[sudo-users] Re: sudo ldap

Aaron Spangler as at insight.rr.com
Wed Jun 30 23:09:45 EDT 2004


Chris, Galen, Howard and others,

Attached is a Sudo patch to try.  Please let me know if it works for you.  If 
it does what you want, I will go ahead and commit it into CVS.

This patch is the "Allow all commands except ..." code for LDAP on sudo.
The functionality is mostly similar to /etc/sudoers but with one small 
difference.

Discussion Below....

For example in /etc/sudoers
"root (ALL)=ALL, !/bin/sh" means anything except /bin/sh
but
"root (ALL)=!/bin/sh,ALL" means match any command because ALL is last

According to the LDAP RFC, attributes are not guaranteed to be returned in any 
specific order.  Therefor the sudo-ldap code has made allowances for "All 
but /bin/sh" to be specified as:

	...
	sudoCommand: ALL
	sudoCommand: !/bin/sh

and equivilently:

	...
	sudoCommand: !/bin/sh
	sudoCommand: ALL

Originally the code only looked for ALLOW matches and ignorred DENY matches.  
(meaning that !/bin/sh prevented nothing)

The new LDAP code will allow DENY (!) matches to take precedence of ALLOW 
matches regardless of order.

Clear as Mud?  Let me know if this doesn't make sense.

Please test it and let me know your results and I will put it into CVS.
 
 -Aaron

On Wednesday 30 June 2004 06:33 am, Chris wrote:
> Hi Aaron,
>
> 	Me again. Sorry for not responding to your previous email, however
> there wasn't really a problem as such .... however, I found a bit of a
> problem which I thought you might be able to comment on.
>
> It seems from my usage thus far, that sudo-ldap doesn't take into
> account 'negated' commands when determining if a user can perform the
> requested command.
>
>
> e.g. if a user has a role which allows them full access to ANY /bin/
> command....
> /bin/*
>
> but the role doesn't want them to be able to run /bin/shutdown (for
> example)
> !/bin/shutdown
>
> the sudoldap binary determines that the user _can_ perform /bin/shutdown
> because it finds the /bin/* match above and does not take into account
> the negated /bin/shutdown.
>
>
> Im pretty sure that the normal sudo binary allows the example above...
> any ideas Aaron?
>
> any help/thoughts would be appreciated.
>
> again, love your work :)
>
>
> Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo_ldap_exclude_command.patch
Type: text/x-diff
Size: 2276 bytes
Desc: not available
URL: </pipermail/sudo-users/attachments/20040630/670510cf/attachment.bin>


More information about the sudo-users mailing list