[sudo-users] Debian problem or sudo config?
Jordi Espasa Clofent
jespasac at minibofh.org
Thu Aug 13 04:53:43 EDT 2009
Hi all,
I'm using LDAP+sudo as accounting server. The clients are FreeBSD (sudo
1.6.9 from ports tree) and Debian Lenny GNU/Linux (1.7.1 compiled from
sources... Debian packages suck). Normally the users belong to one
SUDOers group only, but in some special cases I need to create another
group for concrete boxes (the sudoHost is the key).
For example, the user 'jordi' belongs to the "hosting_prog" and
"preproduccio" groups. The preproduccio group is a special group with a list
of sudoHost which includes FreeBSD and Debian boxes.
// In FreeBSD
%sudo -l
Password:
User jordi may run the following commands on this host:
LDAP Role: hosting_prog
Commands:
/usr/bin*
/bin*
!/usr/bin/su
!/bin/csh
!/bin/tcsh
/usr/sbin/chown
/usr/local/sbin/apachectl
/usr/local/etc/rc.d/*
!/bin/su
LDAP Role: preproduccio
Commands:
ALL
%sudo su
# whoami
root
As you can see, the client (a FreeBSD machine, which is a host defined in
the preproduccio SUDOers group) knows that user 'jordi' has ALL commands
available on this host, and all works fine.
But on another host (xen-ad0003, which is also in the preproduccio group):
// In Debian Lenny GNU/Linux
jordi@xen-ad0003:~$ sudo -l
Password:
Matching Defaults entries for jordi on this host:
ignore_dot, !mail_no_user, log_host, logfile=/var/log/sudolog,
!syslog, timestamp_timeout=10, insults
Runas and Command-specific defaults for jordi:
User jordi may run the following commands on this host:
(root) /usr/bin*, /bin*, !/usr/bin/su, !/bin/csh, !/bin/tcsh,
/usr/sbin/chown, /usr/local/sbin/apachectl, /usr/local/etc/rc.d/*, !/bin/su
(root) ALL
jordi@xen-ad0003:~$ sudo su
Sorry, user jordi is not allowed to execute '/bin/su' as root on xen-ad0003.
The client (xen-ad0003) doesn't make any distinction and always takes the
first group!
I have no idea why this happens. My first reaction has been to check the
PAM parameters, but all seems fine. Maybe some compilation flag on the
Debian machines?
--
Thanks,
Jordi Espasa Clofent