Workarounds and Solutions

For newrole(1)/SELinux:

  - Confine every network-facing client application, document viewers included, with its own targeted policy module rather than leaving it unconfined. Anything that renders content received over the network is a candidate for hijacking.

  - Instead of the targeted policy, use something stricter. To deploy a web server, for example, write a policy in which the sole function of the system is to serve web pages, which implicitly disallows any client application that could be hijacked.

For sudo(1):

  - Write very strict sudoers(5) policies and thoroughly audit every application that sudo(1) users are allowed to run: any of them that can spawn a shell or execute an arbitrary command defeats the restriction.

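As an added example that is not part of the original advisory, the following POSIX sh script audits a sudoers(5) policy for the entries a strict policy should not contain: a command list of ALL, a runas of ALL, NOPASSWD tags, and programs known to offer a shell escape that are not tagged NOEXEC. The lax and strict sudoers texts inside it are constructed for the example, the list of shell-escaping programs is an assumed starter list, and the audit_sudoers function and its output format are this example's own, not anything shipped with sudo.

```shell
#!/bin/sh
# Added example, not code from the original advisory: a small sudoers(5)
# audit that flags entries a strict policy should not contain. The two
# sudoers texts below are constructed for the example; to audit a real
# file run: audit_sudoers "$(cat /etc/sudoers)"

set -u
set -f   # no pathname expansion: sudoers command specs may contain wildcards

# Constructed, deliberately lax policy with the problems a review should catch.
LAX_SUDOERS='# constructed sample, not a real policy
Defaults env_reset
alice   ALL=(ALL) ALL
%wheel  ALL=(root) NOPASSWD: /bin/bash, /usr/bin/vim
bob     ALL=(root) /usr/sbin/service httpd reload'

# Constructed strict policy for the same people: named commands, root only,
# password required, and NOEXEC on the pager so its "!" escape cannot spawn
# a shell. NOEXEC does not stop less from opening other files, so keep the
# readable file fixed in the spec as done here.
STRICT_SUDOERS='# constructed sample, not a real policy
Defaults env_reset
alice   ALL=(root) /usr/sbin/service httpd reload, /usr/sbin/service httpd status
%wheel  ALL=(root) NOEXEC: /usr/bin/less /var/log/httpd/error_log
bob     ALL=(root) /usr/sbin/service httpd reload'

# Programs that hand the caller a shell or arbitrary command once running.
# Assumed starter list for the example; grow it from your own audit.
SHELL_ESCAPE_CMDS=' /bin/sh /bin/bash /usr/bin/vim /usr/bin/vi /usr/bin/less /usr/bin/more /usr/bin/find /usr/bin/awk '

# audit_sudoers POLICY_TEXT
# Prints one finding per line and returns the number of findings (0 = clean).
# Lexical only: Cmnd_Alias references and #include files are not resolved.
audit_sudoers() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*|*_Alias*) continue ;;   # not a user specification
        esac
        user=${line%%[[:space:]]*}
        spec=${line#*=}                  # "(runas) [TAG:] cmd, cmd"
        runas=root                       # sudoers default when no (runas) given
        case "$spec" in
            '('*) runas=${spec#\(}; runas=${runas%%\)*}; spec=${spec#*\)} ;;
        esac
        if [ "$runas" = ALL ]; then
            echo "$user: may run commands as any user"; findings=$((findings + 1))
        fi
        noexec=no
        while :; do
            spec=${spec#"${spec%%[![:space:]]*}"}   # trim leading blanks
            case "$spec" in
                NOEXEC:*)   noexec=yes; spec=${spec#*:} ;;
                NOPASSWD:*) echo "$user: NOPASSWD grants root without authentication"
                            findings=$((findings + 1)); spec=${spec#*:} ;;
                PASSWD:*|EXEC:*|SETENV:*|NOSETENV:*) spec=${spec#*:} ;;
                *) break ;;
            esac
        done
        oldifs=$IFS; IFS=','; set -- $spec; IFS=$oldifs   # split command list
        for cmd in "$@"; do
            cmd=${cmd#"${cmd%%[![:space:]]*}"}
            prog=${cmd%%[[:space:]]*}
            if [ "$prog" = ALL ]; then
                echo "$user: may run any command"; findings=$((findings + 1))
            elif [ "$noexec" = no ]; then
                case "$SHELL_ESCAPE_CMDS" in
                    *" $prog "*) echo "$user: $prog can escape to a shell (no NOEXEC)"
                                 findings=$((findings + 1)) ;;
                esac
            fi
        done
    done <<EOF
$1
EOF
    return "$findings"
}

echo "== lax policy =="
audit_sudoers "$LAX_SUDOERS"
echo "findings: $?"
echo "== strict policy =="
audit_sudoers "$STRICT_SUDOERS"
echo "findings: $?"
```

The lax policy yields five findings (two for alice, three for the wheel group) and the strict one none. The exit status of audit_sudoers is the finding count, so it can gate a deployment, but the check is lexical: it does not resolve Cmnd_Alias names or included files, so treat a clean result as the starting point for the manual review the advisory asks for, not a substitute.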
For su(1):

  - Option 1: Patch su(1) to disable the '-c' option.

  - Option 2: Use SELinux with newrole(1) and a policy that protects against this type of attack, or use sudo(1) as described above.

  - Option 3: A PAM module could be written to protect against this type of attack.