[sudo-users] Re: [sudo-workers] Schema for SunONE Directory Server
Aaron Spangler
as at insight.rr.com
Mon Aug 9 23:09:46 EDT 2004
I'm glad the schema works. It has been incorporated in the latest build.
I'll try to address your next issue.
It looks to me like /progs/bin/id is allowed by the rules you have
coded.
Keep in mind that sudo first checks ldap and then if it does not find an
allowed role, it checks /etc/sudoers. I suspect it is the %admins
ALL=ALL in /etc/sudoers that is allowing the match. Please see the
marks in *bold* below.
You can also turn on LDAP tracing by placing "sudoers_debug 2" in
/etc/ldap.conf and try rerunning the commands. It will tell you if it
finds a match.
Please let me know if this helps or if I can help more.
-Aaron
janth at moldung.no wrote:
>...But there is another issue I just discovered:
>It seems that sudo_v1.6.8rc2 does not expand the command to full path before checking against allowed command list.
>
>
>et2441 at otsu /progs/stow 1:531$ uname -a
>SunOS otsu 5.8 Generic_117350-04 sun4u sparc SUNW,UltraAX-i2 Solaris
>et2441 at otsu /progs/stow 1:532$ sudo -V
>Sudo version 1.6.8rc2
>et2441 at otsu /progs/stow 1:533$ sudo -l
>User et2441 may run the following commands on this host:
> *(root) ALL*
>
>LDAP Role: sysadmin
> RunAs: (ALL)
> Commands:
> ALL
> !/sbin/sh
> !/progs/bin/id
> NOEXEC: /usr/bin/more
>et2441 at otsu /progs/stow 1:534$ type --path id
>/progs/bin/id
>et2441 at otsu /progs/stow 1:535$ sudo id
>uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon),14(sysadmin)
>
>
>sudoers file for sudo_v1.6.8rc2:
>*%admins ALL=ALL*
>
>ldif for sudo_v1.6.8rc2:
>cn=sysadmin,ou=Sudoers,dc=sandsli,dc=dnb,dc=no
>objectClass=top
>objectClass=sudorole
>sudoUser=%admins
>sudoHost=ALL
>sudoCommand=ALL
>sudoCommand=!/sbin/sh
>sudoCommand=!/progs/bin/id
>sudoCommand=NOEXEC: /usr/bin/more
>description=NOT ASCII
>sudoRunAs=ALL
>cn=sysadmin
>
>sudoers file for sudo_v1.6.7p5:
>et2441 ALL=ALL,!/progs/bin/id
>
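To make the lookup order Aaron describes concrete, here is a small Python model, added to this archive page and not part of sudo's own code, of the two-tier check: the LDAP sudoRole is consulted first, and only when it yields no allowing match does the lookup fall through to /etc/sudoers. The role listing, the two sudoers lines and the PATH layout are constructed from the listings quoted above; the matching rules are an assumption and a simplification (exact path match, last matching entry within a rule decides, first rule that allows wins, tags such as NOEXEC: are dropped). Running it shows why `sudo id` succeeded with the 1.6.8rc2 sudoers file and why it would be refused with the 1.6.7p5 one.

```python
"""Model of sudo's LDAP-then-sudoers lookup (added example, not sudo's code)."""
from dataclasses import dataclass


@dataclass
class CommandSpec:
    path: str        # "ALL" or an absolute path
    negated: bool    # True for entries written as !/path


@dataclass
class Rule:
    users: list      # user names or "%group" entries
    hosts: list
    commands: list   # CommandSpec objects, in the order written


def parse_command_spec(text):
    """'NOEXEC: /usr/bin/more' or '!/sbin/sh' -> CommandSpec (tags dropped)."""
    text = text.strip()
    negated = text.startswith("!")
    if negated:
        text = text[1:].strip()
    if ":" in text:                      # tag prefix such as NOEXEC:
        text = text.split(":", 1)[1].strip()
    return CommandSpec(text, negated)


def parse_ldap_role(listing):
    """Parse the attr=value listing quoted in the thread (first line is the DN).
    Assumption: this is the display format above, not RFC 2849 'attr: value' LDIF."""
    users, hosts, commands = [], [], []
    for line in listing.strip().splitlines()[1:]:
        attr, _, value = line.partition("=")
        if attr == "sudoUser":
            users.append(value)
        elif attr == "sudoHost":
            hosts.append(value)
        elif attr == "sudoCommand":
            commands.append(parse_command_spec(value))
    return Rule(users, hosts, commands)


def parse_sudoers(text):
    """Parse simplified 'user host=cmd,cmd,...' lines (no runas, no aliases)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user, _, rest = line.partition(" ")
        host, _, cmds = rest.strip().partition("=")
        rules.append(Rule([user], [host.strip()],
                          [parse_command_spec(c) for c in cmds.split(",")]))
    return rules


def user_matches(rule, user, groups):
    return any(u == "ALL" or u == user or (u.startswith("%") and u[1:] in groups)
               for u in rule.users)


def host_matches(rule, host):
    return any(h == "ALL" or h == host for h in rule.hosts)


def command_decision(rule, command):
    """Walk the command list in order; the last matching entry decides.
    True = allowed, False = explicitly denied, None = nothing matched."""
    decision = None
    for spec in rule.commands:
        if spec.path == "ALL" or spec.path == command:
            decision = not spec.negated
    return decision


def resolve_command(name, path_dirs, filesystem):
    """Mimic the PATH search: absolute names are used as is, otherwise the
    first PATH directory that contains the name wins."""
    if name.startswith("/"):
        return name
    for d in path_dirs:
        if f"{d}/{name}" in filesystem:
            return f"{d}/{name}"
    return None


def check(user, groups, host, name, ldap_roles, sudoers_rules, path_dirs, filesystem):
    """Return (source, allowed): LDAP roles first, sudoers only as a fallback."""
    command = resolve_command(name, path_dirs, filesystem)
    if command is None:
        return (None, False)
    for source, rules in (("ldap", ldap_roles), ("sudoers", sudoers_rules)):
        for rule in rules:
            if (user_matches(rule, user, groups) and host_matches(rule, host)
                    and command_decision(rule, command) is True):
                return (source, True)
    return (None, False)


# Constructed inputs, copied from the listings quoted in the thread.
LDAP_ROLE_LISTING = """\
cn=sysadmin,ou=Sudoers,dc=sandsli,dc=dnb,dc=no
objectClass=top
objectClass=sudorole
sudoUser=%admins
sudoHost=ALL
sudoCommand=ALL
sudoCommand=!/sbin/sh
sudoCommand=!/progs/bin/id
sudoCommand=NOEXEC: /usr/bin/more
sudoRunAs=ALL
cn=sysadmin
"""
SUDOERS_168 = "%admins ALL=ALL\n"                 # the 1.6.8rc2 sudoers file
SUDOERS_167 = "et2441 ALL=ALL,!/progs/bin/id\n"   # the 1.6.7p5 sudoers file
PATH_DIRS = ["/progs/bin", "/usr/bin"]            # assumed PATH order on otsu
FILESYSTEM = {"/progs/bin/id", "/usr/bin/id", "/usr/bin/more", "/sbin/sh"}


def explain(sudoers_text, name):
    """Run the check as et2441 (member of admins) on host otsu."""
    return check("et2441", {"admins"}, "otsu", name,
                 [parse_ldap_role(LDAP_ROLE_LISTING)], parse_sudoers(sudoers_text),
                 PATH_DIRS, FILESYSTEM)


if __name__ == "__main__":
    for name in ("id", "more", "/sbin/sh"):
        print(f"1.6.8rc2 sudoers, sudo {name}:", explain(SUDOERS_168, name))
        print(f"1.6.7p5  sudoers, sudo {name}:", explain(SUDOERS_167, name))
```

With the 1.6.8rc2 file, `id` resolves to /progs/bin/id, the LDAP role's `!/progs/bin/id` entry denies it, and the lookup falls through to `%admins ALL=ALL`, which allows it; that is the match Aaron points at. With the 1.6.7p5 line the same negation is present in sudoers itself, so nothing allows the command. The same fallback is what "sudoers_debug 2" would let you observe on a real system.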