[sudo-users] Re: sudo ldap
Aaron Spangler
as at insight.rr.com
Sun Jul 4 20:11:56 EDT 2004
Chris, Galen, Howard and others,
Please discard the last patch. It had an off-by-one bug and the debugging
lines did not show the correct information. Included is a new patch. This
patch has also been committed to CVS for those who use cvs.
Those of you who don't receive this new attachment, let me know and I will directly
send it to you.
- Aaron
On Wednesday 30 June 2004 11:09 pm, Aaron Spangler wrote:
> Chris, Galen, Howard and others,
>
> Attached is a Sudo patch to try. Please let me know if it works for you.
> If it does what you want, I will go ahead and commit it into CVS.
>
> This patch is the "Allow all commands except ..." code for LDAP on sudo.
> The functionality is mostly similar to /etc/sudoers but with one small
> difference.
>
> Discussion Below....
>
> For example in /etc/sudoers
> "root (ALL)=ALL, !/bin/sh" means anything except /bin/sh
> but
> "root (ALL)=!/bin/sh,ALL" means match any command because ALL is last
>
> According to the LDAP RFC, attributes are not guaranteed to be returned in
> any specific order. Therefore the sudo-ldap code has made allowances for
> "All but /bin/sh" to be specified as:
>
> ...
> sudoCommand: ALL
> sudoCommand: !/bin/sh
>
> and equivalently:
>
> ...
> sudoCommand: !/bin/sh
> sudoCommand: ALL
>
> Originally the code only looked for ALLOW matches and ignored DENY
> matches. (meaning that !/bin/sh prevented nothing)
>
> The new LDAP code will allow DENY (!) matches to take precedence over ALLOW
> matches regardless of order.
>
> Clear as Mud? Let me know if this doesn't make sense.
>
> Please test it and let me know your results and I will put it into CVS.
>
> -Aaron
>
> On Wednesday 30 June 2004 06:33 am, Chris wrote:
> > Hi Aaron,
> >
> > Me again. Sorry for not responding to your previous email, however
> > there wasn't really a problem as such .... however, I found a bit of a
> > problem which I thought you might be able to comment on.
> >
> > It seems from my usage thus far, that sudo-ldap doesn't take into
> > account 'negated' commands when determining if a user can perform the
> > requested command.
> >
> >
> > e.g. if a user has a role which allows them full access to ANY /bin/
> > command....
> > /bin/*
> >
> > but the role doesn't want them to be able to run /bin/shutdown (for
> > example)
> > !/bin/shutdown
> >
> > the sudoldap binary determines that the user _can_ perform /bin/shutdown
> > because it finds the /bin/* match above and does not take into account
> > the negated /bin/shutdown.
> >
> >
> > I'm pretty sure that the normal sudo binary allows the example above...
> > any ideas Aaron?
> >
> > any help/thoughts would be appreciated.
> >
> > again, love your work :)
> >
> >
> > Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch2
Type: text/x-diff
Size: 2647 bytes
Desc: not available
URL: </pipermail/sudo-users/attachments/20040704/cde28438/attachment.bin>
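The following is an added example and is not code from sudo, sudo-ldap or the patch discussed above. It models the three matching policies the thread contrasts: the last-match rule of /etc/sudoers (so "ALL, !/bin/sh" denies /bin/sh but "!/bin/sh, ALL" allows it), the original sudo-ldap behaviour that only looked at ALLOW entries and ignored "!" entries, and the new sudo-ldap behaviour where a matching DENY entry wins no matter what order the directory returns the sudoCommand values in. The entry syntax (ALL, an absolute path, or a glob such as /bin/*, with a leading "!" for negation) and the use of fnmatch for globs are assumptions made for the illustration, not a description of sudo's real matcher; the sample role entries are constructed from Chris's and Aaron's examples.

```python
"""
Toy model of three sudoCommand matching policies (added example, not sudo's
own code). Entry syntax assumed here: "ALL", an absolute path, or a shell
glob like "/bin/*"; a leading "!" negates the entry. Globs are matched with
fnmatch as an assumption about the illustration only.
"""
from fnmatch import fnmatchcase
from itertools import permutations


def _split(entry):
    """Separate the '!' negation prefix from the command pattern."""
    if entry.startswith("!"):
        return True, entry[1:]
    return False, entry


def _pattern_matches(pattern, command):
    """True if one (un-negated) pattern covers the requested command."""
    if pattern == "ALL":
        return True
    return fnmatchcase(command, pattern)


def sudoers_last_match(entries, command):
    """/etc/sudoers semantics from the thread: the last matching entry wins,
    so "ALL, !/bin/sh" denies /bin/sh while "!/bin/sh, ALL" allows it.
    No matching entry at all means deny."""
    allowed = False
    for entry in entries:
        negated, pattern = _split(entry)
        if _pattern_matches(pattern, command):
            allowed = not negated
    return allowed


def ldap_allow_only(entries, command):
    """The original sudo-ldap behaviour Chris hit: only ALLOW entries are
    consulted, so a "!" entry prevents nothing."""
    return any(
        _pattern_matches(pattern, command)
        for negated, pattern in map(_split, entries)
        if not negated
    )


def ldap_deny_wins(entries, command):
    """The patched sudo-ldap behaviour: any matching DENY ("!") entry takes
    precedence over any matching ALLOW entry, regardless of attribute order."""
    allowed = False
    for entry in entries:
        negated, pattern = _split(entry)
        if _pattern_matches(pattern, command):
            if negated:
                return False
            allowed = True
    return allowed


def order_independent(policy, entries, command):
    """True if the policy gives one answer for every ordering of the entries.
    The LDAP RFC does not guarantee attribute order, so this is the property
    an LDAP-backed policy needs and the sudoers last-match rule lacks."""
    results = {policy(list(p), command) for p in permutations(entries)}
    return len(results) == 1


# Constructed sample roles taken from the examples in the thread.
ROOT_ALL_BUT_SH = ["ALL", "!/bin/sh"]
SH_THEN_ALL = ["!/bin/sh", "ALL"]
CHRIS_ROLE = ["/bin/*", "!/bin/shutdown"]

if __name__ == "__main__":
    for name, policy in [("sudoers", sudoers_last_match),
                         ("ldap-old", ldap_allow_only),
                         ("ldap-new", ldap_deny_wins)]:
        print(name,
              "ALL,!/bin/sh -> /bin/sh:", policy(ROOT_ALL_BUT_SH, "/bin/sh"),
              "| !/bin/sh,ALL -> /bin/sh:", policy(SH_THEN_ALL, "/bin/sh"),
              "| /bin/*,!/bin/shutdown -> /bin/shutdown:",
              policy(CHRIS_ROLE, "/bin/shutdown"),
              "| order-independent:",
              order_independent(policy, ROOT_ALL_BUT_SH, "/bin/sh"))
```

Running the block shows the difference in one table: under the sudoers rule the two root entries disagree on /bin/sh because order decides; the old LDAP rule lets /bin/shutdown through on Chris's role; the new rule denies it in every permutation of the attribute values.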