Bugzilla – Bug 611
root user can change its SELinux context without password
Last modified: 2013-08-27 01:04:09 MDT
Users who acquire a root shell on a SELinux system can change their SELinux context without entering any password, unlike with the newrole command.

Steps to reproduce:
1. Log into a SELinux system as a sudoer user whose SELinux user is staff_u:staff_r:staff_t.
2. Spawn a root shell (with su, sudo -s or by exploiting a privilege escalation vulnerability).
3. Run "sudo -r sysadm_r -t sysadm_t -s" to become SELinux user staff_u:sysadm_r:sysadm_t.

Actual results:
Root user can change role without entering its password.

Expected results:
The third command should ask for the root password to change role, like newrole does.

Additional info:
On a system where there is no root password, staff_u users can use "sudo -r sysadm_r -t sysadm_t" to run commands in the staff_u:sysadm_r:sysadm_t context, or use newrole before running sudo. All of these commands ask for the user password, as expected.

I did these tests on an amd64 Debian sid system with the sudo 1.8.7-3 package.
Thanks, this will be fixed in sudo 1.8.8. The fix is present in the second beta release of sudo 1.8.8, available now.
I confirm that commit http://www.sudo.ws/repos/sudo/rev/f8b599acb29d fixes this bug.
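A defender-side check that follows from the maintainer's note above that the fix ships in sudo 1.8.8: the POSIX shell snippet below is an added example, not part of this bug report or of the sudo project. It takes a sudo version string as printed by "sudo -V" ("Sudo version 1.8.7p2") or as a distro package version ("1.8.7-3"), reduces it to major.minor.micro and reports whether it predates 1.8.8. The function names and the treatment of suffixes are my assumptions: the "p" patch level and the Debian revision are dropped because the fix landed in a new upstream release, and a pre-release tag such as "b1" is not distinguished from the final 1.8.8, so the beta that the maintainer mentions is reported as not affected.

```shell
#!/bin/sh
# Added example (not from the bug report or the sudo project): classify a sudo
# version string against the 1.8.8 release that carries the fix for bug 611.

FIXED_VERSION="1.8.8"   # release named in the maintainer comment on this bug

# normalize_version VERSION
# Prints "MAJOR MINOR MICRO" (missing parts as 0); fails if no version is found.
# Leading text ("Sudo version ") and anything after the numeric part ("p2",
# "-3", "b1") are discarded; pre-release tags are therefore not distinguished.
normalize_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p')
    [ -n "$v" ] || return 1
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    micro=${rest%%.*}
    printf '%s %s %s\n' "${major:-0}" "${minor:-0}" "${micro:-0}"
}

# version_lt A B
# Exit 0 when A sorts before B, comparing each component numerically
# (so 1.8.10 is newer than 1.8.7, unlike a plain string comparison);
# exit 1 when A is equal or newer; exit 2 when either string is unparseable.
version_lt() {
    a=$(normalize_version "$1") || return 2
    b=$(normalize_version "$2") || return 2
    set -- $a $b
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# sudo_vulnerable_to_bug611 VERSION
# Exit 0 when VERSION is older than the fixed release (hypothetical helper name).
sudo_vulnerable_to_bug611() {
    version_lt "$1" "$FIXED_VERSION"
}

# Entry point: classify each version string given on the command line, e.g.
#   sh check_sudo_bug611.sh "1.8.7-3" "$(sudo -V | head -n 1)"
for arg in "$@"; do
    rc=0
    sudo_vulnerable_to_bug611 "$arg" || rc=$?
    case $rc in
        0) echo "$arg: older than $FIXED_VERSION, root can switch SELinux role without a password" ;;
        1) echo "$arg: $FIXED_VERSION or newer, not affected by bug 611" ;;
        *) echo "$arg: no version number found" ;;
    esac
done
```

On a Debian system the package version can be fed in directly from "dpkg-query -W -f '${Version}' sudo"; the Debian revision after the hyphen is ignored by the parser, which matches the reporter's "1.8.7-3" to upstream 1.8.7.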