I've been reading a bit on Red Hat's PolicyKit, and
it got me thinking about sudo. The article I read
points out that if sudo decides to allow a user to
run some program, it runs that program as root.
This violates the principle of granting the least
privilege.
Linux Solaris, and other Unixes all support the
breakup of rootly power into a dozen or more
"capabilities" or "privileges". That is fine
except it depends on the application to drop
the excess privileges.
So please tell me if this is a good idea, or if
I'm just short of sleep and spouting nonsense:
I wonder if sudo could be extended to allow
an administrator to list the privileges/capabilities
to be granted. The sudo process could then
drop un-need privilege (all non-listed ones) before
fork/exec-ing the program. That means a virus
infected program run with sudo won't have excess
privilege.
I realize POSIX hasn't standardized a list of capabilities
or privileges (maybe they could standardize the
name
, except for the withdrawn draft of 1003.1e,
so the specific privileges/capabilities
allowed are OS specific. To deal with that, the list
could be optional in the sense that if a listed
privilege/capability isn't supported, it isn't
granted (silently). So a system admin could list
all the Linux, Solaris, ... ones to grant, and the
ones listed that don't apply to the current OS are
ignored. This would still allow a single
organization-wide sudoers file to be deployed on
different OSes.
Example sudoers entry:
Joe localhost = [CAP_CHOWN, PRIV_FILE_CHOWN] /bin/chown /var/www/*
^^^^^^^^^^^^^^^^^^^^^^^^^^^
(CAP_CHOWN is Linux/IEEE-1003.1e, PRIV_FILE_CHOWN is for Solaris.)
-Wayne
FAQ
Search
Profile
Private Messages
Log in
Linux