[sudo-users] Debian problem or sudo config?

Jordi Espasa Clofent jespasac at minibofh.org
Thu Aug 13 04:53:43 EDT 2009


Hi all,

I'm using LDAP+sudo as accounting server. The clients are FreeBSD (sudo 
1.6.9 from ports tree) and Debian Lenny GNU/Linux (1.7.1 compiled from 
sources... Debian packages suck). Normally the users belong to one 
SUDOers group only, but in some special cases I need to create another 
group for concrete boxes (the sudoHost is the key).

For example, the user 'jordi' belongs to "hosting_prog" and 
"preproduccio" groups. preproduccio group is a special group with a list 
of sudoHost which includes FreeBSD and Debian boxes.

// In FreeBSD

%sudo -l
Password:
User jordi may run the following commands on this host:

LDAP Role: hosting_prog
   Commands:
     /usr/bin*
     /bin*
     !/usr/bin/su
     !/bin/csh
     !/bin/tcsh
     /usr/sbin/chown
     /usr/local/sbin/apachectl
     /usr/local/etc/rc.d/*
     !/bin/su

LDAP Role: preproduccio
   Commands:
     ALL

%sudo su

# whoami
root

As you can see, the client (FreeBSD machine, which is a host defined in 
the preproduccio SUDOers group) knows that user 'jordi' has ALL commands 
available in this host, and all works fine.

But in another host (xen-ad0003, which is also in preproduccio group):

// In Debian Lenny GNU/Linux
jordi at xen-ad0003:~$ sudo -l
Password:
Matching Defaults entries for jordi on this host:
     ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudolog, 
!syslog, timestamp_timeout=10, insults

Runas and Command-specific defaults for jordi:

User jordi may run the following commands on this host:
     (root) /usr/bin*, /bin*, !/usr/bin/su, !/bin/csh, !/bin/tcsh, 
/usr/sbin/chown, /usr/local/sbin/apachectl, /usr/local/etc/rc.d/*, !/bin/su
     (root) ALL
jordi at xen-ad0003:~$ sudo su
Sorry, user jordi is not allowed to execute '/bin/su' as root on xen-ad0003.

The client (xen-ad0003) doesn't make any distinction and always takes the 
first group!

I have no idea why this happens. My first reaction has been to check the 
PAM parameters, but all seems fine. Maybe some compilation flag on the 
Debian machines?

-- 
Thanks,
Jordi Espasa Clofent
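As an added illustration (not part of Jordi's message, and not sudo's own code), here is a small Python model of the evaluation rule documented in sudoers(5): matching entries are applied in order and the last match wins. It replays the two roles' command lists from the post against /bin/su in both possible role orders, so you can see that the "!" exclusions only hold when the restrictive role is evaluated last. Assumptions: wildcards do not match '/' (as the manual notes), and the LDAP backend's own entry ordering (sudoOrder) is not modelled.

```python
import re

# Command lists copied from the two LDAP roles printed by "sudo -l" in the post.
HOSTING_PROG = ["/usr/bin*", "/bin*", "!/usr/bin/su", "!/bin/csh", "!/bin/tcsh",
                "/usr/sbin/chown", "/usr/local/sbin/apachectl",
                "/usr/local/etc/rc.d/*", "!/bin/su"]
PREPRODUCCIO = ["ALL"]

# Two candidate orders in which the roles might be applied (constructed for the demo).
ROLE_ORDER_FREEBSD = [("hosting_prog", HOSTING_PROG), ("preproduccio", PREPRODUCCIO)]
ROLE_ORDER_REVERSED = list(reversed(ROLE_ORDER_FREEBSD))


def _glob_to_re(pattern):
    """sudoers-style wildcard: '*' and '?' do not match a '/' in the path."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def matches(spec, cmnd):
    """True if a single (non-negated) command spec matches the command path."""
    return spec == "ALL" or _glob_to_re(spec).match(cmnd) is not None


def evaluate(roles, cmnd):
    """Apply every role's command list in order; the last matching spec decides.

    Returns (allowed, "role:spec") for the deciding entry, or (False, None)
    when nothing matched at all.
    """
    verdict = (False, None)
    for role_name, specs in roles:
        for spec in specs:
            negated = spec.startswith("!")
            if matches(spec.lstrip("!"), cmnd):
                verdict = (not negated, f"{role_name}:{spec}")
    return verdict


if __name__ == "__main__":
    for cmnd in ("/bin/su", "/bin/csh", "/usr/sbin/chown"):
        for label, roles in (("hosting_prog, preproduccio", ROLE_ORDER_FREEBSD),
                             ("preproduccio, hosting_prog", ROLE_ORDER_REVERSED)):
            allowed, why = evaluate(roles, cmnd)
            print(f"{cmnd:18} order [{label}] -> {'ALLOW' if allowed else 'DENY':5} ({why})")
```

The flip between the two orders is also why sudoers(5) warns that subtracting commands from ALL with "!" is not an effective restriction.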
