[sudo-users] Re: sudo ldap
Aaron Spangler
as at insight.rr.com
Wed Jun 30 23:09:45 EDT 2004
Chris, Galen, Howard and others,
Attached is a Sudo patch to try. Please let me know if it works for you. If
it does what you want, I will go ahead and commit it into CVS.
This patch is the "Allow all commands except ..." code for LDAP on sudo.
The functionality is mostly similar to /etc/sudoers but with one small
difference.
Discussion Below....
For example in /etc/sudoers
"root (ALL)=ALL, !/bin/sh" means anything except /bin/sh
but
"root (ALL)=!/bin/sh,ALL" means match any command because ALL is last
According to the LDAP RFC, attributes are not guaranteed to be returned in any
specific order. Therefore the sudo-ldap code has made allowances for "All
but /bin/sh" to be specified as:
...
sudoCommand: ALL
sudoCommand: !/bin/sh
and equivalently:
...
sudoCommand: !/bin/sh
sudoCommand: ALL
Originally the code only looked for ALLOW matches and ignored DENY matches.
(meaning that !/bin/sh prevented nothing)
The new LDAP code will allow DENY (!) matches to take precedence over ALLOW
matches regardless of order.
Clear as Mud? Let me know if this doesn't make sense.
Please test it and let me know your results and I will put it into CVS.
-Aaron
On Wednesday 30 June 2004 06:33 am, Chris wrote:
> Hi Aaron,
>
> Me again. Sorry for not responding to your previous email, however
> there wasn't really a problem as such .... however, I found a bit of a
> problem which I thought you might be able to comment on.
>
> It seems from my usage thus far, that sudo-ldap doesn't take into
> account 'negated' commands when determining if a user can perform the
> requested command.
>
>
> e.g. if a user has a role which allows them full access to ANY /bin/
> command....
> /bin/*
>
> but the role doesn't want them to be able to run /bin/shutdown (for
> example)
> !/bin/shutdown
>
> the sudoldap binary determines that the user _can_ perform /bin/shutdown
> because it finds the /bin/* match above and does not take into account
> the negated /bin/shutdown.
>
>
> I'm pretty sure that the normal sudo binary allows the example above...
> any ideas Aaron?
>
> any help/thoughts would be appreciated.
>
> again, love your work :)
>
>
> Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo_ldap_exclude_command.patch
Type: text/x-diff
Size: 2276 bytes
Desc: not available
URL: </pipermail/sudo-users/attachments/20040630/670510cf/attachment.bin>
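Added illustration, not part of Aaron's patch or of the sudo code base: a small Python evaluator showing the three behaviours discussed in this thread, ordered last-match-wins for /etc/sudoers, the pre-patch sudo-ldap code that ignored negated entries (Chris's /bin/* vs !/bin/shutdown case), and the patched order-independent DENY-wins rule. The command lists are constructed from the examples in the mail, and the glob matching is a simplification of sudo's own.

```python
import fnmatch


def _cmd_matches(pattern, command):
    """A command spec matches if it is ALL or its glob matches the path.
    (Simplified: sudo's real matching also handles args, directories, etc.)"""
    return pattern == "ALL" or fnmatch.fnmatchcase(command, pattern)


def _split(spec):
    """Return (negated, pattern) for a spec such as '!/bin/sh'."""
    negated = spec.startswith("!")
    return negated, (spec[1:] if negated else spec)


def sudoers_allows(cmd_specs, command):
    """/etc/sudoers semantics: entries are evaluated in order and the last
    matching entry wins, so 'ALL, !/bin/sh' denies /bin/sh while
    '!/bin/sh, ALL' allows it (ALL is last)."""
    decision = False
    for spec in cmd_specs:
        negated, pattern = _split(spec)
        if _cmd_matches(pattern, command):
            decision = not negated
    return decision


def ldap_allows_old(sudo_commands, command):
    """Pre-patch sudo-ldap behaviour as described in the thread: only ALLOW
    values are considered, so a negated sudoCommand prevents nothing."""
    return any(not neg and _cmd_matches(pat, command)
               for neg, pat in map(_split, sudo_commands))


def ldap_allows(sudo_commands, command):
    """Patched sudo-ldap semantics: sudoCommand values arrive from the
    directory in no guaranteed order, so any matching DENY (!) value wins
    over any matching ALLOW value, wherever it appears in the list."""
    allowed = False
    for value in sudo_commands:
        negated, pattern = _split(value)
        if not _cmd_matches(pattern, command):
            continue
        if negated:
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    for specs in (["ALL", "!/bin/sh"], ["!/bin/sh", "ALL"]):
        print(specs, "sudoers:", sudoers_allows(specs, "/bin/sh"),
              "ldap:", ldap_allows(specs, "/bin/sh"))
    # Constructed from Chris's report: /bin/* plus !/bin/shutdown
    role = ["/bin/*", "!/bin/shutdown"]
    print("old ldap:", ldap_allows_old(role, "/bin/shutdown"),
          "patched ldap:", ldap_allows(role, "/bin/shutdown"))
```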