[sudo-users] Re: [sudo-workers] Schema for SunONE Directory Server

[Aaron Spangler]

I'm glad the schema works.  It has been incorporated in the latest build.

I'll try to address your next issue.

It looks like to me that /progs/bin/id is allowed by the rules you have 
coded.
Keep in mind that sudo first checks ldap and then if it does not find an 
allowed role, it checks /etc/sudoers.  I suspect it is the %admins 
ALL=ALL in /etc/sudoers that is allowing the match.  Please see the 
marks in *bold* below.

You can also turn on LDAP tracing by placing "sudoers_debug 2" in 
/etc/ldap.conf and try rerunning the commands.  It will tell you if it 
finds a match.

Please let me know if this helps or if I can help more.

 -Aaron

janth at moldung.no wrote:

>...But there is another issue I just discovered:
>It seems that sudo_v1.6.8rc2 does not expand the command to full path before cheching against allowed command list.
>  
>

>et2441 at otsu /progs/stow 1:531$ uname -a
>SunOS otsu 5.8 Generic_117350-04 sun4u sparc SUNW,UltraAX-i2 Solaris
>et2441 at otsu /progs/stow 1:532$ sudo -V
>Sudo version 1.6.8rc2
>et2441 at otsu /progs/stow 1:533$ sudo -l
>User et2441 may run the following commands on this host:
>    *(root) ALL*
>
>LDAP Role: sysadmin
>  RunAs: (ALL)
>  Commands:
>    ALL
>    !/sbin/sh
>    !/progs/bin/id
>    NOEXEC: /usr/bin/more
>et2441 at otsu /progs/stow 1:534$ type --path id
>/progs/bin/id
>et2441 at otsu /progs/stow 1:535$ sudo id
>uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon),14(sysadmin)
>  
>
>sudoers file for sudo_v1.6.8rc2:
>*%admins ALL=ALL*
>
>ldif for sudo_v1.6.8rc2:
>cn=sysadmin,ou=Sudoers,dc=sandsli,dc=dnb,dc=no
>objectClass=top
>objectClass=sudorole
>sudoUser=%admins
>sudoHost=ALL
>sudoCommand=ALL
>sudoCommand=!/sbin/sh
>sudoCommand=!/progs/bin/id
>sudoCommand=NOEXEC: /usr/bin/more
>description=NOT ASCII
>sudoRunAs=ALL
>cn=sysadmin
>
>sudoers file for sudo_v1.6.7p5:
>et2441  ALL=ALL,!/progs/bin/id
>
>  
>