[sudo-users] SudoUsers matching regardless of netgroup
Choure, Sidd
schoure at apartments.com
Tue Dec 3 08:31:23 MST 2013
Hi,
This is the sudo -V output
sudo -V
Sudo version 1.8.6p3
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p3
--with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login
--with-editor=/bin/vi --with-env-editor --with-ignore-dot
--with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
--with-selinux --with-passprompt=[sudo] password for %p:
--with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Only allow the user to run sudo if they have a tty
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /sbin:/bin:/usr/sbin:/usr/bin
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORITY
_XKB_CHARSET
LINGUAS
LANGUAGE
LC_ALL
LC_TIME
LC_TELEPHONE
LC_PAPER
LC_NUMERIC
LC_NAME
LC_MONETARY
LC_MESSAGES
LC_MEASUREMENT
LC_IDENTIFICATION
LC_COLLATE
LC_CTYPE
LC_ADDRESS
LANG
USERNAME
QTDIR
PS2
PS1
MAIL
LS_COLORS
KDEDIR
INPUTRC
HISTSIZE
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Local IP address and netmask pairs:
172.22.133.105/255.255.255.0
fe80::215:5dff:fe0b:3213/ffff:ffff:ffff:ffff::
On RHEL 6.4, there is no /etc/ldap.conf. I see /etc/sudo-ldap.conf and
/etc/openldap/ldap.conf. Enabling sudoers_debug 2 in both didn't produce
any output on standard error. I am using the sssd setup and all the sudo
related configs are in the /etc/sssd/sssd.conf file -
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.com
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_default_bind_dn = cn=Manager,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_netgroup_search_base = ou=Netgroups,dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
What do I need to configure to see why sudo is matching everything?
Siddharth Choure
Senior Systems Engineer
On 12/2/13, 5:18 PM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>What version of sudo is this? The first thing to try is to enable
>sudoers debugging in ldap.conf. E.g.
>
> sudoers_debug 2
>
>That should tell you what exactly is matching (and how).
>
> - todd
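An added example, not code from the post or from sudo itself: a simplified Python model of how a sudoRole entry's sudoUser and sudoHost values (including "+netgroup" values) are matched against a user and host. It is useful for auditing which LDAP roles apply to whom, and it shows that a role carrying ALL in both attributes applies regardless of netgroup membership. The netgroup triples and roles are constructed; sudo's real matching also handles #uid, %#gid, negation and IP/netmask hosts, which this model omits.

```python
# Added example (not sudo's own code): approximate sudoRole matching.
from fnmatch import fnmatchcase

# Constructed netgroup data: name -> list of (host, user, domain) triples.
NETGROUPS = {
    "dbadmins": [("", "alice", ""), ("", "bob", "")],
    "dbhosts": [("db1.example.com", "", ""), ("db2.example.com", "", "")],
}

# Constructed sudoRole entries as they might come back from ou=SUDOers.
ROLES = [
    {"cn": "dbrole", "sudoUser": ["+dbadmins"], "sudoHost": ["+dbhosts"]},
    {"cn": "everyone", "sudoUser": ["ALL"], "sudoHost": ["ALL"]},
]

def _field_matches(field, value):
    # An empty field in a netgroup triple is a wildcard.
    return field == "" or field == value

def netgroup_has_user(netgroup, user):
    return any(_field_matches(u, user) for (_h, u, _d) in NETGROUPS.get(netgroup, []))

def netgroup_has_host(netgroup, host):
    return any(_field_matches(h, host) for (h, _u, _d) in NETGROUPS.get(netgroup, []))

def sudo_user_matches(value, user, groups):
    # sudoUser: ALL, a user name, %group or +netgroup.
    if value == "ALL":
        return True
    if value.startswith("+"):
        return netgroup_has_user(value[1:], user)
    if value.startswith("%"):
        return value[1:] in groups
    return value == user

def sudo_host_matches(value, host):
    # sudoHost: ALL, a host name (shell-style wildcards) or +netgroup.
    if value == "ALL":
        return True
    if value.startswith("+"):
        return netgroup_has_host(value[1:], host)
    return fnmatchcase(host, value)

def role_applies(role, user, groups, host):
    """True if the role applies to user (with these groups) on host."""
    user_ok = any(sudo_user_matches(v, user, groups) for v in role.get("sudoUser", []))
    host_ok = any(sudo_host_matches(v, host) for v in role.get("sudoHost", []))
    return user_ok and host_ok

def audit_roles(roles, user, groups, host):
    """cn of every role that applies; an ALL/ALL role shows up for everybody."""
    return [r["cn"] for r in roles if role_applies(r, user, groups, host)]
```

Running audit_roles for a user who is in no netgroup on a host that is in no netgroup isolates the roles that match everyone, which is the first thing to check when sudo appears to ignore netgroups.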