[sudo-users] sudo + ldap + high cpu and recursive group member searching.
Jr Aquino
JR.Aquino at citrixonline.com
Thu Jan 21 18:39:47 EST 2010
Hello again Todd,
Thank you very much for your explanation.
I looked back over my ldap db debugging and compared it to the
sudoers_debuging and correlated that sudo isn't actually doing the
huge number of iteration lookups that I am seeing.
The following search data appears to be happening as a Consequence of
running sudo and it does this for each 'uniqueMember' returned from a
search from gidMember associated with the initiating user:
scope:0 dereference:0 sizelimit:1 timelimit:5 attrsonly:0
filter: "(objectclass=*)"
attribute: "uid"
attribute: "uniqueMember"
attribute: "objectClass"
I understand that some things that sudo does when it gets used, causes
-re-initialization- of different types of environmental variables,
etc. I.E. sudo -s would cause .bash_profile to be reread, and would
probably also re-request the uid/gid information?
Todd, if you have any understanding of nss_ldap or the initgroup() or
inituser() functions... are you aware of any valid reason why a
system, after exec'ing sudo, would try to re-enumerate the user's
group, then do an iterative search for all the other members of that
group for 'uid, groupMembership, and objectclass'?
If that goes way beyond a sudo discussion, I thoroughly understand.
I thought since this activity seems to be taking place as a
consequence of running sudo, you may have seen it in the past during
development.
Thank you very very much Todd.
-Jr
On Jan 21, 2010, at 5:04 AM, Todd C. Miller wrote:
> You don't specify what version of sudo you are running but I'll
> explain what the current version of sudo (1.7.2p2) does; older
> versions are similar.
>
> Sudo performs a query for all sudoRole entries that match the user,
> one of the user's groups or ALL. It may also query sudoRoles entries
> that have a netgroup in them. It then iterates over the answers
> and matches based on hostname, runas user, and command.
>
> It is not possible to just return entries with a specific command
> since sudo has very flexible matching rules. The host may be
> specified by name, by ip address, by network/netmask, by netgroup
> or ALL. The runas user can be specified by user name, user id,
> Unix group, netmask, or ALL. Command matching is done based on the
> device and inode of the file on disk, also there may be wildcard
> matching.
>
> - todd
More information about the sudo-users
mailing list