[sudo-users] (ldap enabled) sudo ignoring Runas_Spec?

Jon Miller jonebird at gmail.com
Mon Sep 11 12:49:21 EDT 2006

   We use sudo to provide our end users the ability to become an
application owner on our production machines. That way, we can see who
is _actually_ logged in vs. seeing user 'myapp' and there is no
password sharing. Typically, we've simply used a line such as "/bin/su
- myapp" for the sudo command. I've been having a problem on RHEL 3.0
machines where there seems to be some sort of tty issue. But I've
grown tired of troubleshooting it...
  As an alternative, I decided to try granting the command "(myapp)
/bin/bash -l" instead. It appears that sudo is ignoring my Runas_Spec,
but only when the command is read from an LDAP record. To test, I've
used a tad simpler set of commands, with one set in the local sudoers
file and another rule set up in LDAP. Here is what I'll see when
listing my commands:
    sudo -l
    User jmiller may run the following commands on this host:
        (operator) /bin/ls

    LDAP Role: BPN_test
        /bin/su - uprd4bpn3
        (apache) /bin/echo

As you can see, I've granted myself permission to run the 'ls' command
as the user 'operator' from the local sudoers file and the command
'echo' as the 'apache' user via an LDAP Role named BPN_Test.

Now to test running the "ls" command, granted from the local sudoers:
    sudo -u operator /bin/ls /
    bin  boot  dev  etc  export  home  initrd  lib  lost+found  misc  mnt
    opt  proc  root  sbin  tmp  usr  var

No error. Now how about the "echo" command allocated from the LDAP role:
    sudo -u apache /bin/echo hello
    Sorry, user jmiller is not allowed to execute '/bin/echo hello' as
    apache on uprd4app8.

Any ideas as to why the Runas_Spec works for local sudoers files vs.
the LDAP role specification?

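For readers comparing the two backends, here is how the "echo as apache" rule from the listing above is expressed as a local sudoers entry and as an LDAP sudoRole entry. This is an added illustration, not part of the original message: the directory suffix, the OU name and the sudoHost value are assumptions, and the entry uses the sudoRunAs attribute of the sudo 1.6-era LDAP schema (later sudo versions renamed it sudoRunAsUser). One caveat a practitioner should keep in mind: in the LDAP schema a sudoRunAs value applies to every sudoCommand in the role, not to an individual command the way a Runas_Spec does in sudoers, so commands that should run as different users belong in separate sudoRole entries.

```ldif
# Constructed example (not from the post). Local sudoers equivalent,
# as a comment so both forms sit side by side:
#
#   jmiller  ALL = (apache) /bin/echo
#
# The same grant as an LDAP sudoRole entry. dc=example,dc=com,
# ou=SUDOers and sudoHost are assumed values.
dn: cn=BPN_test,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: BPN_test
sudoUser: jmiller
sudoHost: ALL
sudoCommand: /bin/echo
# sudoRunAs applies to every sudoCommand in this role.
sudoRunAs: apache
```

With the entry loaded, "sudo -l" should list the role with "(apache) /bin/echo" as in the original listing; whether "sudo -u apache /bin/echo hello" is then permitted is exactly the question raised above.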