From j at jamver.id.au Sat May 1 03:07:06 2010
From: j at jamver.id.au (James Lever)
Date: Sat, 1 May 2010 17:07:06 +1000
Subject: [sudo-users] LDAP defaults:user and NOPASSWD: configuration
Message-ID: <4DDE2C4C-8822-4953-A53F-D41796264553@jamver.id.au>

Hi All,

Does the current sudo support cn=defaults:user for per-user defaults configuration? And can this be set on a per-host or per-host-group basis?

Also, does parsing entries with NOPASSWD: work the same as /etc/sudoers? My testing seems to confirm that sudo attempts to use the first entry found even if it finds one with NOPASSWD: that would allow the requested command.

cheers,
James


From jespasac at minibofh.org Mon May 3 03:22:49 2010
From: jespasac at minibofh.org (Jordi Espasa Clofent)
Date: Mon, 03 May 2010 09:22:49 +0200
Subject: [sudo-users] Clarification on PAM
Message-ID: <4BDE79C9.1060005@minibofh.org>

> I have my sudo configuration in LDAP. In order to utilize this config
> I was under the impression that the sudo application had to be built
> with the --with-ldap configure option per client.

Yep.

> But it seems that if my client sudo app is configured with --with-pam
> and my pam sudo file is setup correctly, it can also utilize the LDAP
> sudo configuration without being configured with --with-ldap.

It's not a "configuration" issue, it's a simple compilation/support issue. Read carefully:

http://www.gratisoft.us/sudo/readme_ldap.html

If you compile with the '--with-ldap' option enabled you'll get LDAP support; if not, you won't. That's all. You're missing some point, sure.

-- 
I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.
Bene Gesserit Litany Against Fear.
From Robin.Battersby-Cornmell at uisl.unisys.com Tue May 4 05:52:19 2010
From: Robin.Battersby-Cornmell at uisl.unisys.com (Battersby-Cornmell, Robin Alasdair)
Date: Tue, 4 May 2010 10:52:19 +0100
Subject: [sudo-users] running a script in a specific directory as root
In-Reply-To: <4BDA4BDA.4010501@vecna.com>
References: <4BDA4BDA.4010501@vecna.com>

There is a bigger problem here. If you write the rule with a wildcard finish, your users could issue:

    sudo sh /net/common/installation/../../../usr/bin/shutdown

Probably better to script up what they are allowed to do and call that script with sudo. You can be prescriptive with your rules so they can run the script only, and you can then control what actually gets called.

Robin, Unisys, Liverpool

-----Original Message-----
From: larry prikockis [mailto:lprikockis at vecna.com]
Sent: 30 April 2010 04:18
To: sudo-users at sudo.ws
Subject: [sudo-users] running a script in a specific directory as root

I have a need for users to be able to run certain scripts located in subdirectories of /net/common (e.g., /net/common/installation/test/myScript.sh) as root using sudo. By adding a line like:

    bob ALL=/bin/sh /net/common/installation/*

to sudoers, Bob can log in and execute 'sudo sh /net/common/installation/test/myScript.sh' with no problem. However, is there a way to allow Bob to simply change to the /net/common/installation/test directory and then execute 'sudo ./myScript.sh' without specifying the full path?

Obviously, I don't want to simply allow users to run e.g. "myScript.sh" from any directory as root, since then there would be no way to prevent someone from creating a script called "myScript.sh" that contained commands I *don't* want a user running as root.
The idea is that most users have only read access to /net/common/installation/*

Any thoughts on how to make it less cumbersome for users (i.e., not requiring them to type the full path when they're already in the same directory as the script) while still retaining control over the location of the script being executed with root privs?

thanks for any help...

-- 
Larry J. Prikockis
System Administrator
240-965-4597 (direct)
lprikockis at vecna.com
www.vecna.com
Vecna Technologies, Inc.
6404 Ivy Lane Suite 500
Greenbelt, MD 20770
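Robin's suggestion above, written out as an added example (this is not code from the thread or from the sudo project): a single wrapper that the sudoers rule names instead of a wildcard path, which resolves the requested script and refuses anything that leaves the allowed tree. The wrapper name /usr/local/sbin/run-common-script, the rule in the comment, and the variable names ALLOWED_ROOT and SCRIPT_OWNER are assumptions made here.

```shell
#!/bin/sh
# run-common-script: wrapper that sudo allows instead of a wildcard rule.
# Assumed sudoers rule (not from the thread):
#   bob ALL=(root) /usr/local/sbin/run-common-script
# Users then type:  sudo run-common-script test/myScript.sh
# Only scripts that really live under ALLOWED_ROOT after resolving
# ".." and symlinks are run, so the traversal Robin describes is refused.

ALLOWED_ROOT="${ALLOWED_ROOT:-/net/common/installation}"   # assumed layout
SCRIPT_OWNER="${SCRIPT_OWNER:-root}"                       # required file owner

# resolve_allowed_script NAME
# Prints the canonical path of NAME when it is an ordinary file inside
# ALLOWED_ROOT, owned by SCRIPT_OWNER and not group/world writable;
# otherwise prints nothing and returns 1. Relative names are taken
# relative to ALLOWED_ROOT, so "test/myScript.sh" works from any cwd.
resolve_allowed_script() {
    name=$1
    case $name in
        /*) candidate=$name ;;
        *)  candidate=$ALLOWED_ROOT/$name ;;
    esac
    # realpath follows symlinks and collapses ".."; it fails if the
    # directory part does not exist
    resolved=$(realpath "$candidate" 2>/dev/null) || return 1
    root=$(realpath "$ALLOWED_ROOT" 2>/dev/null) || return 1
    case $resolved in
        "$root"/*) ;;      # still inside the allowed tree
        *) return 1 ;;     # escaped via ../ or a symlink pointing outside
    esac
    [ -f "$resolved" ] || return 1
    # refuse anything a non-owner could have edited: wrong owner or
    # group/world-writable bits (find -user accepts a name or a uid)
    bad=$(find "$resolved" -prune \
            \( ! -user "$SCRIPT_OWNER" -o -perm -g+w -o -perm -o+w \) -print)
    [ -z "$bad" ] || return 1
    printf '%s\n' "$resolved"
}

# run_allowed_script NAME: validate, then hand the script to /bin/sh with
# no extra arguments (arguments would be a second way to smuggle input)
run_allowed_script() {
    script=$(resolve_allowed_script "$1") || {
        echo "run-common-script: '$1' is not an allowed script" >&2
        return 1
    }
    exec /bin/sh "$script"
}

# When invoked as the wrapper, act on the request; with no arguments the
# file only defines the functions above.
if [ $# -gt 0 ]; then
    run_allowed_script "$1"
fi
```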
From highc at stny.rr.com Tue May 4 17:44:16 2010
From: highc at stny.rr.com (highc at stny.rr.com)
Date: Tue, 04 May 2010 17:44:16 -0400
Subject: [sudo-users] Rating a Security alert - problem with negated entries.
Message-ID: <4BE09530.3030205@stny.rr.com>

Sudo team;

Please advise if I should post this concern to a different thread.

The company I work for takes the security alerts listed at http://www.sudo.ws/sudo/security.html very seriously, which is good. The unfortunate side effect is that any bug fix which is not listed there is deemed to be 'functional' only.

The bug:

    2009-11-23 10:56  millert
        * match.c: cmnd_matches() already deals with negation so
          _cmndlist_matches() does not need to do so itself.
          Fixes a bug with negated entries in a Cmnd_List.

which I believe was fixed in 1.7.2p2, is causing some potential security breaches in my environment, and I'm having a hard time getting the 'right' sort of attention. Would it be possible to have this item listed on the above web page as a security alert?

In general, we find folks can do some fairly 'awesome' things which the system administrators had previously locked down with some '!'ed sudoers entries.

Thanks for your consideration.

Chris

-- 
Support anti-Spam legislation. Join the fight http://www.cauce.org/


From mail2mallesh at gmail.com Mon May 3 09:13:10 2010
From: mail2mallesh at gmail.com (Malleswar)
Date: Mon, 3 May 2010 23:13:10 +1000
Subject: [sudo-users] Query on Host Alias

Hi Linux Gurus,

I have a very basic question: why do we need to configure a host alias in the sudoers file? My understanding is that sudo is not a centralised utility where we can configure privileges for all servers using one file from a single server; if you want to configure privileges using the sudo utility you need to configure them on that particular server for the users on that server.
If my understanding is correct, I really don't understand configuring a host alias in the sudoers file. Does a host alias work as an access control list, or am I thinking about this completely wrong?

Can anyone let me know why a host alias is used and what the purpose of using it in the sudoers file is?

Thanks in advance.
Mallesh.


From edesousa at bank-banque-canada.ca Tue May 4 10:24:19 2010
From: edesousa at bank-banque-canada.ca (Eurico de Sousa)
Date: Tue, 4 May 2010 10:24:19 -0400
Subject: [sudo-users] sudo comment?
Message-ID: <22D301D9B05B074F900C913A9550E935692BCF@EXMAIL1.bocad.bank-banque-canada.ca>

Hi.

Is there any way to have sudo prompt for a comment and have it logged before using it to become someone else?

    sudo -u other_user command

Some staff here need to become other users in order to troubleshoot their problems but there's some audit requirement to log a reason for doing so (the comment may have to include a ticket number, for example).

Thanks.


From dalan at visi.com Wed May 5 10:26:30 2010
From: dalan at visi.com (Don)
Date: Wed, 05 May 2010 09:26:30 -0500
Subject: [sudo-users] Query on Host Alias
Message-ID: <1273069590.3714.43.camel@dell.sparish.local>

Hello,

Not necessarily true. I have one file I modify and then I push that file to all the systems. In this case the Host Alias is very necessary to limit what an individual can do on a given system.

Don S.

On Mon, 2010-05-03 at 23:13 +1000, Malleswar wrote:
> [...]
> ____________________________________________________________
> sudo-users mailing list
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users


From Eric.Ladner at chevron.com Wed May 5 10:05:19 2010
From: Eric.Ladner at chevron.com (Ladner, Eric (Eric.Ladner))
Date: Wed, 5 May 2010 07:05:19 -0700
Subject: [sudo-users] Query on Host Alias
Message-ID: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>

It doesn't have central management, but you can create a single sudoers file that you can run on multiple computers. It makes it easier from an auditing point of view and you only have one sudoers file to maintain instead of 20 different ones.

You've got to sync them between computers yourself, but managing only one file simplifies things.

Eric Ladner
Systems Analyst
eric.ladner at chevron.com

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Malleswar
Sent: Monday, May 03, 2010 8:13 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Query on Host Alias

[...]
From edesousa at bank-banque-canada.ca Wed May 5 10:11:08 2010
From: edesousa at bank-banque-canada.ca (Eurico de Sousa)
Date: Wed, 5 May 2010 10:11:08 -0400
Subject: [sudo-users] Query on Host Alias
Message-ID: <22D301D9B05B074F900C913A9550E93594E048@EXMAIL1.bocad.bank-banque-canada.ca>

I've often wondered that as well. Perhaps there's another reason for it, but I define one sudoers file centrally on one machine and define all rules for all hosts. Then I propagate the single sudoers to all the hosts. I find it simpler than maintaining several sudoers files and having to consider which sudoers file should be propagated to which host.

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Malleswar
Sent: May 3, 2010 9:13 AM
To: sudo-users at sudo.ws
Subject: [sudo-users] Query on Host Alias

[...]
From Todd.Miller at courtesan.com Wed May 5 13:55:27 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 05 May 2010 13:55:27 -0400
Subject: [sudo-users] sudo comment?
In-Reply-To: Your message of "Tue, 04 May 2010 10:24:19 EDT." <22D301D9B05B074F900C913A9550E935692BCF@EXMAIL1.bocad.bank-banque-canada.ca>
References: <22D301D9B05B074F900C913A9550E935692BCF@EXMAIL1.bocad.bank-banque-canada.ca>
Message-ID: <201005051755.o45HtRjJ030579@core.courtesan.com>

In message <22D301D9B05B074F900C913A9550E935692BCF at EXMAIL1.bocad.bank-banque-canada.ca> so spake "Eurico de Sousa" (edesousa):

> Is there any way to have sudo prompt for a comment and have it logged
> before using it to become someone else?
>
> sudo -u other_user command
>
> Some staff here need to become other users in order to troubleshoot
> their problems but there's some audit requirement to log a reason for
> doing so (the comment may have to include a ticket number, for example).

Sorry, there is not presently a way to do this.

 - todd


From jeff at sdsc.edu Wed May 5 14:06:45 2010
From: jeff at sdsc.edu (Jeff Makey)
Date: Wed, 5 May 2010 11:06:45 -0700
Subject: [sudo-users] sudo comment?
In-Reply-To: <22D301D9B05B074F900C913A9550E935692BCF@EXMAIL1.bocad.bank-banque-canada.ca>
Message-ID: <201005051806.o45I6jbh024589@darwin.sdsc.edu>

Something like this will log arbitrary messages from cooperative users of sudo:

    % sudo echo removing files per ticket 3
    % sudo rm -rf *

                                :: Jeff Makey
                                   jeff at sdsc.edu


From highc at stny.rr.com Wed May 5 17:16:54 2010
From: highc at stny.rr.com (highc at stny.rr.com)
Date: Wed, 05 May 2010 17:16:54 -0400
Subject: [sudo-users] Rating a Security alert - problem with negated entries.
Message-ID: <4BE1E046.8010907@stny.rr.com>

-todd

I will say I wasn't aware of the part where the 'double' negation was needed to trigger the bug; however, I suspect that since most of the files our SA's create have some ! applied against ALL entries, that might be enough to trigger it and I simply never noticed.

Besides that (which is probably technically correct, I just can't easily verify it), that looks like a great description.

Truly appreciated all you and your team does on this project.

Thanks,
Chris.
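An added audit helper for the issue Chris raises (not code from the thread or from the sudo project): it lists sudoers rules whose command list contains negated '!' entries, the construct named in the ChangeLog entry quoted above, and compares a sudo version string against 1.7.2p2, the fix release given in the thread. The function names and the sample sudoers lines in the test are constructed here; a version below 1.7.2p2 is reported as "check against the sudo ChangeLog", since the thread does not say which earlier releases carry the bug.

```shell
#!/bin/sh
# Audit for sudoers rules that depend on negated Cmnd_List entries.
# Added example, not from the thread or the sudo project; the function
# names are chosen here.

# version_key VERSION: print "major minor patch plevel" as four numbers,
# e.g. "1.7.2p2" -> "1 7 2 2" and "1.7.3" -> "1 7 3 0"
version_key() {
    v=$1
    p=0
    case $v in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $v
    IFS=$oldifs
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
}

# version_before A B: succeed when version A sorts before version B
version_before() {
    set -- $(version_key "$1") $(version_key "$2")
    i=0
    while [ $i -lt 4 ]; do
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
        i=$((i + 1))
    done
    return 1            # equal
}

# sudo_predates_fix VERSION: true when VERSION is older than 1.7.2p2,
# the release the thread names for the fix. Older builds should be
# checked against the sudo ChangeLog rather than assumed vulnerable.
sudo_predates_fix() {
    version_before "$1" 1.7.2p2
}

# negated_cmnd_lists SUDOERS_FILE: print every Cmnd_Alias definition and
# every user specification whose command list contains a "!" entry
# (backslash-continued lines are joined first). Returns 1 when none found.
# Runas lists such as (ALL, !root), User/Host/Runas aliases and Defaults
# flags like !lecture are skipped: there "!" is not a command negation.
negated_cmnd_lists() {
    out=$(awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        {
            line = buf $0; buf = ""
            if (line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/) next
            if (line ~ /^[[:space:]]*Defaults/) next
            if (line ~ /^[[:space:]]*(User|Host|Runas)_Alias/) next
            if (line !~ /=/) next
            list = line
            sub(/^[^=]*=/, "", list)                      # right-hand side only
            if (line !~ /^[[:space:]]*Cmnd_Alias/)
                sub(/^[[:space:]]*\([^)]*\)/, "", list)   # drop the (runas) part
            if (list ~ /(^|[,[:space:]])![[:space:]]*[^[:space:],]/) print line
        }' "$1")
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}
```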
From maniac.nl at gmail.com Wed May 5 18:08:12 2010
From: maniac.nl at gmail.com (Mark Janssen)
Date: Thu, 6 May 2010 00:08:12 +0200
Subject: [sudo-users] Query on Host Alias
In-Reply-To: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>
References: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>

On Wed, May 5, 2010 at 4:05 PM, Ladner, Eric (Eric.Ladner) wrote:
> It doesn't have central management, but you can create a single sudoers
> file that you can run on multiple computers. It makes it easier from an
> auditing point of view and you only have one sudoers file to maintain
> instead of 20 different ones.
>
> You've got to sync them between computers yourself, but managing only
> one file simplifies things.

These days sudo does have a centralized form of configuration... LDAP.

But still. It's handy to have 1 config for multiple systems, even if you have to manually distribute it.

-- 
Mark Janssen -- maniac(at)maniac.nl -- pgp: 0x357D2178
Unix / Linux Open-Source and Internet Consultant @ Snow.nl
Maniac.nl MarkJanssen.nl NerdNet.nl Unix.nl
Skype: markmjanssen ICQ: 129696007 irc: FooBar on undernet


From mail2mallesh at gmail.com Thu May 6 00:36:17 2010
From: mail2mallesh at gmail.com (Malleswar)
Date: Thu, 6 May 2010 14:36:17 +1000
Subject: [sudo-users] Query on Host Alias
In-Reply-To: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>
References: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>

Thanks guys, I understand this now: we can have a single file and push it to all systems. This step is not explained in any of the articles found on Google...

Thanks once again.
Malleswar.

On Thu, May 6, 2010 at 12:05 AM, Ladner, Eric (Eric.Ladner) <Eric.Ladner at chevron.com> wrote:
> [...]

-- 
Thanks & Regards,
Malleswar.


From Todd.Miller at courtesan.com Thu May 6 10:38:05 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 06 May 2010 10:38:05 -0400
Subject: [sudo-users] Rating a Security alert - problem with negated entries.
In-Reply-To: Your message of "Wed, 05 May 2010 17:16:54 EDT." <4BE1E046.8010907@stny.rr.com>
References: <4BE1E046.8010907@stny.rr.com>
Message-ID: <201005061438.o46Ec5n8023102@core.courtesan.com>

In message <4BE1E046.8010907 at stny.rr.com> so spake (highc):

> I will say I wasn't aware of the part where the 'double' negation was
> needed to trigger the bug; however, I suspect that since most of the
> files our SA's create have some ! applied against ALL entries, that
> might be enough to trigger it and I simply never noticed.

The double negation is not in the sudoers file itself; the code was basically applying the '!' twice in this case, which is why the command was allowed.

 - todd


From Eric.Ladner at chevron.com Thu May 6 11:51:22 2010
From: Eric.Ladner at chevron.com (Ladner, Eric (Eric.Ladner))
Date: Thu, 6 May 2010 08:51:22 -0700
Subject: [sudo-users] Query on Host Alias
References: <68BDC782617D7B4B8DAC9030A7EDDC6A0141177A@CHVPKNTXC4M.chvpk.chevrontexaco.net>
Message-ID: <68BDC782617D7B4B8DAC9030A7EDDC6A01411955@CHVPKNTXC4M.chvpk.chevrontexaco.net>

True. LDAP is definitely the way to go if you've got that capability. We use Active Directory that's controlled quite tightly at the corporate level, though, and they don't like the UNIX guys making changes to their schema and adding stuff willy-nilly. :(

Eric Ladner
Systems Analyst
eric.ladner at chevron.com

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Mark Janssen
Sent: Wednesday, May 05, 2010 5:08 PM
To: Malleswar
Cc: sudo-users at sudo.ws
Subject: Re: [sudo-users] Query on Host Alias

[...]


From michael at potter.name Fri May 14 21:32:24 2010
From: michael at potter.name (Michael Potter)
Date: Fri, 14 May 2010 21:32:24 -0400
Subject: [sudo-users] use of sudo with -g option

Sudo Crew,

I am trying to understand how the -g option works. Here are some of my tests:

    pottmi:~ pottmi$ id
    uid=501(pottmi) gid=501(pottmi) groups=501(pottmi),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),402(com.apple.access_screensharing)
    pottmi:~ pottmi$ sudo -u root -g everyone id
    Password:
    Sorry, user pottmi is not allowed to execute '/usr/bin/id' as root:everyone on pottmi.local.

So, I add this rule:

    pottmi ALL=(root:everyone) /usr/bin/id

And try again:

    pottmi:~ pottmi$ sudo -u root -g everyone id
    uid=0(root) gid=0(wheel) groups=0(wheel),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),80(admin),61(localaccounts),29(certusers),20(staff),12(everyone),9(procmod),8(procview),5(operator),4(tty),3(sys),2(kmem),1(daemon),402(com.apple.access_screensharing)

    pottmi:~ pottmi$ sudo -V
    Sudo version 1.7.0

So, here are my questions:

1) Where is it documented to specify a group in the runas user specification?
I did not find it anywhere in the doc, I just guessed.

2) Why doesn't the id command report gid=12? [12 is everyone's group id]

-- 
Michael Potter


From michael at potter.name Fri May 14 22:19:29 2010
From: michael at potter.name (Michael Potter)
Date: Fri, 14 May 2010 22:19:29 -0400
Subject: [sudo-users] use of sudo with -g option

On Fri, May 14, 2010 at 9:32 PM, Michael Potter wrote:
> [...]
>
> 2) Why doesn't the id command report gid=12? [12 is everyone's group id]

Regarding #2:

I wrote a small C program to dump uid and gid. The C program outputs gid = 12. That got me reading the id man page. The net result of my research is I have to run id like this:

    pottmi:dumppriv pottmi$ sudo -u pottmi -g everyone id -gr
    12

I am on a Mac.

I would still like an answer on question #1.
From eric.freeman at tbwachiat.com Mon May 17 10:35:49 2010
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Mon, 17 May 2010 10:35:49 -0400
Subject: [sudo-users] SUDO SSL LDAP error

I am running RHEL 5.5. I have LDAP authentication working. I am able to ssh into the server with my LDAP credentials. Our LDAP server is set up correctly because we have other systems using SUDO and LDAP working.

When I turn off ssl I am able to use sudo to authenticate to LDAP and have it work.

Please let me know if you need more information.

However, when I try to run sudo commands using SSL I get the error.

    LDAP Config Summary
    ===================
    uri              ldap://xxxxx
    ldap_version     3
    sudoers_base     ou=xxxxxx
    binddn           cn=xxxxxx
    bindpw           xxxxxx
    timelimit        10
    ssl              start_tls
    ===================
    sudo: ldap_initialize(ld, ldap://xxxxxxx)
    sudo: ldap_set_option: debug -> 0
    sudo: ldap_set_option: ldap_version -> 3
    sudo: ldap_set_option: timelimit -> 10
    sudo: ldap_start_tls_s(): Connect error

    more /etc/openldap/ldap.conf
    BASE o=nam
    TLS_REQCERT never
    TLS_CACERTDIR /etc/openldap/cacerts

    URI ldap://xxxx

    more /etc/nsswitch.conf
    sudoers: ldap files

    more /etc/ldap.conf


From mwlucas at blackhelicopters.org Mon May 17 10:40:01 2010
From: mwlucas at blackhelicopters.org (Michael W. Lucas)
Date: Mon, 17 May 2010 10:40:01 -0400
Subject: [sudo-users] SUDO SSL LDAP error
Message-ID: <20100517144001.GA64066@bewilderbeast.blackhelicopters.org>

Does ldapsearch (or other LDAP query programs) work with SSL on?

When I have this problem, I usually find it's an LDAP config error, not a sudo config error.

==ml

On Mon, May 17, 2010 at 10:35:49AM -0400, Eric Freeman wrote:
> [...]
--
Michael W. Lucas	mwlucas at BlackHelicopters.org
http://www.MichaelWLucas.com/
New book: Network Flow Analysis
pre-order now! http://www.networkflowanalysis.com/

From eric.freeman at tbwachiat.com Mon May 17 14:37:04 2010
From: eric.freeman at tbwachiat.com (Eric Freeman)
Date: Mon, 17 May 2010 14:37:04 -0400
Subject: [sudo-users] SUDO SSL LDAP error
In-Reply-To: <20100517144001.GA64066@bewilderbeast.blackhelicopters.org>
References: <20100517144001.GA64066@bewilderbeast.blackhelicopters.org>

Thank you. I found my issue. I needed to add tls_checkpeer no in /etc/ldap.conf

On Mon, May 17, 2010 at 10:40 AM, Michael W. Lucas <mwlucas at blackhelicopters.org> wrote:
> Does ldapsearch (or other LDAP query programs) work with SSL on?
>
> When I have this problem, I usually find it's an LDAP config error,
> not a sudo config error.
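The settings that made this client work, tls_checkpeer no in /etc/ldap.conf next to TLS_REQCERT never in /etc/openldap/ldap.conf, switch off verification of the LDAP server's certificate: the session is still encrypted, but the client no longer checks which server it is talking to, so anyone able to intercept the connection can present their own certificate, receive the bind password and answer the sudoers queries. The Python below is an added example, not sudo's code and not from anyone in this thread. It parses the "key value" layout of ldap.conf (keys are case-insensitive, which is why TLS_CHECKPEER and tls_checkpeer both appear on this page) and flags the settings that leave the connection unencrypted or unauthenticated. The host, DNs and password in the constructed samples are placeholders, and a missing key is treated as if the library default (verify, TLS_REQCERT demand) applied.

```python
"""Audit the TLS-related settings in a sudo/nss_ldap style ldap.conf.

Added example, not sudo's code. It reads the "key value" layout of
/etc/ldap.conf (keys are case-insensitive) and reports settings under
which the LDAP session is either unencrypted or encrypted but not
authenticated, i.e. the client never checks the server's certificate.
"""
from __future__ import annotations

# Constructed sample modelled on the ldap.conf shown in the thread;
# host, DNs and password are placeholders.
WEAK_LDAP_CONF = """\
uri ldap://ldap.example.internal
ssl start_tls
tls_checkpeer no
sudoers_base ou=SUDOers,dc=example,dc=internal
binddn cn=sudo-reader,dc=example,dc=internal
bindpw placeholder-secret
timelimit 30
TLS_REQCERT never
sudoers_debug 2
"""

# The same site with verification turned back on (also constructed).
HARDENED_LDAP_CONF = """\
uri ldap://ldap.example.internal
ssl start_tls
tls_checkpeer yes
TLS_REQCERT demand
tls_cacertfile /etc/openldap/cacerts/internal-ca.pem
sudoers_base ou=SUDOers,dc=example,dc=internal
binddn cn=sudo-reader,dc=example,dc=internal
bindpw placeholder-secret
"""


def parse_ldap_conf(text: str) -> dict[str, str]:
    """Map lower-cased keys to values; a repeated key keeps its last value."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_ldap_conf(text: str) -> list[str]:
    """Return finding codes, in a fixed order, for the weak settings present."""
    cfg = parse_ldap_conf(text)
    findings: list[str] = []
    ssl_mode = cfg.get("ssl", "off").lower()
    encrypted = (ssl_mode in ("on", "yes", "true", "start_tls")
                 or cfg.get("uri", "").lower().startswith("ldaps://"))

    if not encrypted:
        # A simple bind over plain ldap:// sends the bind password in the clear.
        findings.append("PLAINTEXT_LDAP")
        if "bindpw" in cfg:
            findings.append("BINDPW_IN_CLEAR")
        return findings

    # Either knob alone disables server authentication; absent keys are
    # assumed to leave the library default (verify) in force.
    checkpeer = cfg.get("tls_checkpeer", "yes").lower()
    reqcert = cfg.get("tls_reqcert", "demand").lower()
    if checkpeer in ("no", "off", "false", "0") or reqcert in ("never", "allow"):
        findings.append("TLS_NO_PEER_VERIFICATION")
    # Verification needs a trust anchor; without one it cannot succeed.
    if not any(k in cfg for k in ("tls_cacertfile", "tls_cacertdir", "tls_cacert")):
        findings.append("TLS_NO_CA_CONFIGURED")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_ldap_conf(conf) or ["OK"])
```

Run against the weak sample it reports both the disabled peer check and the missing trust anchor; the hardened sample reports nothing. Fixing the "Connect error" in this thread by installing the CA certificate (TLS_CACERTDIR or tls_cacertfile pointing at it) keeps verification on, whereas tls_checkpeer no only silences it.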
From richard at vdberg.org Wed May 19 01:54:24 2010
From: richard at vdberg.org (Richard van den Berg)
Date: Wed, 19 May 2010 07:54:24 +0200
Subject: [sudo-users] noexec on Solaris 10 with mixed 32 bit and 64 bit binaries

We are running Solaris 10 with sudo compiled in 32 bit.

$ file /usr/local/libexec/sudo_noexec.so
/usr/local/libexec/sudo_noexec.so: ELF 32-bit MSB dynamic lib SPARC Version 1, dynamically linked, not stripped, no debugging information available
$ file /opt/mqm/bin/mqver
/opt/mqm/bin/mqver: ELF 64-bit MSB executable SPARCV9 Version 1, dynamically linked, not stripped

This results in the following error when a sudo with the noexec option is used:

ld.so.1: mqver: fatal: /usr/local/libexec/sudo_noexec.so: wrong ELF class: ELFCLASS32
Killed

I guess building sudo_noexec.so in 64 bit would work, but would give similar issues for 32 bit commands (i.e. all the binaries in /usr/bin). Is there a solution for this?

Regards,

Richard

From richard at vdberg.org Wed May 19 09:12:10 2010
From: richard at vdberg.org (Richard van den Berg)
Date: Wed, 19 May 2010 15:12:10 +0200
Subject: [sudo-users] noexec on Solaris 10 with mixed 32 bit and 64 bit binaries
In-Reply-To: <63F73C973E3E4547979026ECC295EF5C026FC87E@rchemxp01.fnc.net.local>
References: <63F73C973E3E4547979026ECC295EF5C026FC87E@rchemxp01.fnc.net.local>

On Wed, 19 May 2010 07:54:34 -0500, "Stier, Matthew" wrote:
> Read the ld.so.1 manpage. It covers runtime linking, which is what you
> are discussing here.
>
> The runtime linker (/lib/ld.so.1) expects the 32 bit library in the
> specified directory (ie: /usr/local/libexec) and the 64 bit library in a
> subdirectory of the specified directory named '64' (ie:
> /usr/local/libexec/64)

Thanks for your suggestion. I don't think this works with LD_PRELOAD. Sudo sets LD_PRELOAD to /usr/local/libexec/sudo_noexec.so which is the full path including the shared library. I don't think the dynamic linker will magically change this to /usr/local/libexec/64/sudo_noexec.so for 64 bit linking.

Regards,

Richard

From richard at vdberg.org Wed May 19 09:32:07 2010
From: richard at vdberg.org (Richard van den Berg)
Date: Wed, 19 May 2010 15:32:07 +0200
Subject: [sudo-users] noexec on Solaris 10 with mixed 32 bit and 64 bit binaries
References: <63F73C973E3E4547979026ECC295EF5C026FC87E@rchemxp01.fnc.net.local>

After some digging I found that LD_PRELOAD_32 and LD_PRELOAD_64 should be used instead of LD_PRELOAD in the case both 32 and 64 bit executables are present.

IMHO sudo should support this. I can probably write a patch for env.c myself, but I'll need some help getting the autoconf scripts to compile both 32 and 64 bit versions of sudo_noexec.so on 64 bit capable systems.

Regards,

Richard

From Todd.Miller at courtesan.com Wed May 19 10:19:46 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Wed, 19 May 2010 10:19:46 -0400
Subject: [sudo-users] noexec on Solaris 10 with mixed 32 bit and 64 bit binaries
In-Reply-To: Your message of "Wed, 19 May 2010 15:32:07 +0200."
References: <63F73C973E3E4547979026ECC295EF5C026FC87E@rchemxp01.fnc.net.local>
Message-ID: <201005191419.o4JEJkBg000795@core.courtesan.com>

In message so spake Richard van den Berg (richard):
> After some digging I found that LD_PRELOAD_32 and LD_PRELOAD_64 should be
> used instead of LD_PRELOAD in the case both 32 and 64 bit executables are
> present.
>
> IMHO sudo should support this. I can probably write a patch for env.c
> myself, but I'll need some help getting the autoconf scripts to compile
> both 32 and 64 bit versions of sudo_noexec.so on 64 bit capable systems.

The tricky part is getting libtool to build the 32 and 64 bit versions of sudo_noexec.so. I never found a way to get it to do that but perhaps newer versions of libtool are more capable.

- todd

From Todd.Miller at courtesan.com Thu May 20 09:53:05 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 20 May 2010 09:53:05 -0400
Subject: [sudo-users] use of sudo with -g option
In-Reply-To: Your message of "Fri, 14 May 2010 21:32:24 EDT."
Message-ID: <201005201353.o4KDr5b7028239@core.courtesan.com>

There were bugs in the -g support in sudo 1.7.0 that have since been fixed. Specifically, sudo 1.7.0 would set the real gid to the value specified via -g but not the effective gid.

As for documentation, see the Runas_Spec section of the sudoers manual. Here's the relevant portion:

    A Runas_Spec determines the user and/or the group that a command
    may be run as. A fully-specified Runas_Spec consists of two
    Runas_Lists (as defined above) separated by a colon (':') and
    enclosed in a set of parentheses. The first Runas_List indicates
    which users the command may be run as via sudo's -u option. The
    second defines a list of groups that can be specified via sudo's
    -g option. If both Runas_Lists are specified, the command may be
    run with any combination of users and groups listed in their
    respective Runas_Lists. If only the first is specified, the command
    may be run as any user in the list but no -g option may be
    specified. If the first Runas_List is empty but the second is
    specified, the command may be run as the invoking user with the
    group set to any listed in the Runas_List. If no Runas_Spec is
    specified the command may be run as root and no group may be
    specified.

- todd
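The four cases in the manual excerpt above, as an added example (not sudo's code): a small evaluator that parses a Runas_Spec string and decides whether a given -u/-g request is permitted by it. It handles literal user and group names and the ALL keyword only; aliases, netgroups, %group and #uid forms are out of scope. Target-user resolution follows sudo's documented behaviour: -u names the user, -g on its own keeps the invoking user, and neither means root.

```python
"""Decide whether a sudoers Runas_Spec permits a given -u/-g request.

Added example, not sudo's code. It implements the four cases spelled out
in the Runas_Spec paragraph of the sudoers manual for literal user and
group names plus the ALL keyword; aliases, netgroups, %group and #uid
forms are not handled.
"""
from __future__ import annotations


def parse_runas_spec(spec: str | None) -> tuple[list[str] | None, list[str] | None]:
    """'(alice, bob : wheel)' -> (['alice', 'bob'], ['wheel']).

    No spec at all -> (None, None). A spec without ':' -> (users, None),
    and '(: wheel)' -> ([], ['wheel']), matching the manual's cases.
    """
    if spec is None:
        return None, None
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("a Runas_Spec is enclosed in parentheses")
    body = body[1:-1]
    groups: list[str] | None
    if ":" in body:
        user_part, group_part = body.split(":", 1)
        groups = [g.strip() for g in group_part.split(",") if g.strip()]
    else:
        user_part, groups = body, None
    users = [u.strip() for u in user_part.split(",") if u.strip()]
    return users, groups


def _listed(name: str, runas_list: list[str]) -> bool:
    """ALL in a Runas_List matches every name."""
    return "ALL" in runas_list or name in runas_list


def runas_allowed(spec: str | None, invoking_user: str,
                  u: str | None = None, g: str | None = None) -> bool:
    """True if `sudo [-u u] [-g g]` is permitted by the rule's Runas_Spec."""
    users, groups = parse_runas_spec(spec)

    # Resolve the target user the way sudo does.
    if u is not None:
        target_user = u
    elif g is not None:
        target_user = invoking_user      # -g alone keeps the invoking user
    else:
        target_user = "root"

    if users is None:                    # no Runas_Spec: root only, no -g
        return target_user == "root" and g is None
    if users and groups is not None:     # (users : groups)
        return _listed(target_user, users) and (g is None or _listed(g, groups))
    if users:                            # (users): no -g permitted
        return _listed(target_user, users) and g is None
    if groups:                           # (: groups): invoking user with a listed group
        return g is not None and _listed(g, groups) and target_user == invoking_user
    return False                         # '()' lists nothing


if __name__ == "__main__":
    for spec, u, g in ((None, None, None), ("(alice : wheel)", "alice", "wheel"),
                       ("(alice)", "alice", "wheel"), ("(: wheel)", None, "wheel")):
        print(f"{spec!r:22} -u {u!r:8} -g {g!r:8} -> {runas_allowed(spec, 'carol', u, g)}")
```

The evaluator only answers the Runas part of a match; a real sudoers rule also has to match the invoking user, the host and the command before the Runas_Spec is consulted.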
From TFicarra at BNCOLLEGE.com Thu May 20 17:13:32 2010
From: TFicarra at BNCOLLEGE.com (TFicarra at BNCOLLEGE.com)
Date: Thu, 20 May 2010 17:13:32 -0400
Subject: [sudo-users] Current administration requires that a unique instance of the package be created.

Installed Sudo x86 version on Sunfire T2000 /64-bit amd64 kernel modules with the following packages, receive the following when running a pkgadd on

-rw-r--r-- 1 root root 1862656 Jan  7 21:38 libgcc-3.4.6-sol10-x86-local
-rw-r--r-- 1 root root 2295296 Jan  7 21:38 libiconv-1.11-sol10-x86-local
-rw-r--r-- 1 root root  327168 Jan  7 21:41 libintl-3.4.0-sol10-x86-local

# pkgadd -d libgcc-3.4.6-sol10-x86-local

The following packages are available:
  1  SMClgcc346     libgcc
                    (x86) 3.4.6

Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: all

Processing package instance from
libgcc(x86) 3.4.6

Current administration requires that a unique instance of the package be created. However, the maximum number of instances of the package which may be supported at one time on the same system has already been met.

No changes were made to the system.

Also when I try to visudo I receive an error, wrong ELF data format. Please advise.

# ./visudo
ld.so.1: visudo: fatal: /usr/local/lib/libintl.so.8: wrong ELF data format: ELFDATA2MSB
Killed

-rw-r--r-- 1 root root 1130496 Jan  7 21:33 sudo-1.7.2p1-sol10-x86-local
-rw-r--r-- 1 root root 1862656 Jan  7 21:38 libgcc-3.4.6-sol10-x86-local
-rw-r--r-- 1 root root 2295296 Jan  7 21:38 libiconv-1.11-sol10-x86-local
-rw-r--r-- 1 root root  327168 Jan  7 21:41 libintl-3.4.0-sol10-x86-local

_________________________________
Thanks.
Tom I

______________________________________________________________________
This message and any files transmitted with it may contain confidential or privileged information. It is solely for use by the individual for whom it is intended, even if addressed incorrectly. If you received this e-mail in error, please notify the sender; and do not disclose, copy or distribute it. Delete this message and any attachments from your system.
______________________________________________________________________

From jr.aquino at citrixonline.com Tue May 25 17:07:12 2010
From: jr.aquino at citrixonline.com (Jr Aquino)
Date: Tue, 25 May 2010 14:07:12 -0700
Subject: [sudo-users] sudo + ldap - nisNetgroupTriple
Message-ID: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com>

I am writing the mailing list in hopes that someone has information regarding the use of sudo for 'hostgroups' without having to use the nisNetgroupTriple attributes.

I would like to be able to utilize sudo with ldap entries that sanely list the hostnames under a 'host:' attribute ideally.

I've spoken to several of the nss_ldap developers and they have strongly cautioned me against leveraging nisNetgroup's for storing my hosts because of various rfc schema enforcements present in various ldap server implementations. (Not being able to modify/add/remove a nisNetgroupTriple without fully removing and re-adding all nisNetgroupTriple's from an object being one of the major disadvantages...)

Can anyone on the sudo list answer this question? I'd like to know if I would have to go down the path of modifying the sudo source in order for sudo to support a more general sense of hostgroup similar to its support of 'usergroups' not requiring the nis components.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Jr Aquino | Information Security Specialist
Citrix Online Division
Citrix Systems, Inc.
7408 Hollister Avenue
Goleta, CA 93117 USA
www.citrixonline.com
Desk: 805-690-3478
Email: jr.aquino at citrixonline.com
www.gotomypc.com | Access Your PC from Anywhere
www.gotomeeting.com | Online Meetings Made Easy
www.gotoassist.com | Remote Support Made Easy

From JR.Aquino at citrixonline.com Tue May 25 17:58:14 2010
From: JR.Aquino at citrixonline.com (Jr Aquino)
Date: Tue, 25 May 2010 14:58:14 -0700
Subject: [sudo-users] sudo + ldap - nisNetgroupTriple
In-Reply-To: <4BFC450A.7060807@mayo.edu>
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com> <4BFC450A.7060807@mayo.edu>

You end up needing to delete all the values of that attribute and add the new set because in the absence of a matching rule there is no way to perform a "delete" on a single value; see RFC2251:

    4.6. Modify Operation
    ...
    If an equality match filter has not been defined for an attribute
    type, clients MUST NOT attempt to delete individual values of that
    attribute from an entry using the "delete" form of a modification,
    and MUST instead use the "replace" form.
    ...

OpenLDAP's slapd enforces analogous limitations on add because in absence of an equality rule there's no way to determine whether a new value is duplicate or not.

On May 25, 2010, at 2:45 PM, Patrick Spinler wrote:
> For what it's worth, I got no clue what they're talking about, unless
> it's some weird ldap server specific thing.
>
> I've used nisNetGroup style hostgroups & sudo successfully with both
> openldap and sun dsee ldap server without issue, including liberally
> adding modifying and removing nisnetgrouptriples containing host (and
> user) attributes.
>
> -- Pat

From spinler.patrick at mayo.edu Tue May 25 17:45:46 2010
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Tue, 25 May 2010 16:45:46 -0500
Subject: [sudo-users] sudo + ldap - nisNetgroupTriple
In-Reply-To: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com>
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com>
Message-ID: <4BFC450A.7060807@mayo.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jr Aquino wrote:
> I've spoken to several of the nss_ldap developers and they have
> strongly cautioned me against leveraging nisNetgroup's for storing my
> hosts because of various rfc schema enforcements present in various
> ldap server implementations. (Not being able to modify/add/remove a
> nisNetgroupTriple without fully removing and re-adding all
> nisNetgroupTriple's from an object being one of the major
> disadvantages...)

For what it's worth, I got no clue what they're talking about, unless it's some weird ldap server specific thing.

I've used nisNetGroup style hostgroups & sudo successfully with both openldap and sun dsee ldap server without issue, including liberally adding, modifying and removing nisnetgrouptriples containing host (and user) attributes.

- -- Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv8RQoACgkQNObCqA8uBswowACfaLmB8KpDZ5VtO6SJP3l/iQZc
wPMAnjTqS5HcQsKaV0wWiYV3/juuGTo3
=ssaq
-----END PGP SIGNATURE-----

From spinler.patrick at mayo.edu Tue May 25 22:48:21 2010
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Tue, 25 May 2010 21:48:21 -0500
Subject: [sudo-users] sudo + ldap - nisNetgroupTriple
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com> <4BFC450A.7060807@mayo.edu>
Message-ID: <4BFC8BF5.8060504@mayo.edu>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just now checked my Sun DSEE LDAP (which is our current production system) and a nisNetgroupTriple is defined as an object type oid 1.3.6.1.4.1.1466.115.121.1.26, which is an IA5String.

As far as I know, IA5String has equality matching, so this shouldn't be an issue. Of course, your mileage may vary, depending on what your server does.

However, even if your server does something weird, so what? Override the definition of nisNetgroupTriple and give it a more sane object type. Doing user defined schema is actually quite easy in most LDAP servers I'm aware of.

- -- Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkv8i/UACgkQNObCqA8uBsx1nQCfXHvUwN9kM4z94JI/eNpA+Akw
8IsAn1+MQwOeF2PcsCCdEjWxg0z5IfPl
=8nUI
-----END PGP SIGNATURE-----

From JR.Aquino at citrixonline.com Wed May 26 10:16:08 2010
From: JR.Aquino at citrixonline.com (Jr Aquino)
Date: Wed, 26 May 2010 07:16:08 -0700
Subject: [sudo-users] sudo + ldap - nisNetgroupTriple
In-Reply-To: <4BFC8BF5.8060504@mayo.edu>
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com> <4BFC450A.7060807@mayo.edu> <4BFC8BF5.8060504@mayo.edu>

I guess I should have been more clear to start.

I have written a method of role based authorization control for pam and am working with the pam_ldap groups to have it committed into their main branch. As such, I'd like to have a list of hosts that both sudo and pam_ldap can look to without having to duplicate the same data in 2 different formats.

Symas and PADL have expressed a desire not to perpetuate the use of NIS in favor of a more pure ldap object for strict RFC reasons.

Either way, I am indifferent so long as both sudo and pam_ldap can play nice together without the duplication of data. So that either means pam_ldap must be able to utilize nisNetgroup's or that sudo must be able to use a groupOfNames type object.

I was hoping that sudo already supported an alternative to nis out of the box. It sounds like the answer is no.

-Jr

On May 25, 2010, at 7:48 PM, Patrick Spinler wrote:
> However, even if your server does something weird, so what? Override
> the definition of nisNetgroupTriple and give it a more sane object
> type. Doing user defined schema is actually quite easy in most LDAP
> servers I'm aware of.

From spinler.patrick at mayo.edu Wed May 26 10:51:36 2010
From: spinler.patrick at mayo.edu (Patrick Spinler)
Date: Wed, 26 May 2010 09:51:36 -0500
Subject: [sudo-users] Offtopic: Re: sudo + ldap - nisNetgroupTriple
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com> <4BFC450A.7060807@mayo.edu> <4BFC8BF5.8060504@mayo.edu>
Message-ID: <4BFD3578.8030307@mayo.edu>

On 05/26/2010 09:16 AM, Jr Aquino wrote:
> As such, I'd like to have a list of hosts that both sudo and pam_ldap
> can look to without having to duplicate the same data in 2 different
> formats.

Here's where I'd urge you to give careful consideration to your approach. You're talking about using the same object type for semantically different purposes, and in fact to contain different objects.

*) A group of hosts for use in sudo rules
*) A group of users for use in sudo rules
*) A group of users to provision to a host

In fact, these are all different, and *should* be represented differently in your repository. We do something like this:

auth_ - a list of people provisioned to a host
sudo_ - a list of people granted a specific sudo command
hgrp_ - a list of hosts

Even in the first two instances, provisioning v. sudo, I *want* to keep these separate. For example, when an intern joins our unix team for a summer assignment, I probably want to allow that intern to log into our machines so she can e.g.
gather configuration info, but I probably don't want to grant that intern the full sudo rights I give normal unix admins.

-- Pat

From JR.Aquino at citrixonline.com Wed May 26 11:28:16 2010
From: JR.Aquino at citrixonline.com (Jr Aquino)
Date: Wed, 26 May 2010 08:28:16 -0700
Subject: [sudo-users] Offtopic: Re: sudo + ldap - nisNetgroupTriple
In-Reply-To: <4BFD3578.8030307@mayo.edu>
References: <90176B60-A592-4FF2-8BA7-7C5B74B41415@citrixonline.com> <4BFC450A.7060807@mayo.edu> <4BFC8BF5.8060504@mayo.edu> <4BFD3578.8030307@mayo.edu>
Message-ID: <06465F3D-EEF9-4B44-BBE5-43B828806547@citrixonline.com>

Right, that's why I said role based access.

The sudo role can contain:

sudorole:
  sudoUser: %someusergroup
  userGroup: someusergroup
  sudoHost: +somehostgroup
  hostGroup: somehostgroup
  hostGroup: nosudohostgroup
  sudoCommand: ALL

someusergroup:
  memberUid: username

somehostgroup:
  host: hosta
  host: hostb
  host: hostc

nosudohostgroup:
  host: hostd
  host: hoste
  host: hostf

I am not suggesting that the hostgroups or usergroups as they are represented in the role should double as both login and escalation rights. I define those separately with sudoHost vs hostGroup and sudoUser vs userGroup.

However I DO want to utilize the same sets of hostgroups / usergroups as they are static containers that define groups of hosts or users.

In this demonstration, username has login and sudo access to hosta, hostb, hostc, but it _only_ has login access to hostd, hoste, hostf.

Does this help ease the confusion?
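A resolver for the entries sketched in the post above, as an added example (neither sudo's nor pam_ldap's code). sudoUser, sudoHost and sudoCommand are the real sudoers LDAP attributes; userGroup and hostGroup on the role, and the plain host: attribute on the host groups, are the extension the post proposes, and the "+name" prefix is used the way the post uses it (for a host group) rather than as sudoers' netgroup syntax. The directory below is constructed from the post's entries; the role name adminrole is a placeholder.

```python
"""Resolve login vs. sudo access from role/group entries like the post's.

Added example, not sudo or pam_ldap code. sudoUser/sudoHost/sudoCommand are
the real sudoers LDAP attributes; userGroup/hostGroup on the role and the
plain 'host:' attribute on host groups are the extension the post proposes.
"""
from __future__ import annotations

# Constructed directory, transcribed from the post's sketch. The role name
# is a placeholder; the post does not name it.
DIRECTORY = {
    "roles": {
        "adminrole": {
            "sudoUser": ["%someusergroup"],
            "userGroup": ["someusergroup"],
            "sudoHost": ["+somehostgroup"],
            "hostGroup": ["somehostgroup", "nosudohostgroup"],
            "sudoCommand": ["ALL"],
        }
    },
    "userGroups": {"someusergroup": {"memberUid": ["username"]}},
    "hostGroups": {
        "somehostgroup": {"host": ["hosta", "hostb", "hostc"]},
        "nosudohostgroup": {"host": ["hostd", "hoste", "hostf"]},
    },
}


def _members(directory: dict, group: str) -> list[str]:
    return directory["userGroups"].get(group, {}).get("memberUid", [])


def _hosts(directory: dict, group: str) -> list[str]:
    return directory["hostGroups"].get(group, {}).get("host", [])


def user_matches(spec: str, user: str, directory: dict) -> bool:
    """sudoUser value: ALL, %group (its memberUids) or a literal uid."""
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return user in _members(directory, spec[1:])
    return spec == user


def host_matches(spec: str, host: str, directory: dict) -> bool:
    """sudoHost value: ALL, +hostgroup (its host: values, as in the post) or a literal host."""
    if spec == "ALL":
        return True
    if spec.startswith("+"):
        return host in _hosts(directory, spec[1:])
    return spec == host


def access_for(user: str, host: str, directory: dict = DIRECTORY) -> set[str]:
    """Return the subset of {'login', 'sudo'} the directory grants user on host.

    login: user is in one of the role's userGroups and host is in one of
           its hostGroups (what pam_ldap would consult).
    sudo:  user matches a sudoUser and host matches a sudoHost of the
           same role (what sudo consults).
    """
    rights: set[str] = set()
    for role in directory["roles"].values():
        in_user_group = any(user in _members(directory, g) for g in role.get("userGroup", []))
        in_host_group = any(host in _hosts(directory, g) for g in role.get("hostGroup", []))
        if in_user_group and in_host_group:
            rights.add("login")
        if (any(user_matches(s, user, directory) for s in role.get("sudoUser", []))
                and any(host_matches(s, host, directory) for s in role.get("sudoHost", []))):
            rights.add("sudo")
    return rights


def sudo_commands(user: str, host: str, directory: dict = DIRECTORY) -> list[str]:
    """Union of sudoCommand values from every role granting sudo to user on host."""
    commands: list[str] = []
    for role in directory["roles"].values():
        if (any(user_matches(s, user, directory) for s in role.get("sudoUser", []))
                and any(host_matches(s, host, directory) for s in role.get("sudoHost", []))):
            commands.extend(role.get("sudoCommand", []))
    return commands


if __name__ == "__main__":
    for h in ("hosta", "hostd", "hostz"):
        print(h, sorted(access_for("username", h)), sudo_commands("username", h))
```

Running it reproduces the post's claim: username gets login and sudo (ALL) on hosta, hostb and hostc, login only on hostd, hoste and hostf, and nothing on a host outside both groups. Keeping the two questions in separate attributes, as the post does, is what lets one set of group objects serve both consumers without collapsing provisioning and escalation into one decision.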
> > *) A group of hosts for use in sudo rules > *) A group of users for use in sudo rules > *) A group of users to provision to a host > > In fact, these are all different, and *should* be represented > differently in your repository. We do something like this: > > auth_ - a list of people provisioned to a host > sudo_ - a list of people granted a specific sudo command > hgrp_ - a list of hosts > > Even in the first two instances, provisioning v. sudo, I *want* to > keep > these separate. For example, when an intern joins our unix team for a > summer assignment, I probably want to allow that intern to log into > our > machines so she can e.g. gather configuration info, but I probably > don't > want to grant that intern the full sudo rights I give normal unix > admins. > > -- Pat From eric.freeman at tbwachiat.com Thu May 27 12:12:26 2010 From: eric.freeman at tbwachiat.com (Eric Freeman) Date: Thu, 27 May 2010 12:12:26 -0400 Subject: [sudo-users] Help needed with sudo ssl and HPUX Message-ID: I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but when using SSL it fails. The odd thing is it works on another HP-UX machine and the same version of sudo. I have also copied the /etc/ldap.conf file from the working machine to the non working machine. When I am root and type sudo -v it appears to talk SSL but a regular user fails. The regular user also fails SSL when issuing a sudo command with an actual command. Thank you. 
Below is the error and one that worked with root: $ sudo lastb LDAP Config Summary =================== uri ldap://10.20.2.165 ldap_version 3 sudoers_base ou=xxxxxxx binddn cn=xxxxxx bindpw xxxxx bind_timelimit 30000 timelimit 30 ssl start_tls tls_checkpeer (no) =================== sudo: ldap_initialize(ld, ldap://10.20.2.165) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_checkpeer -> 0 sudo: ldap_set_option: timelimit -> 30 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30) sudo: ldap_start_tls_s(): Connect error Working with root: dbtest:/ # sudo -v LDAP Config Summary =================== uri ldap://10.20.2.165 ldap_version 3 sudoers_base ou=xxxxx binddn cn=xxxxx bindpw xxxx bind_timelimit 30000 timelimit 30 ssl off tls_checkpeer (no) =================== sudo: ldap_initialize(ld, ldap://10.20.2.165) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_checkpeer -> 0 sudo: ldap_set_option: timelimit -> 30 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30) sudo: ldap_sasl_bind_s() ok sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log' sudo: ldap sudoOption: 'log_year' sudo: user_matches=0 sudo: host_matches=0 sudo: sudo_ldap_lookup(53)=0x82 $ more /etc/ldap.conf uri ldap://10.20.2.165 ssl start_tls TLS_CHECKPEER off sudoers_base ou=xxxxx BINDDN cn=xxxx BINDPW xxxx timelimit 30 bind_timelimit 30 TLS_REQCERT never sudoers_debug 2 This e-mail is intended only for the named person or entity to which it is addressed and contains valuable business information that is privileged, confidential and/or otherwise protected from disclosure. Dissemination, distribution or copying of this e-mail or the information herein by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. 
From Todd.Miller at courtesan.com  Fri May 28 17:46:12 2010
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 28 May 2010 17:46:12 -0400
Subject: [sudo-users] Help needed with sudo ssl and HPUX
In-Reply-To: Your message of "Thu, 27 May 2010 12:12:26 EDT."
References:
Message-ID: <201005282146.o4SLkCRI030190@core.courtesan.com>

Hmm, in your working example, ssl=off whereas in the non-working,
ssl=start_tls.

Does your ldap server support ldaps (SSL over port 636)?  If so,
does that work?

 - todd

In message so spake Eric Freeman (eric.freeman):

> I am running sudo 1.7.2 on HP-UX 11.11. Sudo works when not using SSL but
> when using SSL it fails. The odd thing is it works on another HP-UX machine
> and the same version of sudo. I have also copied the /etc/ldap.conf file
> from the working machine to the non-working machine.
>
> When I am root and type sudo -v it appears to talk SSL but a regular user
> fails. The regular user also fails SSL when issuing a sudo command with an
> actual command.
>
>
> Thank you.
> Below is the error and one that worked with root:
>
> $ sudo lastb
> LDAP Config Summary
> ===================
> uri              ldap://10.20.2.165
> ldap_version     3
> sudoers_base     ou=xxxxxxx
> binddn           cn=xxxxxx
> bindpw           xxxxx
> bind_timelimit   30000
> timelimit        30
> ssl              start_tls
> tls_checkpeer    (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
>
> sudo: ldap_start_tls_s(): Connect error
>
>
>
> Working with root:
>
> dbtest:/ # sudo -v
> LDAP Config Summary
> ===================
> uri              ldap://10.20.2.165
> ldap_version     3
> sudoers_base     ou=xxxxx
> binddn           cn=xxxxx
> bindpw           xxxx
> bind_timelimit   30000
> timelimit        30
> ssl              off
> tls_checkpeer    (no)
> ===================
> sudo: ldap_initialize(ld, ldap://10.20.2.165)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: timelimit -> 30
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 30)
>
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=SUDOersDBTEST,ou=SUDOers,ou=Services,o=NAM
> sudo: ldap sudoOption: 'logfile=/var/adm/syslog/sudo.ldap.log'
> sudo: ldap sudoOption: 'log_year'
> sudo: user_matches=0
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(53)=0x82
>
>
> $ more /etc/ldap.conf
> uri ldap://10.20.2.165
> ssl start_tls
> TLS_CHECKPEER off
> sudoers_base ou=xxxxx
> BINDDN cn=xxxx
> BINDPW xxxx
> timelimit 30
> bind_timelimit 30
> TLS_REQCERT never
> sudoers_debug 2
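The ldap.conf quoted in this thread turns TLS on (ssl start_tls) but sets TLS_CHECKPEER off and TLS_REQCERT never, so sudo never verifies which server it is fetching its rules from. The checker below is an added example, not code from the thread or the sudo project: it parses that file, lists the settings that leave the server unverified, and produces the corrected values (the CA file path is a placeholder; treating TLS_REQCERT as the OpenLDAP-library twin of tls_checkpeer is an assumption).

```python
# Added example for this thread, not sudo project code.  Keywords follow
# sudoers.ldap(5); TLS_REQCERT is taken as the OpenLDAP-library twin of
# tls_checkpeer (assumption).  THREAD_LDAP_CONF is the file quoted above.
THREAD_LDAP_CONF = """\
uri ldap://10.20.2.165
ssl start_tls
TLS_CHECKPEER off
sudoers_base ou=xxxxx
BINDDN cn=xxxx
BINDPW xxxx
timelimit 30
bind_timelimit 30
TLS_REQCERT never
sudoers_debug 2
"""
_FALSE = {"off", "false", "no", "0"}
_TLS_ON = {"on", "yes", "true", "start_tls"}

def parse_ldap_conf(text):
    """Return {keyword: value}; sudo matches keywords case-insensitively."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def assess_tls(conf):
    """List the ways this config lets sudo accept unverified sudoers data."""
    tls = (conf.get("ssl", "off").lower() in _TLS_ON
           or conf.get("uri", "").lower().startswith("ldaps://"))
    if not tls:
        return ["no TLS: rules and bind credentials travel in the clear"]
    findings = []
    if conf.get("tls_checkpeer", "").lower() in _FALSE:
        findings.append("tls_checkpeer off: server certificate not verified")
    if conf.get("tls_reqcert", "").lower() in ("never", "allow"):
        findings.append("TLS_REQCERT %s: any or no certificate accepted"
                        % conf["tls_reqcert"])
    if not (conf.get("tls_cacertfile") or conf.get("tls_cacertdir")):
        findings.append("no tls_cacertfile/tls_cacertdir: no trust anchor")
    return findings

def harden(conf, cacert="/etc/ssl/certs/ldap-ca.pem"):  # placeholder path
    """Copy of conf that demands a verified server certificate."""
    fixed = dict(conf, tls_checkpeer="yes", tls_reqcert="demand")
    fixed.setdefault("tls_cacertfile", cacert)
    return fixed
```

Running assess_tls on the thread's file yields three findings; the same check on harden(conf) yields none.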