[sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules
Ralph Meier
ralph.meier at merckgroup.com
Fri Jan 29 01:31:28 MST 2021
Thanks Todd!
After resolving some syncing issues with our LDAP servers I found there is a second rule:
LDAP Role: os_viocheck_xxxde
RunAsUsers: root
Options: !authenticate
Commands:
ALL
LDAP Role: os_all_allch
RunAsUsers: ALL
Commands:
ALL
Does this second rule without "!authenticate" overwrite the previous one because
they are just evaluated in the order the LDAP server delivers them? Is there a way to
prioritize a rule?
Best Regards
Ralph
-----Original Message-----
From: Todd C. Miller <Todd.Miller at sudo.ws>
Sent: Thursday, 28 January 2021 19:59
To: Ralph Meier <ralph.meier at merckgroup.com>
Cc: sudo-users at sudo.ws
Subject: Re: AW: [sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules
I haven't been able to reproduce this problem. This is what I see using a test user:
$ sudo -k id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
$ sudo -l
Matching Defaults entries for testdude on xerxes:
ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
password :", badpass_message="Wrong password :"
User testdude may run the following commands on xerxes:
(root) NOPASSWD: ALL
$ sudo -ll
Matching Defaults entries for testdude on xerxes:
ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
password :", badpass_message="Wrong password :"
User testdude may run the following commands on xerxes:
LDAP Role: testdude
RunAsUsers: root
Options: !authenticate
Commands:
ALL
My LDIF looks like this:
# testdude, sudoers, sudo.ws
dn: cn=testdude,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: testdude
sudoUser: testdude
sudoRunAs: root
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
# defaults, sudoers, sudo.ws
dn: cn=defaults,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
sudoOption: listpw=never
sudoOption: syslog=auth
sudoOption: !env_reset
sudoOption: passprompt="%u password :"
sudoOption: badpass_message="Wrong password :"
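The ordering question raised above, as an added illustration that is not code from this thread or from sudo itself: sudoers.ldap(5) documents that matching sudoRole entries are sorted by the sudoOrder attribute (an entry without it counts as 0) and the entry with the highest value wins, which mirrors the "last match wins" rule of a sudoers file. The Python below models that rule with a minimal LDIF reader over a constructed directory fragment. The role names come from the thread; the user ralph, the dc=example,dc=com base, the sudoRunAsUser values and the sudoOrder value of 10 are assumptions for the example. Group (%), netgroup (+) and wildcard host matching are not modeled.

```python
"""Model of how sudo's LDAP back end picks between several matching sudoRole
entries. Added illustration, not sudo source code. It implements the rule
documented in sudoers.ldap(5): sort matching entries by sudoOrder (missing
means 0) and let the highest one win, like the file-based last-match rule.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed LDIF (not from the thread): the two roles Ralph listed, with the
# !authenticate role given sudoOrder 10 so it outranks the broad ALL role.
SAMPLE_LDIF = """\
dn: cn=os_viocheck_xxxde,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: os_viocheck_xxxde
sudoUser: ralph
sudoRunAsUser: root
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 10

dn: cn=os_all_allch,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: os_all_allch
sudoUser: ralph
sudoRunAsUser: ALL
sudoHost: ALL
sudoCommand: ALL
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one entry per blank-line-separated block, every
    attribute kept as a list of values. Attribute names are lower-cased
    because LDAP treats them case-insensitively. No base64 or line folding."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry: Entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def role_matches(entry: Entry, user: str, host: str) -> bool:
    """Simplified user/host match: exact name or ALL only."""
    users = entry.get("sudouser", [])
    hosts = entry.get("sudohost", [])
    return (user in users or "ALL" in users) and (host in hosts or "ALL" in hosts)


def sudo_order(entry: Entry) -> float:
    """sudoers.ldap(5): an entry without sudoOrder is treated as 0."""
    values = entry.get("sudoorder")
    return float(values[0]) if values else 0.0


def needs_password(ldif_text: str, user: str, host: str) -> Tuple[bool, str]:
    """Apply the matching roles in ascending sudoOrder; the last one applied
    wins. A role that does not carry !authenticate falls back to sudo's
    default of requiring a password, which is how a broad rule can silently
    undo a NOPASSWD-style rule. Returns (password_required, winning cn)."""
    matches = [e for e in parse_ldif(ldif_text) if role_matches(e, user, host)]
    # sort() is stable: roles with equal sudoOrder keep the order the
    # directory returned them in, i.e. the non-determinism seen in the thread.
    matches.sort(key=sudo_order)
    required, winner = True, ""
    for entry in matches:
        required = "!authenticate" not in entry.get("sudooption", [])
        winner = entry.get("cn", ["?"])[0]
    return required, winner


if __name__ == "__main__":
    print("with sudoOrder   :", needs_password(SAMPLE_LDIF, "ralph", "host1"))
    no_order = SAMPLE_LDIF.replace("sudoOrder: 10\n", "")
    print("without sudoOrder:", needs_password(no_order, "ralph", "host1"))
```

With the sudoOrder attribute present the !authenticate role wins regardless of the order the server returns the entries; without it both roles tie at 0 and the outcome depends purely on delivery order, so the broad os_all_allch role can end up last and re-enable the password prompt.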