[sudo-users] sudo ldap and local sudoers messy situation

Onur Yalazı onuryalazi at mersin.edu.tr
Mon Dec 31 02:09:02 EST 2012


On 12/30/2012 09:46 PM, Todd C. Miller wrote:
>
> What version of sudo are you running?  I'm unable to reproduce this
> on Ubuntu 12.04 with the Ubuntu sudo-ldap 1.8.3p1 package.
I normally use 1.8.3p1. But I've upgraded it to quatzal's 
1.8.5p2-1ubuntu1 package to have sudo debugging.

>
> $ grep sudoers /etc/nsswitch.conf
> sudoers:	ldap files
>
> I created a local test user with sudoers permission in /etc/sudoers
>
> # su testuser
> $ sudo -ll
> Matching Defaults entries for testuser on this host:
>      env_reset,
>      secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
>      log_output,
>
> Runas and Command-specific defaults for testuser:
>      Defaults!/usr/bin/sudoreplay !log_output
>
> User testuser may run the following commands on this host:
>
> Sudoers entry:
>      RunAsUsers: root
>      Commands:
> 	ALL
>
> $ sudo id
> uid=0(root) gid=0(root) groups=0(root)
>
> Can you show the output of "sudo -ll" run by sysbot?  It looks like
> the stay_setuid option might be set in sudoers, though I would expect
> that to affect the ldap case too.
You are right about the stay_setuid option. Even though I do not have it 
in sudoers file, it gets set.

sysbot's sudo -ll output:

Matching Defaults entries for sysbot on this host:
     env_reset, mail_badpass, 
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, 
tty_tickets, mail_always, preserve_groups, set_logname, stay_setuid, 
noexec, insults

User sysbot may run the following commands on this host:

Sudoers entry:
     RunAsUsers: ALL
     Commands:
     NOPASSWD: ALL


After all this I figured out the problem: sudo is using sudo default 
options from the sudoers LDAP defaults entry, and it has the stay_setuid 
option set. I was ignoring LDAP sudoers but sudo is not. After I removed 
this option everything fell into place.
>   - todd
Thank you and Happy new year!
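The lesson of the thread is that with "sudoers: ldap files" in nsswitch.conf, sudo merges Defaults from the LDAP cn=defaults entry with the local file, so a user whose only rule lives in /etc/sudoers still inherits options such as stay_setuid from LDAP. The script below is an added example, not part of the thread or of the sudo project: it parses the "Matching Defaults entries" block that "sudo -ll" prints and flags options from a small watch list. The sample output is constructed to mirror the sysbot listing above; on a real host you would pipe in "sudo -ll" instead. The function names and the watch list are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective sudo Defaults
# that "sudo -ll" reports and flag options that change privilege handling.
# Because Defaults are merged from every sudoers source in nsswitch.conf,
# an option you removed from /etc/sudoers can still be active via LDAP;
# checking the effective output rather than one source catches that.

# Constructed sample modelled on the sysbot listing in the thread.
SAMPLE='Matching Defaults entries for sysbot on this host:
     env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
tty_tickets, mail_always, preserve_groups, set_logname, stay_setuid,
noexec, insults

User sysbot may run the following commands on this host:

Sudoers entry:
     RunAsUsers: ALL
     Commands:
     NOPASSWD: ALL
'

# Options that deserve a second look when they appear unexpectedly
# (hypothetical watch list; extend it to match local policy).
WATCH='stay_setuid preserve_groups'

# sudo_defaults_list: read "sudo -ll" output on stdin and print one
# option per line from the "Matching Defaults entries" block.
# Values after "=" (e.g. secure_path=...) are kept with the option.
sudo_defaults_list() {
    awk '
        /^Matching Defaults entries/ { inblock = 1; next }
        inblock && /^[[:space:]]*$/ { inblock = 0 }
        inblock { buf = buf $0 }
        END {
            n = split(buf, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }'
}

# sudo_defaults_flag: read "sudo -ll" output on stdin, print every
# watched option that is in effect, and return 1 if any was found.
sudo_defaults_flag() {
    found=0
    for opt in $(sudo_defaults_list); do
        name=${opt%%=*}          # strip a "=value" part, if present
        for w in $WATCH; do
            [ "$name" = "$w" ] && { echo "flagged: $opt"; found=1; }
        done
    done
    return $found
}

# Demo on the constructed sample; on a real host use:  sudo -ll | sudo_defaults_flag
if printf '%s\n' "$SAMPLE" | sudo_defaults_flag; then
    echo "no watched Defaults options in effect"
fi
```

When the check flags an option that is absent from /etc/sudoers, the remaining place to look is the LDAP defaults entry (the cn=defaults sudoRole whose sudoOption attributes the sudoers.ldap documentation describes); removing the offending sudoOption there, as the poster did, is what changes the effective output.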


