[sudo-users] Less security with sudo+ldap?

Galen Johnson Galen.Johnson at sas.com
Fri Oct 7 14:29:50 EDT 2005


Man, this came across as pompous...not my intention at all. 

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Galen Johnson
Sent: Friday, October 07, 2005 1:09 PM
To: sudo-users at sudo.ws
Subject: RE: [sudo-users] Less security with sudo+ldap?

This is actually not a bad idea.  One of the reasons I stopped pursuing the use of ldap sudo rules is because they didn't behave the same as the sudoers file.  I think we need to figure out how to make it work exactly like the sudoers file does.  I really like the fact that if ldap is unavailable it will default to the local copy of sudoers.  This eliminates a point of failure and allows you to have a basic sudoers locally for emergency purposes while maintaining the global version.  I need to go back and review the shortcomings I found with it initially before I fully address where I think it should go from here and how to do so.  One of the biggest ones that comes readily to mind is the need to convert sudoers to a functional ldif properly.  There is already a framework that just appears to need a little polish.

=G= 

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Glenn Pitcher
Sent: Friday, October 07, 2005 12:26 PM
To: 'sudo-users at sudo.ws'
Subject: Re: [sudo-users] Less security with sudo+ldap?

Currently the ldap code does not share any code from the /etc/sudoers
parsing code. Maybe we should change that?

We could change the syntax structure, maybe we could allow an alternate
runas syntax on the sudoCommand option? It would make the code more
complicated, if there is a need for it then maybe we should take a look at
it. Maybe something like this:

sudoCommand: (root) /usr/local/etc/script1.sh

If that is the case we should also allow for a few permutations such as

sudoOption: authenticate
sudoCommand: !/bin/sh
sudoCommand: ALL
sudoCommand: NOPASSWD: /bin/mount
sudoCommand: (mysql) /usr/sbin/mysqld
sudoCommand: (mysql) NOPASSWD: /usr/bin/mysqldump

I believe there are other permutations, but they might get confusing, so I would
want to explore them all first. For example, what should this mean? Does it
mean if the user asks for any other user than web, the command is allowed,
or does it mean that the user can run any application as web except df?

sudoCommand: (web) NOEXEC: !/usr/bin/df

In any case, I want everyone to think it through so that we are all making
the best decision.

So, everyone, let us hear your viewpoints. Let's get some ideas.

- Aaron


On 10/5/05, Glenn Pitcher <Glenn.Pitcher at medimpact.com> wrote:
>
> Sure, I could split it into multiple roles but it would become 
> unmanageable. My site has well over 100 servers with hundreds of users 
> and as it is I have 60 some odd unix groups I'm maintaining - all of 
> which are used in sudo. So if I have to start breaking things down 
> further and add people to more groups... well, that just isn't an 
> option.
>
>  -----Original Message-----
> *From:* Aaron Spangler [mailto:aaron777 at gmail.com]
> *Sent:* Wednesday, October 05, 2005 11:44 AM
> *To:* Glenn Pitcher
> *Subject:* Re: [sudo-users] Less security with sudo+ldap?
>
> Split it into two roles. It will work.
>
> On 10/5/05, Glenn Pitcher <Glenn.Pitcher at medimpact.com> wrote:
> >
> > I'm having some problems trying to figure out how to get the same 
> > level of security with sudo+ldap that we currently enjoy by using a 
> > local sudoers file.
> >
> > Take for instance the following example:
> >
> > %ldapgroup ALL=(nobody) NOPASSWD:ALL
> > %ldapgroup ALL=(webservd) NOPASSWD:ALL
> > %ldapgroup ALL=(root) NOPASSWD:/usr/local/etc/script1.sh,
> > /usr/local/etc/script2.sh
> >
> > If I put this into LDAP, you get:
> >
> > dn: cn=%ldapgroup,dc=sudoers,dc=domain,dc=com
> > objectClass: top
> > objectClass: sudoRole
> > cn: %ldapgroup
> > sudoUser: %ldapgroup
> > sudoRunAs: nobody
> > sudoRunAs: webservd
> > sudoRunAs: root
> > sudoCommand: ALL
> > sudoCommand: /usr/local/etc/script1.sh
> > sudoCommand: /usr/local/etc/script2.sh
> > sudoHost: ALL
> > sudoOption: !authenticate
> >
> > Now, if a user does a 'sudo -l', they'll get back:
> >
> > --------------
> > User <username> may run the following commands on this host:
> > (nobody) NOPASSWD: ALL
> > (webservd) NOPASSWD: ALL
> > (root) NOPASSWD: /usr/local/etc/script1.sh
> > (root) NOPASSWD: /usr/local/etc/script2.sh
> >
> > LDAP Role: %ldapgroup
> > RunAs: (nobody, webservd, root)
> > Commands:
> > ALL
> > /usr/local/etc/script1.sh
> > /usr/local/etc/script2.sh
> > ---------------
> >
> > As you can see, the LDAP solution provides for less security than 
> > what was specified in the local sudoers file. For example, in the 
> > local sudoers file, the user could only run 2 scripts as root. With 
> > LDAP, they can do anything as root. Is there any way of tightening 
> > this down further?
> >
> >
> >
> > Glenn Pitcher
> > IT Security
> > MedImpact Healthcare Systems
> > San Diego, CA
> > 858-790-7479
> > glenn.pitcher @ medimpact.com
> >
> >
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws >
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
>
____________________________________________________________ 
sudo-workers mailing list <sudo-workers at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-workers
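To make Glenn's point concrete, here is an added example (not code from the thread or from sudo itself) that parses the three sudoers lines from his message, computes the (runas, command) pairs a host would actually allow when they are folded into one sudoRole versus kept as one role per line, and emits the split LDIF using the same sudoRole attributes the thread uses. The regex only handles the simple `user host=(runas) [NOPASSWD:]cmds` form shown on the page, the wrapped third sudoers line is joined onto one line, and the `cn` suffix used to keep the DNs distinct is a constructed naming choice.

```python
import re
from itertools import product

# Constructed sample: the three sudoers lines from the thread (third line joined).
SUDOERS = """\
%ldapgroup ALL=(nobody) NOPASSWD:ALL
%ldapgroup ALL=(webservd) NOPASSWD:ALL
%ldapgroup ALL=(root) NOPASSWD:/usr/local/etc/script1.sh, /usr/local/etc/script2.sh
"""

# Only the simple "user host=(runas) [NOPASSWD:]cmd, cmd" form is supported here.
LINE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*\((\S+)\)\s*(NOPASSWD:)?\s*(.+)$")

def parse_sudoers(text):
    """Return one dict per sudoers line: user, host, runas, nopasswd, commands."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        user, host, runas, nopw, cmds = m.groups()
        rules.append({"user": user, "host": host, "runas": runas,
                      "nopasswd": bool(nopw),
                      "commands": [c.strip() for c in cmds.split(",")]})
    return rules

def effective_grants(rules, merge):
    """Set of (runas, command) pairs the host will allow.
    merge=True models one sudoRole carrying every sudoRunAs and every sudoCommand,
    which is the single-entry LDIF from the thread: runas and commands become a cross
    product, so (root, ALL) appears even though no sudoers line granted it."""
    if not merge:
        return {(r["runas"], c) for r in rules for c in r["commands"]}
    runas = {r["runas"] for r in rules}
    cmds = {c for r in rules for c in r["commands"]}
    return set(product(runas, cmds))

def to_ldif(rules, base="dc=sudoers,dc=domain,dc=com"):
    """One sudoRole per sudoers line, so each runas keeps only its own commands.
    The cn suffix is a constructed convention that just keeps DNs distinct."""
    entries = []
    for r in rules:
        cn = f"{r['user']}_{r['runas']}"
        lines = [f"dn: cn={cn},{base}", "objectClass: top", "objectClass: sudoRole",
                 f"cn: {cn}", f"sudoUser: {r['user']}", f"sudoHost: {r['host']}",
                 f"sudoRunAs: {r['runas']}"]
        lines += [f"sudoCommand: {c}" for c in r["commands"]]
        if r["nopasswd"]:
            lines.append("sudoOption: !authenticate")   # NOPASSWD equivalent used in the thread
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"
```

Comparing `effective_grants(rules, merge=True)` against `merge=False` shows the extra pairs the single-entry role hands out; the split LDIF from `to_ldif` grants exactly the original four.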
