[sudo-users] sudo on LDAP running commands as multiple-users

Tony G. tonysk8 at gmx.net
Tue Oct 20 14:12:07 EDT 2009


On Tue, Oct 20, 2009 at 8:09 AM, Edward Capriolo <edlinuxguru at gmail.com>wrote:

> On Mon, Oct 19, 2009 at 9:23 PM, Tony G. <tonysk8 at gmx.net> wrote:
> > Hi, I have sudo running on OpenLDAP and found that some of the more
> > elaborate sudo rules are probably not working as expected; I'm wondering
> > if any of you have been able to solve this.
> >
> > This is the rule I want to implement
> > %www ALL = (www) ALL, (root) /bin/su www
> >
> > On LDAP the entry is:
> > dn: cn=%www,ou=sudoers,dc=example,dc=com
> > cn: www
> > cn: %www
> > sudoHost: ALL
> > sudoUser: %www
> > objectClass: sudoRole
> > objectClass: top
> > sudoCommand: (root) /bin/su www
> > sudoCommand: (www) ALL
> >
> > This rule does not work, but I'm able to mimic some functionality:
> > 1st Option, The (www) ALL
> > sudoCommand: ALL
> > sudoRunAs: www
> > *But you are not able to switch to www user.
> >
> > 2nd Option, The (root) /bin/su www
> > sudoCommand: /bin/su www
> > sudoRunAs: root
> > *But you are not able to run sudo as www user.
> >
> > I see that the (runas) COMMAND format is not working as I set:
> > sudoCommand: (root) /bin/su www
> > sudoRunAs: <EMPTY>
> >
> > And I'm not able to run /bin/su www
> >
> > Thanks for your Help in Advance.
> >
> > --
> > Tony
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
> Tony,
>
> Your problem is you are not specifying the LDAP objects correctly. You
> are going to need two objects in the end.
>
> First is www a user or is www a group?
>
> if user
> sudoUser: www
>
> if group
> sudoUser: %www
>
> Secondly, your sudoCommand is wrong
>
> sudoCommand: (root) /bin/su www
>
> Should be
> sudoCommand:  /bin/su www
> sudoRunAs: root
>
> sudoRunAs: root is the default
>
> What you might want is this:
>
> This lets www run all commands with sudo.
>
> dn: cn=www,ou=sudoers,dc=example,dc=com
> cn: www
> sudoHost: ALL
> sudoUser: www
> objectClass: sudoRole
> objectClass: top
> sudoCommand:  ALL
>
> Usually root has all sudo.
>
> dn: cn=root,ou=sudoers,dc=example,dc=com
> cn: root
> sudoHost: ALL
> sudoUser: root
> objectClass: sudoRole
> objectClass: top
> sudoCommand:  ALL
>
> Good luck!
>

Thanks for the responses..

I should define the contents of the rule %www ALL = (www) ALL, (root) /bin/su www

www is a local user in the target host
%www is an ldap group

dn: cn=www,ou=group,dc=example,dc=com
objectClass: posixGroup
gidNumber: 1001
cn: www
memberUid: foo
memberUid: bar

So this is what I did to solve this; I needed to add two objects as you
suggested:
1st object, Solves the (www) ALL and is applied to the www group
dn: cn=www,ou=sudoers,dc=example,dc=com
cn: www
sudoHost: ALL
sudoUser: %www
objectClass: sudoRole
objectClass: top
sudoCommand: ALL

2nd object, Solves (root) /bin/su www
dn: cn=su_www,ou=sudoers,dc=example,dc=com
cn: su_www
sudoHost: ALL
sudoUser: %www
objectClass: sudoRole
objectClass: top
sudoCommand:  /bin/su - www

Bottom line, I can see the format "(RunAs) COMMAND" does not work in the
same way as in local sudoers, as it seems that LDAP constructs it from two
objects: "(sudoRunAs) sudoCommand".

What a more elaborate rule in local sudoers can do in one line takes two
objects on sudo-LDAP.

Thanks All for your help.

-- 
Tony
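As an added example (not code from the thread or the sudo project), a small Python helper that does the translation described above: it parses a one-line sudoers rule of the form used in this thread and emits one sudoRole LDIF object per RunAs target, with the runas user in a sudoRunAs attribute rather than inside sudoCommand. The cn naming scheme and the base DN are assumptions, and the parser only handles the rule subset shown here (one user spec, one host, a comma-separated command list with optional "(runas)" prefixes).

```python
import re

# Constructed input: the rule from the thread, not an attribute of any real host.
RULE = "%www ALL = (www) ALL, (root) /bin/su www"

def parse_sudoers_rule(rule):
    """Return (user_spec, host, [(runas, command), ...]) for a simple rule.
    In sudoers a (runas) prefix stays in effect for the commands that follow
    it until another prefix appears, so the prefix is carried forward."""
    m = re.match(r"^\s*(\S+)\s+(\S+)\s*=\s*(.+)$", rule)
    if not m:
        raise ValueError("unsupported rule: %r" % rule)
    user, host, cmds = m.groups()
    specs, runas = [], None
    for item in cmds.split(","):
        item = item.strip()
        r = re.match(r"^\(([^)]*)\)\s*(.+)$", item)
        if r:
            runas, item = r.group(1).strip(), r.group(2).strip()
        specs.append((runas, item))
    return user, host, specs

def rule_to_ldif(rule, base="ou=sudoers,dc=example,dc=com"):
    """Emit one sudoRole entry per distinct runas target (the point of the
    thread: one sudoers line becomes several LDAP objects). The runas user
    goes into sudoRunAs (older schema name; current sudo schemas call it
    sudoRunAsUser), never into the sudoCommand value. Base DN and the
    '<user>_runas_<target>' cn scheme are assumptions for this example."""
    user, host, specs = parse_sudoers_rule(rule)
    by_runas = {}
    for runas, cmd in specs:
        by_runas.setdefault(runas, []).append(cmd)
    entries = []
    for runas, cmds in by_runas.items():
        cn = user.lstrip("%")            # '%www' group -> 'www' as the cn stem
        if runas is not None:
            cn = "%s_runas_%s" % (cn, runas)
        lines = ["dn: cn=%s,%s" % (cn, base), "objectClass: top",
                 "objectClass: sudoRole", "cn: " + cn,
                 "sudoUser: " + user, "sudoHost: " + host]
        if runas is not None:             # omitted -> sudo's default (root)
            lines.append("sudoRunAs: " + runas)
        lines += ["sudoCommand: " + c for c in cmds]
        entries.append("\n".join(lines))   # no leading spaces: LDIF folds those
    return entries

if __name__ == "__main__":
    print("\n\n".join(rule_to_ldif(RULE)))
```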