Bug 178429 - selinux patch breaks sudo NOEXEC capability
Product: Fedora
Classification: Fedora
Component: sudo
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Karel Zak
Ben Levenson
Reported: 2006-01-20 10:06 EST by Gene Czarcinski
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-01-24 04:21:49 EST
Description Gene Czarcinski 2006-01-20 10:06:50 EST
Description of problem:

1. I am reporting this against FC5test1/development/rawhide although FC4 has the
problem also.

2. I am leaving this a normal severity although there is a good argument (to me)
that it is really a security problem.

sudo 1.6.8 added a capability to suppress "shelling out" of a program such as vi
with the NOEXEC option.  This is an important security feature since it
prohibits a sudo user from getting general access to root.

With the selinux patch applied, you get the message:

   /usr/sbin/sesh: Error execing /bin/vi: Permission denied

if NOEXEC is specified in the /etc/sudoers file (e.g., Defaults noexec).

If the sudo package is rebuilt without the selinux patch, then the NOEXEC
capability works as it should ... "sudo vi" can edit a file but ":!bash" does
not work.
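The rules at issue are sudoers command specifications. The POSIX shell script below is an added example, not part of the bug report or of sudo itself: it flags rules that grant programs known to shell out (vi, less, ...) without the NOEXEC tag, unless a global Defaults noexec is set. The list of shell-capable programs and the two sample sudoers fragments are constructed assumptions.

```shell
#!/bin/sh
# Audit a sudoers file for rules that let a user run an editor or pager
# known to shell out (vi, less, ...) as root without the NOEXEC tag.
# A global "Defaults noexec" makes every rule NOEXEC, so nothing is flagged.
# Heuristic only: it does not expand aliases or honour per-rule EXEC: tags,
# and it cannot tell whether noexec is actually enforced at run time.

SHELLOUT_PROGS='vi|vim|view|less|more|man|emacs|nano'   # assumed list

# audit_sudoers FILE: print one "WEAK: <rule>" line per unprotected rule.
audit_sudoers() {
    awk -v progs="$SHELLOUT_PROGS" '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*$/ { next }                     # skip blank lines
        /^[ \t]*Defaults/ {                     # global noexec?
            if ($0 ~ /(^|[ \t,])noexec([ \t,]|$)/) global = 1
            next
        }
        /^[ \t]*[A-Za-z_]+_Alias/ { next }      # alias definitions
        /=/ {                                   # user host = (runas) [TAG:] cmds
            cmds = $0; sub(/^[^=]*=[ \t]*/, "", cmds)
            if (cmds ~ ("(^|/)(" progs ")([ \t,]|$)") && cmds !~ /NOEXEC:/)
                weak[++n] = $0
        }
        END {
            if (!global) for (i = 1; i <= n; i++) print "WEAK: " weak[i]
        }' "$1"
}

# count_weak_rules FILE: number of WEAK lines, for scripting and tests.
count_weak_rules() {
    audit_sudoers "$1" | awk 'END { print NR }'
}

# Constructed sample sudoers fragments, not taken from any real host.
demo=$(mktemp -d)
cat > "$demo/weak" <<'EOF'
# "sudo vi" here lets gene run ":!bash" as root
gene ALL = (root) /usr/bin/vi, /usr/bin/less
ops ALL = NOEXEC: /usr/bin/vim
Cmnd_Alias SAFE = /sbin/service httpd restart
EOF
cat > "$demo/fixed" <<'EOF'
Defaults noexec
gene ALL = (root) /usr/bin/vi
EOF

audit_sudoers "$demo/weak"      # prints the gene rule
audit_sudoers "$demo/fixed"     # prints nothing
```

Since this bug shows noexec can be configured yet not enforced, confirm at run time as the reporter did: run sudo vi and check that :!bash fails.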
Comment 1 Stephen Smalley 2006-01-20 10:37:38 EST
I think that based on prior discussions of separating SELinux role changes from
Unix user identity changes on selinux list and the removal of pam_selinux from
su's pam config, I would recommend dropping the sudo selinux patch altogether.
Ditto for the corresponding pieces of SELinux code in usermode/userhelper.

As to the severity of this bug, IIUC, the current selinux patch is merely
preventing this new 'feature' of sudo from working, not creating a security hole
itself.  Admittedly, preventing people from using this new 'feature' might yield
a security hole if the admin then proceeds to authorize some user to perform a
sudo vi w/o NOEXEC without fully trusting the user, but that seems fairly broken
to me anyway (I'd never rely on sudo to prevent such privilege escalation).
Comment 2 Gene Czarcinski 2006-01-20 11:17:43 EST
Agreed that sudo and the sudo NOEXEC capabilities are not really good solutions
but I need something which will work across multiple system types (Solaris, xBSD,
RHEL, FC, etc.) and which will at least raise the security barrier a little.
Sudo looked like a "good enough" fix but then we realized that there was the
shell-out escape ... NOEXEC looked like a fix for that.
Comment 3 Karel Zak 2006-01-24 04:21:49 EST
Fixed. The selinux patch has been removed from the devel branch.
Comment 4 Martin Ebourne 2006-01-30 17:11:45 EST
Worth making this a FC4 update?