Bug 178429 - selinux patch breaks sudo NOEXEC capability
Summary: selinux patch breaks sudo NOEXEC capability
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo   
(Show other bugs)
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Karel Zak
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2006-01-20 15:06 UTC by Gene Czarcinski
Modified: 2007-11-30 22:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-24 09:21:49 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Gene Czarcinski 2006-01-20 15:06:50 UTC
Description of problem:

1. I am reporting this against FC5test1/development/rawhide although FC4 has the
problem also.

2. I am leaving this a normal severity although there is a good argument (to me)
that it is really a security problem.

sudo 1.6.8 added a capability to suppress "shelling out" of a program such as vi
with the NOEXEC option.  This is an important security feature since it
prohibits a sudo user from getting general access to root.

With the selinux patch applied, you get the message:

   /usr/sbin/sesh: Error execing /bin/vi: Permission denied

if NOEXEC is specified in the /etc/sudoers file (e.g., Defaults noexec).

If the sudo package is rebuilt without the selinux patch, then the NOEXEC
capability works as it should ... "sudo vi" can edit a file but ":!bash" does
not work.

Comment 1 Stephen Smalley 2006-01-20 15:37:38 UTC
I think that based on prior discussions of separating SELinux role changes from
Unix user identity changes on selinux list and the removal of pam_selinux from
su's pam config, I would recommend dropping the sudo selinux patch altogether.
Ditto for the corresponding pieces of SELinux code in usermode/userhelper.

As to the severity of this bug, IIUC, the current selinux patch is merely
preventing this new 'feature' of sudo from working, not creating a security hole
itself.  Admittedly, preventing people from using this new 'feature' might yield
a security hole if the admin then proceeds to authorize some user to perform a
sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken
to me anyway (I'd never rely on sudo to prevent such privilege escalation).

Comment 2 Gene Czarcinski 2006-01-20 16:17:43 UTC
Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions
but I need something which will work across mutiple system types (Solaris, xBSD,
RHEL, FC, etc.) and which will at least raise the security barrier a little. 
Sudo looked like a "good enough" fix but then we realized that there was the
shell-out escape ... NOEXEC looked like a fix for that.

Comment 3 Karel Zak 2006-01-24 09:21:49 UTC
Fixed. The selinux patch has been removed from the devel branch.

Comment 4 Martin Ebourne 2006-01-30 22:11:45 UTC
Worth making this a FC4 update?


Note You need to log in before you can comment on or make changes to this bug.