[sudo-users] avoid LDAP search sudoUser=+*
Michael Ströder
michael at stroeder.com
Fri Feb 7 01:06:40 MST 2014
Todd C. Miller wrote:
> On Thu, 06 Feb 2014 22:39:03 +0100, =?ISO-8859-1?Q?Michael_Str=F6der?= wrote:
>
>> Not true. Otherwise I would not have raised this issue here.
>> On some systems with older sudo versions the sudoUser=+* is even sent
>> *before* the normal user/group query.
>
> I don't recall that ever being the case (though my memory is far
> from perfect), and I see nothing in the ChangeLog related to a bug
> like that. It might be a something introduced by one of RedHat's
> patches. They tend to create large patch sets instead of just
> updating packages.
I saw such a behaviour on RHEL5 and Debian Squeeze.
>> If you perform the netgroup query you have to use
>>
>> (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
>>
>> to get reasonable performance (provided there's present index for
>> 'sudoUser'). Otherwise sudo-ldap is a DoS tool because the LDAP
>> server has to check each entry and LDAP admins have to protect their
>> servers by setting time limits.
>
> Now I understand. I thought you were proposing using a single query
> to fetch all sudoRole records instead. I will make that change for
> the next sudo release.
Great. Thanks.
It would also be nice if the default for the SUDOERS_SEARCH_FILTER is
(objectClass=sudoRole) just in case people forgot to set an equality index for
'sudoUser' because most times 'objectClass' is eq-indexed anyway.
Ciao, Michael.
More information about the sudo-users
mailing list