /tmp with noexec, nosuid options) ! > >>>> A legitimate user does not need to store his/her executables in /tmp, as >>>> he/she has at least its own home directory available for that (and if >>>> he/she cannot write there, then he/she is probably over quota). > >>>> /tmp just "potentially provides storage space for malicious >>>> executables" (quoted from paragraph 2.2.1.3 of NSA public document >>>> "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" >>>> Revision 4, but any decent web search engine would easily provide you >>>> with tons of pages relative to the cries of those whom have allowed that >>>> sort of thing to happen on their systems). > >>>> Regards, > >>>> Guido > >>>> _______________________________________________ >>>> refpolicy mailing list >>>> refpolicy at oss.tresys.com >>>> http://oss.tresys.com/mailman/listinfo/refpolicy > >>> + userdom_domtrans_user_tmp($1_sudo_t, $3) > >>> Says to run user_tmp_t files as staff_t, Which is the equivalent of if >>> the staff_t had executed the file directly. > >>> I guess if execution of homedir/tmp dir was turned off this could be >>> seen as a priv escalation. > >> refpolicy does not have the above functionality afaik. > >>> staff_t is not allowed to execute user_tmp_t, but it can if it goes >>> through sudo. >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > > Are you saying staff_t is not allowed to execute user_tmp_t in reference > policy? no, i am saying it can by default. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk1io6UACgkQMlxVo39jgT+BJwCfZ1uAiEHtttA+U/zhWWOLkEA2 7dAAoJBH1EkeVT4Weu3p4VRilE+hRyDf =ibFC -----END PGP SIGNATURE-----