isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix sudoedit when running with SELinux RBAC mode.

Browse Source 
We can't use run_command() to run sesh, that will use the sudo event
loop (and might run it in a pty!).
There's no need to relabel the tty when copying files.
Get the path to sesh from sudo.conf.

Currently, for SELinux RBAC, the editor runs with the target user's
security context. This defeats the purpose of sudoedit.  Fixing
that requires passing file descriptors between the main sudo process
(running with the invoking user's security context) and sesh (runnning
with the target user's security context).
This commit is contained in:
Todd C. Miller
2020-04-21 14:29:23 -06:00
parent 009876bf36
commit 76bf9a73bc
7 changed files with 93 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/sudo.c
View File

@@ -974,10 +974,6 @@ run_command(struct command_details *details)
case CMD_WSTATUS:
/* Command ran, exited or was killed. */
status = cstat.val;
#ifdef HAVE_SELINUX
if (ISSET(details->flags, CD_SUDOEDIT_COPY))
break;
#endif
iolog_close(status, 0);
policy_close(status, 0);
audit_close(SUDO_PLUGIN_WAIT_STATUS, cstat.val);