[sudo-users] sudoHost matches regardless of netgroup membership
Wick, Samson
SWick at west.com
Thu Oct 18 12:16:26 EDT 2012
I'm using the 389-ds LDAP directory server for SUDO. I'm using NIS-style netgroups (also in LDAP) for the sudoHost and sudoUser attributes of my SUDO roles. My clients are all Red Hat Enterprise Linux - everything from 4.6 through 6.3.
In testing, I have noticed that SUDO does not evaluate the netgroup specified in sudoHost to verify that the present host is actually a member of the netgroup. It seems that if the netgroup has any member of any kind, sudoHost will match.
This behavior has been observed in 1.8.6-4, 1.7.10-4, and 1.7.4p5 (and several in-between).
I have a rather large environment to manage and I'm hoping that I'm just doing something wrong. I've provided as much detail below as I could think of, but please let me know if I'm doing something wrong.
This is how I have everything set up:
SUDO ROLE:
------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_role)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_role)
# requesting: ALL
#
# Test_role, SUDOers, ds.company.com
dn: cn=Test_role,ou=SUDOers,dc=ds,dc=company,dc=com
sudoHost: +Test_hosts
description: Test role for people who can't read good and want to learn how to
do other stuff good too
sudoOption: !authenticate
sudoOption: noexec
sudoCommand: ALL
sudoCommand: !/bin/su
sudoCommand: !/usr/bin/chattr * /etc/passwd
sudoCommand: !/usr/bin/chattr * /etc/security/access.conf
sudoCommand: !/usr/bin/chattr * /etc/nsswitch.conf
sudoCommand: !/bin/sh
sudoCommand: !/bin/ksh
sudoCommand: !/bin/bash
sudoUser: +Test_users
objectClass: top
objectClass: sudorole
cn: Test_role
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-----------------------
"Test_hosts" NETGROUP
(LDAP and getent output)
-----------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#
# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,swtest-5864p,)
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts ( , swtest-5864p, )
-----------------------
"Test_users" NETGROUP
(LDAP and getent output)
------------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_users)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_users)
# requesting: ALL
#
# Test_users, Users, Netgroups, ds.company.com
dn: cn=Test_users,ou=Users,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,swick,)
description: Test netgroup for test users
cn: Test_users
objectClass: top
objectClass: nisnetgroup
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[swick at swtest-5864p ~]$ getent netgroup Test_users
Test_users ( , swick, )
-----------------------
Current Host and User
-------------------------------------------------------------------------
[swick at swtest-5864p ~]$ hostname
swtest-5864p
[swick at swtest-5864p ~]$ whoami
swick
-----------------------
EXPECTED BEHAVIOR
Given the information above, this is how I would expect sudo to perform.
-------------------------------------------------------------------------
[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ds01.ds.company.com ldap://ds02.ds.company.com
ldap_version 3
sudoers_base ou=SUDOers,dc=ds,dc=company,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'noexec'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Matching Defaults entries for swick on this host:
always_set_home
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
User swick may run the following commands on this host:
(root) NOPASSWD: NOEXEC: ALL, !/bin/su, !/usr/bin/chattr * /etc/passwd, !/usr/bin/chattr * /etc/security/access.conf, !/usr/bin/chattr * /etc/nsswitch.conf, !/bin/sh, !/bin/ksh, !/bin/bash
-------------------------
Change "Test_hosts" so this server is no longer a member
------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#
# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,non-existent-host,)
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts ( , non-existent-host, )
--------------------------
UNEXPECTEDLY sudo still thinks that sudoHost matches and allows the command to proceed.
--------------------------------------------------------------------
[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ds01.ds.company.com ldap://ds02.ds.company.com
ldap_version 3
sudoers_base ou=SUDOers,dc=ds,dc=company,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'noexec'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Matching Defaults entries for swick on this host:
always_set_home
sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
User swick may run the following commands on this host:
(root) NOPASSWD: NOEXEC: ALL, !/bin/su, !/usr/bin/chattr * /etc/passwd, !/usr/bin/chattr * /etc/security/access.conf, !/usr/bin/chattr * /etc/nsswitch.conf, !/bin/sh, !/bin/ksh, !/bin/bash
-----------------------------------------
BUT clearly SOME kind of checking is taking place because if I remove all members from Test_hosts:
----------------------------------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#
# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts
------------------------------------------------
The sudoHost fails to match as expected
------------------------------------------------------------------------------------------------
[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri ldap://ds01.ds.west.com ldap:/ds02.ds.west.com
ldap_version 3
sudoers_base ou=SUDOers,dc=ds,dc=company,dc=com
binddn (anonymous)
bindpw (anonymous)
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xc0
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for swick:
swick is not allowed to run sudo on swtest-5864p. This incident will be reported.
------------------------------------------
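The following is an added example, not code from the post above or from the sudo project. It models the standard netgroup triple semantics documented in netgroup(5): a triple is (host,user,domain), an empty field is a wildcard, and a "-" field matches nothing. It feeds the three getent outputs quoted in the post (constructed here as sample strings) through an innetgr(3)-style host check of the kind sudoHost netgroup matching performs, alongside two triples in the (host,,) form that are an assumption of this example, not something the post shows. The audit helper is a hypothetical lint a defender can run over host netgroups to flag triples whose host field is empty, since such a triple matches every host.

```python
import re
from typing import Dict, List, Optional, Tuple

# (host, user, domain); "" is a wildcard, "-" matches nothing (netgroup(5))
Triple = Tuple[str, str, str]

# Constructed sample lines modelled on the getent output quoted in the post.
# The last two entries are an assumed alternative form, not from the post.
GETENT_SAMPLES: Dict[str, str] = {
    "member_in_user_slot":       "Test_hosts ( , swtest-5864p, )",
    "other_in_user_slot":        "Test_hosts ( , non-existent-host, )",
    "empty_netgroup":            "Test_hosts",
    "member_in_host_slot":       "Test_hosts (swtest-5864p,,)",
    "other_in_host_slot":        "Test_hosts (non-existent-host,,)",
}


def parse_getent_netgroup(line: str) -> Tuple[str, List[Triple]]:
    """Parse one line of `getent netgroup NAME` into (name, [triples]).

    A netgroup with no members is printed as the bare name, which yields
    an empty triple list. Whitespace inside the parentheses is ignored.
    """
    name, _, rest = line.strip().partition(" ")
    triples: List[Triple] = []
    for match in re.finditer(r"\(([^)]*)\)", rest):
        fields = [f.strip() for f in match.group(1).split(",")]
        if len(fields) != 3:
            raise ValueError(f"malformed triple in {name!r}: ({match.group(1)})")
        triples.append((fields[0], fields[1], fields[2]))
    return name, triples


def _field_matches(pattern: str, value: Optional[str]) -> bool:
    """One field of a triple against one query value.

    value=None means the caller does not constrain this field (innetgr NULL).
    An empty pattern is a wildcard; "-" never matches.
    """
    if pattern == "-":
        return False
    if pattern == "" or value is None:
        return True
    return pattern == value


def innetgr(triples: List[Triple], host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """innetgr(3)-style membership test: any triple matching all three fields."""
    return any(
        _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain)
        for h, u, d in triples
    )


def sudo_host_check(getent_line: str, hostname: str) -> bool:
    """Model of a sudoHost '+netgroup' check: only the host field is supplied."""
    _, triples = parse_getent_netgroup(getent_line)
    return innetgr(triples, host=hostname)


def audit_host_netgroup(getent_line: str) -> List[str]:
    """Hypothetical lint: flag triples in a host netgroup that match every host."""
    name, triples = parse_getent_netgroup(getent_line)
    warnings = []
    for h, u, d in triples:
        if h == "":
            warnings.append(
                f"{name}: triple ({h},{u},{d}) has an empty host field, "
                f"so it matches any host"
                + (f"; value {u!r} sits in the user position" if u else "")
            )
    return warnings


def evaluate(hostname: str = "swtest-5864p") -> Dict[str, bool]:
    """Run the sudoHost model over every constructed sample for one hostname."""
    return {label: sudo_host_check(line, hostname) for label, line in GETENT_SAMPLES.items()}


if __name__ == "__main__":
    for label, result in evaluate().items():
        print(f"{label:24s} host_matches={int(result)}")
    for label, line in GETENT_SAMPLES.items():
        for warning in audit_host_netgroup(line):
            print("WARN", warning)
```

Under these semantics a triple whose host field is empty matches the current host whatever the other fields contain, an empty netgroup matches nothing, and a triple with the hostname in the first position matches only that host. A getent line whose triples all put hostnames in the second position is worth checking before concluding that the client's matching is at fault.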