178429 – selinux patch breaks sudo NOEXEC capability

Bug 178429 - selinux patch breaks sudo NOEXEC capability

Summary: selinux patch breaks sudo NOEXEC capability

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	sudo
Sub Component:
Version:	5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Karel Zak
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-01-20 15:06 UTC by Gene Czarcinski
Modified:	2007-11-30 22:11 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-01-24 09:21:49 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Gene Czarcinski 2006-01-20 15:06:50 UTC

Description of problem:

1. I am reporting this against FC5test1/development/rawhide although FC4 has the
problem also.

2. I am leaving this a normal severity although there is a good argument (to me)
that it is really a security problem.

sudo 1.6.8 added a capability to suppress "shelling out" of a program such as vi
with the NOEXEC option.  This is an important security feature since it
prohibits a sudo user from getting general access to root.

With the selinux patch applied, you get the message:

   /usr/sbin/sesh: Error execing /bin/vi: Permission denied

if NOEXEC is specified in the /etc/sudoers file (e.g., Defaults noexec).

If the sudo package is rebuilt without the selinux patch, then the NOEXEC
capability works as it should ... "sudo vi" can edit a file but ":!bash" does
not work.

Comment 1 Stephen Smalley 2006-01-20 15:37:38 UTC

I think that based on prior discussions of separating SELinux role changes from
Unix user identity changes on selinux list and the removal of pam_selinux from
su's pam config, I would recommend dropping the sudo selinux patch altogether.
Ditto for the corresponding pieces of SELinux code in usermode/userhelper.

As to the severity of this bug, IIUC, the current selinux patch is merely
preventing this new 'feature' of sudo from working, not creating a security hole
itself.  Admittedly, preventing people from using this new 'feature' might yield
a security hole if the admin then proceeds to authorize some user to perform a
sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken
to me anyway (I'd never rely on sudo to prevent such privilege escalation).

Comment 2 Gene Czarcinski 2006-01-20 16:17:43 UTC

Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions
but I need something which will work across mutiple system types (Solaris, xBSD,
RHEL, FC, etc.) and which will at least raise the security barrier a little. 
Sudo looked like a "good enough" fix but then we realized that there was the
shell-out escape ... NOEXEC looked like a fix for that.

Comment 3 Karel Zak 2006-01-24 09:21:49 UTC

Fixed. The selinux patch has been removed from the devel branch.

Comment 4 Martin Ebourne 2006-01-30 22:11:45 UTC

Worth making this a FC4 update?

Ref:
https://www.redhat.com/archives/fedora-selinux-list/2006-January/msg00180.html

Note You need to log in before you can comment on or make changes to this bug.