Bugzilla – Full Text Bug Listing
| Summary: | intercept breaks "sudo su - applid" unless user has root authority too on RHEL 8.8 | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Joe Odenweller <joe.odenweller> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | ASSIGNED --- | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.9.15 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
It sounds like intercept is working as expected. The su command executes /bin/bash which testuser is not permitted to run. An alternative is to allow the user to run /bin/bash instead of /usr/bin/su and have them run "sudo -i" instead of "sudo su -". However, you will still have the problem that any commands run from the shell's startup files need to be allowed as well.

The user is su'ing to an application id, but the complaint is about /bin/bash as root. Who needs /bin/bash as root? Are you creating a full login environment to run /usr/bin/su?

```
jodenwel 3227590 3227587 0 06:55 ?     00:00:00 sshd: jodenwel@pts/0
jodenwel 3227591 3227590 0 06:55 pts/0 00:00:00 -bash
root     3229185 3227591 0 06:56 pts/0 00:00:00 sudo su - bzj0x4
root     3229187 3229185 0 06:56 pts/1 00:00:00 sudo su - bzj0x4
root     3229188 3229187 0 06:56 pts/1 00:00:00 su - bzj0x4
bzj0x4   3229189 3229188 0 06:56 pts/1 00:00:00 -bash
```

User jodenwel has full authority in sudo. PID 3229185 is the initial command entered by jodenwel. PID 3229187 is where you move the work onto a new pseudo tty. I assume this facilitates capturing all the screen IO. PID 3229188 is the su command running as root. I assume you duplicated 3229187 and then exec'd /usr/bin/su on top of yourself. Are you trying to use /bin/bash here?

It just sunk in. If I want to give a rule for su - applid, I will either have to turn off intercept for the command or I will have to give a rule for (applid) ALL to be equivalent to what it was before intercept. That still doesn't explain /bin/bash and root.

The intercept support doesn't currently handle a program changing its user-ID. It just traps the call to execute /bin/bash and looks that up in the policy using the same runas user as the original command.
A user, testuser, is allowed "sudo su - applid". Without "Defaults intercept" everything works, with "Defaults intercept" he gets the following. Since I have sudo everything I don't see the issue.

```
$ sudo su - applid
Last login: Fri Nov 17 13:01:42 PST 2023 on pts/3
Sorry, user testuser is not allowed to execute '/bin/bash' as root on system1.
su: failed to execute /bin/bash: Permission denied
$
```

```
[root@system1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.8 (Ootpa)
[root@system1 ~]# sudo -V
Sudo version 1.9.15p2
Configure options: --prefix=/usr --with-logging=syslog --with-logfac=authpriv --with-pam --enable-zlib=system --with-editor=/bin/vi --with-env-editor --with-ignore-dot --with-ldap --with-passprompt=[sudo] password for %p: --with-sendmail=/usr/sbin/sendmail --enable-warnings --cache-file=../config.cache --enable-package-build --with-selinux --with-linux-audit --with-pam-login --with-sssd --with-sssd-lib=/usr/lib64 --with-ldap-conf-file=/etc/sudo-ldap.conf --enable-openssl --enable-python --disable-tmpfiles.d
Sudoers policy plugin version 1.9.15p2
Sudoers file grammar version 50
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/db/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety: TZ TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
Environment variables to remove: *=()* RUBYOPT RUBYLIB PYTHONUSERBASE PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG JAVA_TOOL_OPTIONS SHELLOPTS BASHOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS
Environment variables to preserve: KDEDIR QTDIR _XKB_CHARSET LC_* LINGUAS LANGUAGE LANG XDG_CURRENT_DESKTOP XAUTHORIZATION XAUTHORITY PS2 PS1 PATH LS_COLORS KRB5CCNAME HOSTNAME DISPLAY COLORS
Locale to use while parsing sudoers: C
Log the output of the command being run
Log the command's standard output if not connected to a terminal
Log the command's standard error if not connected to a terminal
Log the terminal output of the command being run
Compress I/O logs using zlib
Always run commands in a pseudo-tty
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Maximum I/O log sequence number: 100000
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the I/O log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Enable SELinux RBAC support
Log sub-commands run by the original command
Allow an intercepted command to run set setuid or setgid programs
The largest size core dump file that may be created (in bytes): 0,0
Store plaintext passwords in I/O log input
List of regular expressions to use when matching a password prompt [Pp]assword[: ]*
The mechanism used by the intercept and log_subcmds options: trace
Attempt to verify the command and arguments after execution
Local IP address and netmask pairs: 10.192.14.126/255.255.255.0 10.192.228.118/255.255.248.0 192.168.122.1/255.255.255.0
Sudoers I/O plugin version 1.9.15p2
Sudoers audit plugin version 1.9.15p2
```
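The following sudoers fragment is an added example; it is not part of the bug report and not code from the sudo project. It puts the rule from the report next to the two ways out that the thread names: switching intercept off for the su rule, or granting `(applid) ALL` and having the user open the login shell through sudo itself. The user, host and account names (testuser, system1, applid) are taken from the report; the per-command `Defaults!` form and the `NOINTERCEPT` tag are documented sudoers syntax, but confirm both against the `sudoers(5)` shipped with your version with `visudo -c` before relying on them.

```sudoers
# Added example, not from the bug report. Names follow the report; the
# su and bash paths are the RHEL 8 defaults shown in the thread.

# Global intercept: every exec() made by an allowed command is looked up in
# sudoers again, using the SAME runas user as the rule that started it.
Defaults intercept

# 1. The rule from the report. su runs as root and then execs /bin/bash;
#    with intercept on, that exec is checked as "(root) /bin/bash" for
#    testuser, which this rule does not grant, so su reports
#    "failed to execute /bin/bash: Permission denied".
testuser system1 = (root) /usr/bin/su - applid

# 2a. Keep intercept globally but exempt this one command, so the su rule
#     behaves as it did before intercept was enabled. Either a
#     per-command Defaults entry ...
Defaults!/usr/bin/su !intercept
#     ... or the NOINTERCEPT tag on the rule itself (pick one; both are
#     shown here only for comparison).
testuser system1 = (root) NOINTERCEPT: /usr/bin/su - applid

# 2b. Keep intercept on the shell and state what "su - applid" already
#     implies: testuser may run anything as applid. The user then opens
#     the login shell with
#         sudo -i -u applid
#     so the original runas user is applid, and every sub-command the
#     shell and its startup files exec is checked as "(applid) <cmd>",
#     which ALL matches. This does not repair "sudo su - applid" itself:
#     as the thread notes, that path still checks /bin/bash as root.
testuser system1 = (applid) ALL

# Checks after editing (run as root):
#   visudo -c                      syntax check of the whole policy
#   sudo -l -U testuser            rules sudo will apply to testuser
#   sudo -u applid -i              from testuser's shell: login as applid
# With log_subcmds enabled (as in the reporter's sudo -V output), the
# intercepted execs, including the denied /bin/bash, appear in the sudo
# log, which is the quickest way to see which rule a sub-command hit.
```

Of the two, 2a restores the pre-intercept behaviour exactly but also gives up the sub-command checks for that rule; 2b keeps them at the cost of rewriting the user's habit from `sudo su - applid` to `sudo -i -u applid`, which is the shape Todd suggests in the thread.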