[sudo-users] Time Zone Issue - "sudo sudosh" on AIX

Name Withdrawn Name Withdrawn
Wed Oct 5 15:16:46 EDT 2005

Does anyone know about the following issue? Please advise. Thank you.

When a user accesses root level with the "$ sudo sudosh" command and checks the
date, it shows the time in the server's UTC time zone, "Wed Oct  5 19:15:10
UTC 2005", instead of "Wed Oct  5 15:15:08 EDT 2005".
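The symptom above is what you see when the root shell that sudosh starts does not inherit the caller's TZ. With env_reset in effect, sudo rebuilds the environment from a short fixed list of variables plus whatever the env_keep option names; if TZ is not kept, libc in the new shell falls back to the system default zone, which on the server in the post is UTC. The Python below is an added example, not code from the post or from the sudo project. It renders the instant quoted in the post under the caller's zone and under UTC using the real libc tzset() path (Unix only), and pairs that with a deliberately simplified model of the env_reset whitelist; the base variable list, the POSIX TZ strings and the "server default is UTC" assumption are all assumptions made for the example, not a statement of what any particular sudo build does.

```python
import os
import time

# Constructed for this example: the instant quoted in the post,
# Wed Oct  5 19:15:10 UTC 2005, as a Unix timestamp.
EPOCH = 1128539710

# POSIX TZ strings so the example does not depend on a zoneinfo database.
# US DST rules in 2005 ran from the first Sunday of April to the last Sunday
# of October, so 5 October is inside DST (EDT, UTC-4).
TZ_EASTERN = "EST5EDT,M4.1.0,M10.5.0"
TZ_UTC = "UTC0"

# Assumption: the variables sudo's env_reset passes through unconditionally.
# The real list is build- and version-dependent; check sudoers(5) on your box.
SUDO_BASE_ENV = ("TERM", "PATH", "HOME", "SHELL", "LOGNAME", "USER", "USERNAME")


def format_under_tz(epoch, tz):
    """Render `epoch` the way date(1) prints it under the given TZ value."""
    saved = os.environ.get("TZ")
    try:
        os.environ["TZ"] = tz
        time.tzset()  # make libc re-read TZ (Unix only)
        return time.strftime("%a %b %d %H:%M:%S %Z %Y", time.localtime(epoch))
    finally:
        # Restore the process environment so the caller is unaffected.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def reset_env(caller_env, env_keep=()):
    """Simplified model of sudo's env_reset: keep only the base variables and
    anything listed in env_keep; everything else from the caller is dropped."""
    allowed = set(SUDO_BASE_ENV) | set(env_keep)
    return {k: v for k, v in caller_env.items() if k in allowed}


def date_as_seen_by_root(epoch, caller_env, env_keep=(), server_default=TZ_UTC):
    """What `date` prints inside the root shell sudosh spawns: the caller's TZ if
    sudo let it through, otherwise the server's default zone (assumed UTC here,
    matching the server in the post)."""
    env = reset_env(caller_env, env_keep)
    return format_under_tz(epoch, env.get("TZ", server_default))


if __name__ == "__main__":
    # Constructed caller environment: an ops user on the US east coast.
    caller = {"TZ": TZ_EASTERN, "PATH": "/usr/bin:/bin", "HOME": "/home/ops"}
    print("caller's own shell :", format_under_tz(EPOCH, caller["TZ"]))
    print("env_reset, no keep :", date_as_seen_by_root(EPOCH, caller))
    print("env_keep += TZ     :", date_as_seen_by_root(EPOCH, caller, env_keep=("TZ",)))
```

The two remedies the model points at are `Defaults env_keep += "TZ"` in sudoers, so the caller's zone survives into the root shell, or setting TZ in root's own profile (or, on AIX, in /etc/environment) so the root shell has a sensible zone regardless of who invoked it; `sudo -V` run as root prints the environment-handling settings actually in force. Keeping TZ is a small trust decision rather than a free one: on libc implementations that accept a file path in TZ, the target user opens whatever the caller named, which is why later sudo releases (1.8.12 onward) sanity-check a TZ value before passing it through.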



-----Original Message-----
From: sudo-users-bounces at courtesan.com
[mailto:sudo-users-bounces at courtesan.com] On Behalf Of
sudo-users-request at courtesan.com
Sent: Wednesday, October 05, 2005 2:00 PM
To: sudo-users at sudo.ws
Subject: sudo-users Digest, Vol 34, Issue 1


Today's Topics:

   1. Less security with sudo+ldap? (Glenn Pitcher)


Message: 1
Date: Wed, 5 Oct 2005 09:46:59 -0700
From: "Glenn Pitcher" <Glenn.Pitcher at MedImpact.com>
Subject: [sudo-users] Less security with sudo+ldap?
To: "'sudo-users at sudo.ws'" <sudo-users at sudo.ws>
Message-ID: <1830E3E7BB613147A6379B2F61B9EA891F9BA519 at mail.medimpact.com>
Content-Type: text/plain

I'm having some problems trying to figure out how to get the same level of
security with sudo+ldap that we currently enjoy by using a local sudoers
Take for instance the following example:
%ldapgroup ALL=(nobody) NOPASSWD:ALL
%ldapgroup ALL=(webservd) NOPASSWD:ALL
%ldapgroup ALL=(root) NOPASSWD:/usr/local/etc/script1.sh,
If I put this into LDAP, you get:
dn: cn=%ldapgroup,dc=sudoers,dc=domain,dc=com
objectClass: top
objectClass: sudoRole
cn: %ldapgroup
sudoUser: %ldapgroup
sudoRunAs: nobody
sudoRunAs: webservd
sudoRunAs: root
sudoCommand: ALL
sudoCommand: /usr/local/etc/script1.sh
sudoCommand: /usr/local/etc/script2.sh
sudoHost: ALL
sudoOption: !authenticate
Now, if a user does a 'sudo -l', they'll get back:
User <username> may run the following commands on this host:
    (nobody) NOPASSWD: ALL
    (webservd) NOPASSWD: ALL
    (root) NOPASSWD: /usr/local/etc/script1.sh
    (root) NOPASSWD: /usr/local/etc/script2.sh

LDAP Role: %ldapgroup
  RunAs: (nobody, webservd, root)
As you can see, the LDAP solution provides for less security than what was
specified in the local sudoers file.  For example, in the local sudoers
file, the user could only run 2 scripts as root.  With LDAP, they can do
anything as root.  Is there any way of tightening this down further?
Glenn Pitcher
IT Security
MedImpact Healthcare Systems
San Diego, CA
glenn.pitcher @ medimpact.com

This transmission, together with any attachments, is intended only for the
use of those to whom it is addressed and may contain information that is
privileged, confidential, and exempt from disclosure under applicable law.
If you are not the intended recipient, you are hereby notified that any
distribution or copying of this transmission is strictly prohibited.  If you
received this transmission in error, please notify the original sender
immediately and delete this message, along with any attachments, from your


End of sudo-users Digest, Vol 34, Issue 1
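The flattening Glenn describes is inherent to the sudoRole schema rather than a configuration slip: within one sudoRole entry every sudoRunAs value pairs with every sudoCommand value, so three sudoers lines that each bind one RunAs user to its own command list collapse into a single cross product. The fix is structural: one sudoRole entry per RunAs/command set, which is exactly how the local sudoers file already expresses it. The Python below is an added example, not code from the post or from the sudo project. It models the matching rule for both the sudoers lines and the LDAP role in the message, shows a request to run /bin/sh as root being refused by sudoers but granted by the single flattened role, and emits the split roles as LDIF. The entry names (ldapgroup_nobody and so on), the base DN and the /bin/sh request are assumptions made for the example.

```python
# Sudoers grants from the post, one tuple per line: (user_spec, runas, commands).
# "ALL" stands for sudo's ALL alias.
SUDOERS_LINES = [
    ("%ldapgroup", "nobody", ["ALL"]),
    ("%ldapgroup", "webservd", ["ALL"]),
    ("%ldapgroup", "root", ["/usr/local/etc/script1.sh", "/usr/local/etc/script2.sh"]),
]

# The single sudoRole entry from the post, as a dict of multi-valued attributes.
FLAT_ROLE = {
    "dn": "cn=%ldapgroup,dc=sudoers,dc=domain,dc=com",
    "cn": "%ldapgroup",
    "sudoUser": ["%ldapgroup"],
    "sudoHost": ["ALL"],
    "sudoRunAs": ["nobody", "webservd", "root"],
    "sudoCommand": ["ALL", "/usr/local/etc/script1.sh", "/usr/local/etc/script2.sh"],
    "sudoOption": ["!authenticate"],
}


def sudoers_allows(lines, runas, command):
    """sudoers semantics: the RunAs user and command list on one line go together."""
    for _user, line_runas, cmds in lines:
        if line_runas == runas and ("ALL" in cmds or command in cmds):
            return True
    return False


def role_allows(role, runas, command):
    """sudoRole semantics: any sudoRunAs in the entry pairs with any sudoCommand
    in the same entry. (A role with no sudoRunAs defaults to root; not modelled.)"""
    runas_ok = runas in role["sudoRunAs"] or "ALL" in role["sudoRunAs"]
    cmd_ok = "ALL" in role["sudoCommand"] or command in role["sudoCommand"]
    return runas_ok and cmd_ok


def ldap_allows(roles, runas, command):
    """A request is permitted if any matching role permits it."""
    return any(role_allows(r, runas, command) for r in roles)


def split_roles(lines, base_dn="dc=sudoers,dc=domain,dc=com"):
    """Emit one sudoRole per sudoers line so each RunAs stays bound to its own
    command list. Entry naming (<group>_<runas>) and base_dn are assumptions."""
    roles = []
    for user, runas, cmds in lines:
        cn = f"{user.lstrip('%')}_{runas}"
        roles.append({
            "dn": f"cn={cn},{base_dn}",
            "cn": cn,
            "sudoUser": [user],
            "sudoHost": ["ALL"],
            "sudoRunAs": [runas],
            "sudoCommand": list(cmds),
            "sudoOption": ["!authenticate"],  # NOPASSWD, now decidable per entry
        })
    return roles


def to_ldif(role):
    """Serialise a role dict in the same LDIF layout the post uses."""
    out = [f"dn: {role['dn']}", "objectClass: top", "objectClass: sudoRole", f"cn: {role['cn']}"]
    for attr in ("sudoUser", "sudoHost", "sudoRunAs", "sudoCommand", "sudoOption"):
        out.extend(f"{attr}: {v}" for v in role[attr])
    return "\n".join(out)


if __name__ == "__main__":
    request = ("root", "/bin/sh")  # constructed request that sudoers must refuse
    print("sudoers      :", sudoers_allows(SUDOERS_LINES, *request))
    print("flat role    :", ldap_allows([FLAT_ROLE], *request))
    split = split_roles(SUDOERS_LINES)
    print("split roles  :", ldap_allows(split, *request))
    print()
    print("\n\n".join(to_ldif(r) for r in split))
```

Two practical notes: sudo 1.7 and later name the attribute sudoRunAsUser and treat sudoRunAs as a deprecated alias, but the pairing rule within an entry is unchanged, so the split is still the way to preserve the sudoers file's bindings; and because sudoOption is also per entry, splitting lets you drop !authenticate from the root entry alone if you later decide the two scripts should prompt for a password while the nobody and webservd grants stay passwordless.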
