Bug 178429
| Field | Value |
|---|---|
| Summary | selinux patch breaks sudo NOEXEC capability |
| Product | Fedora |
| Reporter | Gene Czarcinski <gczarcinski> |
| Component | sudo |
| Assignee | Karel Zak <kzak> |
| Status | CLOSED RAWHIDE |
| QA Contact | Ben Levenson <benl> |
| Severity | medium |
| Priority | medium |
| Version | 5 |
| CC | dwalsh, fedora, sdsmall |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2006-01-24 09:21:49 UTC |
Description
Gene Czarcinski
2006-01-20 15:06:50 UTC
I think that based on prior discussions of separating SELinux role changes from Unix user identity changes on selinux list and the removal of pam_selinux from su's pam config, I would recommend dropping the sudo selinux patch altogether. Ditto for the corresponding pieces of SELinux code in usermode/userhelper. As to the severity of this bug, IIUC, the current selinux patch is merely preventing this new 'feature' of sudo from working, not creating a security hole itself. Admittedly, preventing people from using this new 'feature' might yield a security hole if the admin then proceeds to authorize some user to perform a sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken to me anyway (I'd never rely on sudo to prevent such privilege escalation).

Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions but I need something which will work across multiple system types (Solaris, xBSD, RHEL, FC, etc.) and which will at least raise the security barrier a little. Sudo looked like a "good enough" fix but then we realized that there was the shell-out escape ... NOEXEC looked like a fix for that.

Fixed. The selinux patch has been removed from the devel branch. Worth making this a FC4 update?

Ref: https://www.redhat.com/archives/fedora-selinux-list/2006-January/msg00180.html
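An added sudoers example, not taken from this bug report, showing the kind of entry the discussion is about: the weak "sudo vi w/o NOEXEC" rule, the NOEXEC-tagged rule that closes the editor's shell-out escape, and the sudoedit alternative. The user name and file paths are assumptions.

```sudoers
# Weak: vi runs as root, and vi's shell-out gives the user a root shell.
alice   ALL = (root) /usr/bin/vi /etc/motd

# Hardened: the NOEXEC tag makes sudo preload sudo_noexec.so into vi,
# so any attempt by vi to execute another program fails.
alice   ALL = (root) NOEXEC: /usr/bin/vi /etc/motd

# Safer still: sudoedit copies the file, runs the editor as the user,
# and only the final copy-back happens as root.
alice   ALL = (root) sudoedit /etc/motd
```

Check the result with `sudo -l` as that user, which lists the NOEXEC tag on the entry; since NOEXEC works through LD_PRELOAD it does not constrain statically linked programs or setuid binaries, which is why this bug mattered once the sudo selinux patch stopped the preload from taking effect.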