From lists+sudo at vanitude.com Wed Aug 5 15:11:37 2009
From: lists+sudo at vanitude.com (Pablo Averbuj)
Date: Wed, 5 Aug 2009 15:11:37 -0400
Subject: [sudo-workers] LDAP optimizations
Message-ID: <1039aae70908051211v754024c0if42eb494329d395f@mail.gmail.com>

Hello,

I've been doing some poking and testing with the LDAP/Netgroup integration for my project and I see the opportunity for optimization. But before I start making dramatic/stupid changes, I want to make sure I'm thinking about this all wrong.

Currently my read of ldap.c indicates that when it's resolving sudoRole objects, after it tries the explicit sudoUser values (username, primary unix group, additional unix groups) it looks for sudoRoles with nisNetgroups (sudoUser=+*). So far so good.

The next steps are where I want to make improvements. Now that it has a bunch of sudoRole objects, it starts to resolve sudoUser netgroups to see if the user is in the netgroup until it finds the user, etc.

I propose (and if agreed, may attempt) the following change:

Validate that the command is in sudoCommand / sudoRunas _before_ querying the sudoUser netgroups and sudoHost netgroups.

I don't see any downside and that makes me think that I'm crazy.

Thoughts?

-Pablo


From jamie.beverly at yahoo.com Wed Aug 5 23:07:44 2009
From: jamie.beverly at yahoo.com (Jamie Beverly)
Date: Wed, 5 Aug 2009 20:07:44 -0700 (PDT)
Subject: [sudo-workers] [PATCH] Move the pam_set_item calls for RUSER, USER, and RHOST to the pam_init function
Message-ID: <236627.80406.qm@web31802.mail.mud.yahoo.com>

This patch, or something similar, is necessary for pam auth modules to identify the calling user during authentication.

pam_prep_user() is called after pam_verify(), which results in PAM_RUSER being undefined for auth modules. By moving it so that the pam_set_item() calls are made as part of pam_init(), PAM_RHOST, PAM_RUSER, and PAM_USER are properly set up during authentication.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo.patch
Type: application/octet-stream
Size: 1390 bytes
Desc: not available


From Todd.Miller at courtesan.com Fri Aug 7 10:18:38 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Fri, 07 Aug 2009 10:18:38 -0400
Subject: [sudo-workers] [PATCH] Move the pam_set_item calls for RUSER, USER, and RHOST to the pam_init function
In-Reply-To: Your message of "Wed, 05 Aug 2009 20:07:44 PDT." <236627.80406.qm@web31802.mail.mud.yahoo.com>
References: <236627.80406.qm@web31802.mail.mud.yahoo.com>
Message-ID: <200908071418.n77EIcuO030835@core.courtesan.com>

Setting PAM_RUSER and PAM_RHOST earlier is fine, but the point of setting PAM_USER post-authentication is that it was set to the name of the user commands are being run as, rather than the name of the user we are authenticating as.

- todd
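The reordering Pablo proposes in the first message (check sudoCommand and sudoRunAs, which are plain string matches, before resolving sudoUser and sudoHost netgroups, which cost a lookup each) can be sanity-checked with a small simulation. This is an added example written for this thread, not sudo's ldap.c: the sudoRole entries, the netgroup table, the first-match semantics and the glob-style command matching are all constructed assumptions, and real sudo matching (sudoOrder, negation, digests, group plugins) is considerably richer. What it shows is the part worth checking before touching ldap.c: both evaluation orders reach the same decision for every input, and the proposed order only differs in how many netgroup lookups it spends, most visibly when the requested command matches no role at all.

```python
"""Simulation of sudoRole evaluation order: naive (user, host, runas, command)
versus proposed (command, runas, host, user).

Added example for the sudo-workers thread; not sudo's own code. All data
below (netgroups, sudoRole entries) is constructed for illustration.
"""
import fnmatch
import itertools

# Constructed netgroup table: name -> set of (host, user) pairs (NIS domain omitted)
NETGROUPS = {
    "admins": {("", "alice"), ("", "bob")},
    "dbas": {("", "carol")},
    "webservers": {("www1", ""), ("www2", "")},
    "dbservers": {("db1", "")},
}

# Constructed sudoRole entries, as a "sudoUser=+*" search would return them
SUDO_ROLES = [
    {"cn": "admins-all", "sudoUser": ["+admins"], "sudoHost": ["ALL"],
     "sudoRunAsUser": ["ALL"], "sudoCommand": ["ALL"]},
    {"cn": "dbas-db", "sudoUser": ["+dbas"], "sudoHost": ["+dbservers"],
     "sudoRunAsUser": ["postgres"], "sudoCommand": ["/usr/bin/psql"]},
    {"cn": "web-restart", "sudoUser": ["+admins"], "sudoHost": ["+webservers"],
     "sudoRunAsUser": ["root"], "sudoCommand": ["/usr/sbin/service httpd *"]},
]


class NetgroupResolver:
    """Resolves netgroup membership and counts lookups (the expensive step)."""

    def __init__(self, table):
        self.table = table
        self.lookups = 0

    def user_in(self, netgroup, user):
        self.lookups += 1
        return any(u == user for _, u in self.table.get(netgroup, ()))

    def host_in(self, netgroup, host):
        self.lookups += 1
        return any(h == host for h, _ in self.table.get(netgroup, ()))


def match_list(values, needle):
    """sudoCommand / sudoRunAsUser value list: ALL or a glob pattern (assumption)."""
    return any(v == "ALL" or fnmatch.fnmatchcase(needle, v) for v in values)


def user_matches(role, resolver, user):
    """sudoUser: '+netgroup' needs a lookup, a bare name is a string compare."""
    for v in role["sudoUser"]:
        if v.startswith("+"):
            if resolver.user_in(v[1:], user):
                return True
        elif v == user:
            return True
    return False


def host_matches(role, resolver, host):
    """sudoHost: ALL, '+netgroup' (lookup) or a literal host name."""
    for v in role["sudoHost"]:
        if v == "ALL" or (v.startswith("+") and resolver.host_in(v[1:], host)) or v == host:
            return True
    return False


def evaluate(roles, user, host, runas, cmd, command_first):
    """Return (cn of first matching role or None, netgroup lookups spent)."""
    resolver = NetgroupResolver(NETGROUPS)
    for role in roles:
        # Proposed order: cheap string checks first, netgroup lookups last.
        checks = [
            lambda: match_list(role["sudoCommand"], cmd),
            lambda: match_list(role["sudoRunAsUser"], runas),
            lambda: host_matches(role, resolver, host),
            lambda: user_matches(role, resolver, user),
        ]
        if not command_first:
            checks.reverse()  # naive order: user, host, runas, command
        if all(check() for check in checks):
            return role["cn"], resolver.lookups
    return None, resolver.lookups


def decisions_agree():
    """Both orders must grant or deny identically for every input combination."""
    users = ["alice", "bob", "carol", "dave"]
    hosts = ["www1", "db1", "other"]
    runas_users = ["root", "postgres"]
    cmds = ["/usr/bin/psql", "/usr/sbin/service httpd restart", "/bin/bash"]
    for user, host, runas, cmd in itertools.product(users, hosts, runas_users, cmds):
        naive = evaluate(SUDO_ROLES, user, host, runas, cmd, command_first=False)[0]
        proposed = evaluate(SUDO_ROLES, user, host, runas, cmd, command_first=True)[0]
        if naive != proposed:
            return False
    return True


if __name__ == "__main__":
    # A denied command: the naive order pays for netgroup lookups on every role.
    for first in (False, True):
        cn, n = evaluate(SUDO_ROLES, "carol", "db1", "root", "/bin/bash", command_first=first)
        print("command_first=%s -> %r, %d netgroup lookups" % (first, cn, n))
    print("decisions agree:", decisions_agree())
```

The `decisions_agree` check is the one that matters for the proposal: because every role is a conjunction of independent predicates, the order in which the predicates are evaluated cannot change the outcome, only the cost, so reordering is safe under these (simplified) semantics. Anything in real sudo that is not a pure conjunction, such as negated entries or ordering rules, would need the same check before the change.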