Bug 1212949

Summary: sshuttle.service: sshuttle: sudo: The "no new privileges" flag is set, which prevents sudo from running as root.
Product: [openSUSE] openSUSE Distribution
Reporter: Andreas Vetter <vetter>
Component: Security
Assignee: Johannes Segitz <jsegitz>
Status: NEW ---
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: jsegitz
Version: Leap 15.5
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Vetter 2023-07-03 14:10:34 UTC
sshuttle cannot run as a service using "systemctl start sshuttle":

sshuttle[27072]: sudo: The "no new privileges" flag is set, which prevents sudo from running as root.

This might be due to the hardenings from #1181400, since most of the Private*=True and Protect*=True settings also imply NoNewPrivileges=yes.

A plain "sudo -u sshuttle sshuttle -r root@sever.com 10.1.2.3/16" does work.
Comment 1 Andreas Vetter 2023-07-03 19:36:56 UTC
Setting the following makes sshuttle work again:

[Service]
PrivateDevices=false
ProtectClock=false
ProtectHostname=false
ProtectKernelTunables=false
ProtectKernelModules=false
ProtectKernelLogs=false
RestrictRealtime=false
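
An added example, not part of the bug report or the sshuttle package: a Python check that merges a unit's [Service] settings with its drop-ins and lists which of the seven directives from Comment 1 are still enabled for a non-root service. It assumes, per systemd.exec(5), that the implication only applies when User= names a non-root account; the sample unit, drop-in and function names are constructed.

```python
# Directives taken from Comment 1 of this bug; not an exhaustive list
# of everything in systemd.exec(5) that implies NoNewPrivileges=yes.
IMPLIES_NNP = {
    "PrivateDevices", "ProtectClock", "ProtectHostname",
    "ProtectKernelTunables", "ProtectKernelModules",
    "ProtectKernelLogs", "RestrictRealtime",
}
TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd booleans, case-insensitive


def service_settings(*unit_texts):
    """Merge [Service] keys from a unit and its drop-ins; last value wins."""
    settings = {}
    for text in unit_texts:
        section = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings


def implied_nnp(*unit_texts):
    """Enabled directives that force NoNewPrivileges on ([] if none or root)."""
    s = service_settings(*unit_texts)
    # Assumption: a missing User= or User=root means the implication is skipped.
    if s.get("User", "root") in ("", "root", "0"):
        return []
    return sorted(k for k in IMPLIES_NNP if s.get(k, "").lower() in TRUE_VALUES)


# Constructed sample unit (not the packaged sshuttle.service).
# NoNewPrivileges=no is ignored by the check: it cannot undo the implication.
HARDENED = """[Service]
User=sshuttle
ExecStart=/usr/bin/sshuttle -r user@host.example 192.0.2.0/24
NoNewPrivileges=no
PrivateDevices=True
ProtectClock=True
ProtectHostname=True
"""
# Constructed drop-in, a shortened form of the override in Comment 1.
DROPIN = "[Service]\nPrivateDevices=false\nProtectClock=false\nProtectHostname=false\n"
```

Calling `implied_nnp(HARDENED)` names the settings that will make sudo fail inside the service; passing the drop-in as a second argument shows whether the override clears all of them.
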
Comment 2 Johannes Segitz 2023-07-04 06:44:32 UTC
I hate these implied settings. I'll have a look
Comment 3 Johannes Segitz 2023-07-04 08:27:04 UTC
It's too bad that NNP can't be force disabled. I removed these settings and submitted
Comment 4 OBSbugzilla Bot 2023-07-04 09:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1212949) was mentioned in
https://build.opensuse.org/request/show/1096699 Backports:SLE-15-SP4 / sshuttle
https://build.opensuse.org/request/show/1096700 Backports:SLE-15-SP5 / sshuttle
Comment 5 Marcus Meissner 2023-07-07 16:05:35 UTC
openSUSE-RU-2023:0168-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1212949
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src): sshuttle-1.1.0-bp154.2.3.1
Comment 6 Marcus Meissner 2023-07-07 19:05:29 UTC
openSUSE-RU-2023:0170-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1212949
CVE References:
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src): sshuttle-1.1.1-bp155.2.3.1