[sudo-users] sudo ldap and local sudoers messy situation
Onur Yalazı
onuryalazi at mersin.edu.tr
Mon Dec 31 02:09:02 EST 2012
On 12/30/2012 09:46 PM, Todd C. Miller wrote:
>
> What version of sudo are you running? I'm unable to reproduce this
> on Ubuntu 12.04 with the Ubuntu sudo-ldap 1.8.3p1 package.
I normally use 1.8.3p1, but I've upgraded it to Quetzal's
1.8.5p2-1ubuntu1 package to have sudo debugging.
>
> $ grep sudoers /etc/nsswitch.conf
> sudoers: ldap files
>
> I created a local test user with sudoers permission in /etc/sudoers
>
> # su testuser
> $ sudo -ll
> Matching Defaults entries for testuser on this host:
>     env_reset,
>     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
>     log_output,
>
> Runas and Command-specific defaults for testuser:
>     Defaults!/usr/bin/sudoreplay !log_output
>
> User testuser may run the following commands on this host:
>
> Sudoers entry:
>     RunAsUsers: root
>     Commands:
>         ALL
>
> $ sudo id
> uid=0(root) gid=0(root) groups=0(root)
>
> Can you show the output of "sudo -ll" run by sysbot? It looks like
> the stay_setuid option might be set in sudoers, though I would expect
> that to affect the ldap case too.
You are right about the stay_setuid option. Even though I do not have it
in the sudoers file, it gets set.
sysbot's sudo -ll output:
Matching Defaults entries for sysbot on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    tty_tickets, mail_always, preserve_groups, set_logname, stay_setuid,
    noexec, insults

User sysbot may run the following commands on this host:
    Sudoers entry:
        RunAsUsers: ALL
        Commands:
            NOPASSWD: ALL
After all this I figured out the problem: sudo is using default
options from the sudoers LDAP defaults entry, and it has the stay_setuid option
set. I was ignoring LDAP sudoers, but sudo is not. After I removed this
option everything fell into place.
> - todd
Thank you and Happy new year!
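The check below is an added example, not code from the thread or from the sudo project: it parses the "sudo -ll" output format shown above to list the effective Defaults for a user, so an option such as stay_setuid that arrives from an LDAP cn=defaults entry rather than /etc/sudoers stands out, and it reads the sudoers source order from an nsswitch.conf-style line. The sample output is constructed from the sysbot listing in this message.

```shell
#!/bin/sh
# Added example: inspect effective sudo Defaults from "sudo -ll" output.
# Constructed sample, modelled on the sysbot output quoted in the thread.
SAMPLE_LL='Matching Defaults entries for sysbot on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    tty_tickets, mail_always, preserve_groups, set_logname, stay_setuid,
    noexec, insults

User sysbot may run the following commands on this host:
    Sudoers entry:
        RunAsUsers: ALL
        Commands:
            NOPASSWD: ALL'

# Read "sudo -ll" output on stdin; print each effective Defaults option on
# its own line. Only the "Matching Defaults entries" block is consulted; the
# per-command and per-user sections that follow it are skipped.
ll_defaults() {
    awk '
        /^Matching Defaults entries/            { in_def = 1; next }
        /^Runas and Command-specific/ || /^User / { in_def = 0 }
        in_def && NF {
            sub(/^[ \t]+/, "")                 # drop leading indentation
            n = split($0, opts, /,[ \t]*/)     # options are comma separated
            for (i = 1; i <= n; i++) if (opts[i] != "") print opts[i]
        }
    '
}

# Exit 0 if the named option (e.g. stay_setuid) is among the effective Defaults.
has_default() {
    ll_defaults | grep -qxF -- "$1"
}

# Print the sources sudo consults for sudoers, in order, from nsswitch.conf
# lines on stdin ("sudoers: ldap files" -> "ldap files"). With ldap listed,
# Defaults from the LDAP cn=defaults entry apply even if /etc/sudoers lacks them.
sudoers_sources() {
    sed -n 's/^sudoers:[[:space:]]*//p' | tr -s '[:blank:]' ' ' | sed 's/ $//'
}

# Stand-alone run against the constructed sample.
if printf '%s\n' "$SAMPLE_LL" | has_default stay_setuid; then
    echo "stay_setuid is in effect: check the LDAP cn=defaults entry as well as /etc/sudoers"
fi
```

On a real host, replace the sample with `sudo -ll -U <user> | has_default stay_setuid` and feed /etc/nsswitch.conf to `sudoers_sources`.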