[strace/strace] Sudo effective user don't work with --seccomp-bpf (#126)

Dmitry V. Levin notifications at github.com
Tue Feb 25 22:39:33 UTC 2020


On Tue, Feb 25, 2020 at 04:05:10AM -0800, Dmytro Kolomoiets wrote:
> Literally. This works:
> ```bash
> $ sudo strace -qqu $USER -e trace=execve -e signal=none -- sudo true
> 
> execve("/usr/bin/sudo", ["sudo", "true"], 0x7ffe1fc6b730 /* 13 vars */) = 0
> ```
> And this does not:
> ```bash
> $ sudo strace --seccomp-bpf -fqqu $USER -e trace=execve -e signal=none -- sudo true
> 
> execve("/usr/bin/sudo", ["sudo", "true"], 0x7ffc693481d8 /* 13 vars */) = 0
> sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
> 
> ```
> Is it a temporary regression, or is `--seccomp-bpf` fundamentally impossible for this use case?

This is a limitation of the current implementation which sets
PR_SET_NO_NEW_PRIVS unconditionally.  Apparently, in an unlikely case when
strace is privileged enough, there is no need to set PR_SET_NO_NEW_PRIVS.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/strace/strace/issues/126#issuecomment-591109250
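
The condition described in the reply above, as an added example that is not strace's own code: the kernel accepts a seccomp filter from a caller that has either no_new_privs set or CAP_SYS_ADMIN, so a sufficiently privileged tracer can skip PR_SET_NO_NEW_PRIVS and leave setuid programs such as sudo working after execve. The function names are hypothetical, and the allow-all filter stands in for a real syscall filter.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* SECCOMP_SET_MODE_FILTER needs no_new_privs unless the caller has CAP_SYS_ADMIN. */
static int nnp_required(uint64_t cap_eff) { return !(cap_eff & (1ULL << CAP_SYS_ADMIN)); }

/* Effective capability mask of this process; 0 (unprivileged) if /proc is unreadable. */
static uint64_t read_cap_eff(void)
{
	char line[256];
	unsigned long long caps = 0;
	FILE *f = fopen("/proc/self/status", "r");
	while (f && fgets(line, sizeof line, f))
		if (sscanf(line, "CapEff: %llx", &caps) == 1) break;
	if (f) fclose(f);
	return caps;
}

/* Install an allow-all filter, setting no_new_privs only when required. 0 or -errno. */
static int install_filter(uint64_t cap_eff)
{
	struct sock_filter insn[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW) };
	struct sock_fprog prog = { .len = 1, .filter = insn };
	if (nnp_required(cap_eff) && prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
		return -errno;
	return syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) ? -errno : 0;
}

/* Runs in a child so the caller stays unfiltered. Returns the child's
 * no_new_privs flag (0 or 1), 2 if the install failed, -1 on fork/wait error. */
static int child_nnp_after_filter(uint64_t cap_eff)
{
	int st;
	pid_t pid = fork();
	if (pid == 0)
		_exit(install_filter(cap_eff) ? 2 : prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0));
	if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
	return WEXITSTATUS(st);
}

int main(void) { printf("no_new_privs after filter: %d\n", child_nnp_after_filter(read_cap_eff())); return 0; }
```

A result of 0 means the filter went in without no_new_privs, which is the case where a traced `sudo` can still gain its effective uid; 1 corresponds to the failing invocation in the report.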