[sudo-users] SudoRunAs doesn't appear to handle groups or netgroups?

Steve Kirkpatrick skirkpatrick at ghx.com
Tue Nov 9 13:22:48 EST 2004

> Hello,
> According to the sudoers man page, I should be able to use group (i.e. %groupname) and netgroup (i.e. +netgroupname) entries in the Runas_List.  In fact, when I have sudoers stored in a text file, this syntax works fine.
> In my case, I have sudoers stored in LDAP so I think that means I should be able to use %groupname and +netgroupname entries in the sudoRunAs attribute.  This does not appear to work.  It looks like a simple comparison is being done so that only listing actual usernames in sudoRunAs would work.
> Here is an example:
> Note: passwd, group and sudoers are stored in LDAP.
> Here is the sudoers entry I am trying to match:
> dn: cn=qa_role1,ou=SUDOers,dc=test,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: qa_role1
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAs: %apps
> sudoRunAs: %mqm
> sudoUser: %qa
> Here are the user's group memberships:
> srvjump% id -a
> uid=8378(tuser) gid=10(staff) groups=10(staff),7000(qa)
> srvjump% id -a apache
> uid=5000(apache) gid=5000(apps) groups=5000(apps)
> Now I try a command that SHOULD work:
> srvjump% /usr/local/bin/sudo -u apache ls /tmp
> LDAP Config Summary
> ===================
> uri          ldap://ldap.test.com/
> ldap_version 3
> sudoers_base ou=SUDOers,dc=test,dc=com
> binddn       (anonymous)
> bindpw       (anonymous)
> ssl          (no)
> ===================
> ldap_initialize(ld,ldap://ldap.test.com/)
> ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,0x03)
> ldap_bind() ok
> found:cn=defaults,ou=SUDOers,dc=test,dc=com
> ldap sudoOption: 'env_reset'
> ldap search '(|(sudoUser=tuser)(sudoUser=%staff)(sudoUser=%staff)(sudoUser=%qa)(sudoUser=ALL))'
> found:cn=qa_role1,ou=SUDOers,dc=test,dc=com
> ldap sudoHost 'ALL' ... MATCH!
> ldap sudoCommand 'ALL' ... MATCH!
> ldap sudoRunAs '%apps' ... not
> ldap sudoRunAs '%mqm' ... not
> ldap search 'sudoUser=+*'
> user_matches=-1
> host_matches=-1
> sudo_ldap_check(0)=0x04
> Password:
> tuser is not in the sudoers file.  This incident will be reported.
> apache is a member of the apps group, so this should work, right?  It does work when I have sudoers in a text file.  Is this just a limitation of the LDAP extensions to sudo?  Should I only put actual usernames in sudoRunAs?
> Thanks for any help/insight.
> Steve.
Software info:
Solaris 8
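The matching the post asks about, as an added example that is not part of the original message and not sudo's own code: a small Python model of Runas_List matching, with a plain string comparison (which is what the `... not` lines in the debug output suggest the LDAP path did for the `%apps` and `%mqm` entries) beside the group- and netgroup-aware matching that sudoers(5) describes for `%group` and `+netgroup`. The passwd and group tables are constructed from the `id -a` output in the post; the netgroup table and the names `user_groups`, `runas_literal_match`, `runas_match` and `check_runas` are assumptions made for this illustration.

```python
# Added example (not from the sudo project or the original post): a model of
# how a Runas_List entry is compared against the target (-u) user.  Constructed
# passwd and group tables stand in for the LDAP-backed NSS databases from the
# post; the netgroup table is an assumption used only to show the +netgroup form.

# Constructed data mirroring the `id -a` output in the post.
PASSWD = {
    "tuser":  {"uid": 8378, "gid": 10},
    "apache": {"uid": 5000, "gid": 5000},
}
GROUPS = {
    "staff": {"gid": 10,   "members": set()},
    "qa":    {"gid": 7000, "members": {"tuser"}},
    "apps":  {"gid": 5000, "members": set()},   # apache's primary group only
    "mqm":   {"gid": 5001, "members": set()},
}
# Constructed netgroup table (assumption; the post defines no netgroups).
NETGROUPS = {
    "appusers": {"apache"},
}


def user_groups(user):
    """All groups of a user: the primary group from passwd plus supplementary
    memberships listed in group, i.e. what `id -a` prints."""
    names = set()
    pw = PASSWD.get(user)
    if pw is None:
        return names
    for gname, g in GROUPS.items():
        if g["gid"] == pw["gid"] or user in g["members"]:
            names.add(gname)
    return names


def runas_literal_match(entry, target):
    """The behaviour the debug output in the post suggests: each sudoRunAs value
    is compared as a plain string against the -u user, with ALL as a wildcard."""
    return entry == "ALL" or entry == target


def runas_match(entry, target):
    """Runas_List semantics per sudoers(5): ALL, a user name, %group (target is a
    member of the group) or +netgroup (target is listed in the netgroup)."""
    if entry == "ALL":
        return True
    if entry.startswith("%"):
        return entry[1:] in user_groups(target)
    if entry.startswith("+"):
        return target in NETGROUPS.get(entry[1:], set())
    return entry == target


def check_runas(entries, target, matcher=runas_match):
    """Return the first entry that permits running as `target`, or None."""
    for entry in entries:
        if matcher(entry, target):
            return entry
    return None


if __name__ == "__main__":
    role = ["%apps", "%mqm"]   # the sudoRunAs values of cn=qa_role1 in the post
    # Literal comparison never matches a %group entry, so `-u apache` is refused.
    print("literal:    ", check_runas(role, "apache", runas_literal_match))
    # Group-aware matching resolves apache's primary group and accepts %apps.
    print("group-aware:", check_runas(role, "apache"))
```

Running the block shows the two outcomes side by side: the literal matcher returns `None` for apache (the "not" in the debug output), while the group-aware matcher returns `%apps`. When auditing an LDAP-backed sudoers, the useful check is the second one: enumerate each sudoRunAs value, and for every `%group` or `+netgroup` entry confirm which accounts it would actually expand to on the hosts in sudoHost, since a backend that only compares literal names silently grants nothing for those entries while a group-aware one may grant more than intended.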
