[sudo-users] sudo-users question: bug 678
Todd C. Miller
Todd.Miller at courtesan.com
Mon Feb 2 11:23:54 MST 2015
On Tue, 27 Jan 2015 16:39:08 -0700, Andy West wrote:
> Does bug 678 have any impact on LDAP-based sudo policies? I am using
> sudo attributes set as "sudoOption: fqdn", and "sudoHost:
> [name.example.com]" and have not seen any issues similar to what was
> described in the bug, but I still wanted to confirm. I implemented
> "sudoOption: fqdn" strictly to disallow use of short host names to make
> the solution a bit more secure.
The fqdn option does not disallow the use of short host names. It
just resolves the system's hostname (usually via /etc/hosts or DNS)
in order to get the fully-qualified name if the system hostname is
not already fully-qualified.
Bug #678 only affects sudo 1.8.8 through 1.8.11p2.
Furthermore, it would only cause problems in the global defaults
entry. For example:
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: fqdn
Setting fqdn in the individual sudoRole object has no effect because
matching is performed before the sudoOptions for that sudoRole are
applied.
- todd
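As an added illustration of the matching order described in the reply above (a simplified Python model written for this page, not sudo's own code; the hosts table, hostnames and role names are constructed):

```python
# Simplified model of how the "fqdn" sudoOption interacts with sudoHost
# matching. Not sudo's code: a stand-in to make the ordering visible.
from dataclasses import dataclass, field

# Constructed stand-in for /etc/hosts or DNS: short name -> qualified name.
HOSTS = {"name": "name.example.com"}


def resolve_fqdn(system_hostname: str) -> str:
    """Resolve to the fully-qualified name only if the hostname is not
    already qualified, mirroring what the fqdn option does."""
    if "." in system_hostname:
        return system_hostname
    return HOSTS.get(system_hostname, system_hostname)


def host_matches(sudo_host: str, system_hostname: str, fqdn: bool) -> bool:
    """A sudoHost value matches the short hostname always, and the
    fully-qualified form when it is available (already qualified, or
    resolved because fqdn is on). fqdn therefore never disallows short names."""
    long_name = resolve_fqdn(system_hostname) if fqdn else system_hostname
    short_name = system_hostname.split(".", 1)[0]
    return sudo_host in (short_name, long_name)


@dataclass
class SudoRole:
    cn: str
    sudo_host: str
    sudo_options: list = field(default_factory=list)


def role_applies(role: SudoRole, system_hostname: str,
                 global_options: list) -> bool:
    """Only cn=defaults decides whether fqdn is in effect for matching.
    role.sudo_options is deliberately not consulted here: per-role options
    are applied after the host has matched, so a per-role fqdn cannot
    influence whether the role matches at all."""
    fqdn = "fqdn" in global_options
    return host_matches(role.sudo_host, system_hostname, fqdn)
```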