[sudo-users] sudo driven by LDAP accepting any passwd
Wes Rogers
wrogers at gmail.com
Fri Oct 20 16:30:43 EDT 2006
I've got a large setup of centralized sudo in LDAP.
Everything works fine, except I noticed today one very nasty problem.
If you are a user that is allowed sudoers access, you can type a
command that is permitted to you and if you type an incorrect passwd,
it proceeds anyway.
Has anyone come across this, and if so, what did I miss? Here are some
examples of the setup:
dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
sudoOption: logfile=/var/log/sudolog
sudoOption: insults

dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
cn: testrole
description: Testing
objectClass: top
objectClass: sudoRole
sudoCommand: ALL
sudoUser: +testusers
sudoHost: +testhosts

dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testusers
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,testuser,)
description: Testing Users

dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testhosts
description: Test Servers
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (testhost1,,,)
testhost1$ sudo su -
LDAP Config Summary
===================
host 10.0.0.1 10.0.0.2
port 389
ldap_version 3
sudoers_base ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
binddn cn=Auth,ou=Applications,ou=blah,dc=blah,dc=com
bindpw blah
ssl (no)
===================
ldap_init(10.0.0.1 10.0.0.2,389)
ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
ldap_bind() ok
found:cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
ldap sudoOption: 'ignore_local_sudoers'
ldap sudoOption: 'logfile=/var/log/sudolog'
ldap sudoOption: 'insults'
ldap search '(|(sudoUser=testuser)(sudoUser=%testgroup)(sudoUser=%testgroup)(sudoUser=ALL))'
ldap search 'sudoUser=+*'
found:cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
ldap sudoUser netgroup '+testusers' ... MATCH!
ldap sudoHost netgroup '+testhosts' ... MATCH!
ldap sudoCommand 'ALL' ... MATCH!
Perfect Matched!
user_matches=-1
host_matches=-1
sudo_ldap_check(0)=0x02
Password: <enter anything with keyboard>
[root at testhost ~]#
If I do NOT enter a passwd and just hit enter, it won't let me sudo.
But if I type correct/incorrect passwd, it lets me.
I'm also using the sudo.schema from
http://www.courtesan.com/sudo/readme_ldap.html
Thanks,
Wes
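The debug trace above shows sudo's LDAP lookup in three steps: fetch the cn=defaults options, then find sudoRole entries whose sudoUser, sudoHost and sudoCommand all match, resolving +name values through nisNetgroup triples. The following Python is an added example that is not part of Wes's post or of sudo itself; it re-implements that matching over a constructed LDIF copy of the quoted entries (the "blah" OU names are the post's own placeholders) and adds one check the post does not make explicit: whether any sudoOption actually turns password checking off (`!authenticate`). Nested netgroups (memberNisNetgroup), "!" negation and command argument matching are deliberately left out.

```python
"""Toy sudoRole evaluator over LDIF, mirroring the matching shown in the post's
sudo LDAP debug trace. Added example; not sudo's code and not from the post."""
import fnmatch

# Constructed LDIF reproducing the entries quoted in the post (no folding/base64).
LDIF = """\
dn: cn=defaults,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: logfile=/var/log/sudolog
sudoOption: insults

dn: cn=testrole,ou=sudo,ou=Applications,ou=blah,dc=blah,dc=com
cn: testrole
objectClass: top
objectClass: sudoRole
sudoCommand: ALL
sudoUser: +testusers
sudoHost: +testhosts

dn: cn=testusers,ou=Users,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testusers
objectClass: nisNetgroup
nisNetgroupTriple: (,testuser,)

dn: cn=testhosts,ou=Hosts,ou=Netgroups,ou=blah,dc=blah,dc=com
cn: testhosts
objectClass: nisNetgroup
nisNetgroupTriple: (testhost1,,,)
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attr: [values]} dicts, one per entry.
    Attribute names are lower-cased so lookups are case-insensitive like LDAP."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def _has_class(entry, cls):
    return cls in [v.lower() for v in entry.get("objectclass", [])]


def netgroup_members(entries, name, field):
    """Members of nisNetgroup `name`: field 0 = hosts, field 1 = users.
    A triple is (host,user,domain); the post's (testhost1,,,) has an extra
    comma, so the split is padded rather than assumed to be exactly three."""
    members = set()
    for e in entries:
        if _has_class(e, "nisnetgroup") and e.get("cn", [""])[0] == name:
            for triple in e.get("nisnetgrouptriple", []):
                parts = triple.strip().strip("()").split(",") + ["", "", ""]
                if parts[field]:
                    members.add(parts[field])
    return members


def user_matches(spec, user, groups, entries):
    if spec == "ALL":
        return True
    if spec.startswith("+"):            # netgroup, user field
        return user in netgroup_members(entries, spec[1:], 1)
    if spec.startswith("%"):            # unix group
        return spec[1:] in groups
    return spec == user


def host_matches(spec, host, entries):
    if spec == "ALL":
        return True
    if spec.startswith("+"):            # netgroup, host field
        return host in netgroup_members(entries, spec[1:], 0)
    return fnmatch.fnmatchcase(host, spec)


def command_matches(spec, command):
    # ALL, or same executable (arguments ignored in this toy).
    return spec == "ALL" or spec.split()[0] == command.split()[0]


def matching_roles(entries, user, host, command, groups=()):
    """cn of every sudoRole whose sudoUser, sudoHost and sudoCommand all match."""
    hits = []
    for e in entries:
        if not _has_class(e, "sudorole") or e.get("cn", [""])[0] == "defaults":
            continue
        if (any(user_matches(s, user, groups, entries) for s in e.get("sudouser", []))
                and any(host_matches(s, host, entries) for s in e.get("sudohost", []))
                and any(command_matches(s, command) for s in e.get("sudocommand", []))):
            hits.append(e["cn"][0])
    return hits


def default_options(entries):
    """sudoOption values from the cn=defaults sudoRole entry."""
    for e in entries:
        if _has_class(e, "sudorole") and e.get("cn", [""])[0] == "defaults":
            return e.get("sudooption", [])
    return []


def authentication_disabled(options):
    """True only if the defaults explicitly switch password checking off."""
    return "!authenticate" in options


if __name__ == "__main__":
    ents = parse_ldif(LDIF)
    print("roles for testuser@testhost1 'su -':", matching_roles(ents, "testuser", "testhost1", "su -"))
    print("defaults:", default_options(ents))
    print("LDAP disables authentication:", authentication_disabled(default_options(ents)))
```

Running it reproduces the trace's result (testrole matches for testuser on testhost1) and reports that none of the quoted options is `!authenticate`; that is the useful negative finding: the LDAP data does not ask sudo to skip the password, so the acceptance of a wrong password has to be looked for in the host's own authentication path rather than in sudoers-in-LDAP.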
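The symptom described in the post (an empty password is refused, any non-empty password is accepted) is easy to re-test mechanically after each configuration change. The script below is an added example, not from the post; it drives `sudo -k -S -p '' true` non-interactively with an empty and then a random bogus password and reports whether either one was accepted. The `sudo_cmd` parameter exists only so the check can be exercised against a stand-in command; in use it defaults to the real `sudo`.

```python
"""Check that sudo refuses both an empty and a wrong non-empty password.
Added example; not part of the original post."""
import os
import subprocess


def sudo_accepts(password, sudo_cmd=("sudo",)):
    """Feed `password` to `sudo -k -S -p '' true` and report whether the
    command ran. -k discards cached credentials so a live timestamp cannot
    mask the result; -S reads the password from stdin; -p '' hides the prompt."""
    proc = subprocess.run(
        list(sudo_cmd) + ["-k", "-S", "-p", "", "true"],
        input=password + "\n", capture_output=True, text=True,
    )
    return proc.returncode == 0


def check_password_enforcement(sudo_cmd=("sudo",)):
    """Return findings for the two cases the post contrasts. 'ok' is True
    only if sudo refused both passwords."""
    bogus = "not-the-real-password-" + os.urandom(4).hex()   # constructed, never valid
    results = {
        "empty_accepted": sudo_accepts("", sudo_cmd),
        "bogus_accepted": sudo_accepts(bogus, sudo_cmd),
    }
    results["ok"] = not (results["empty_accepted"] or results["bogus_accepted"])
    return results


if __name__ == "__main__":
    r = check_password_enforcement()
    for k, v in r.items():
        print(f"{k}: {v}")
    raise SystemExit(0 if r["ok"] else 1)
```

Run it as a user the LDAP sudoRole actually grants: sudo also refuses a wrong password for users it does not list, so a passing result for an unlisted account proves nothing. A failing result confirms the post's symptom independently of the LDAP lookup, which points the investigation at the host's authentication stack (the PAM or password backend sudo is compiled to use) rather than at the sudoRole data.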