[sudo-users] sudo + ldap + high cpu and recursive group member searching.

Jr Aquino JR.Aquino at citrixonline.com
Thu Jan 21 18:39:47 EST 2010

Hello again Todd,

Thank you very much for your explanation.

I looked back over my ldap db debugging and compared it to the  
sudoers_debuging and correlated that sudo isn't actually doing the  
huge number of iteration lookups that I am seeing.

The following search data appears to be happening as a Consequence of  
running sudo and it does this for each 'uniqueMember' returned from a  
search from gidMember associated with the initiating user:
	scope:0  dereference:0  sizelimit:1  timelimit:5  attrsonly:0
	filter: "(objectclass=*)"
	attribute: "uid"
	attribute: "uniqueMember"
	attribute: "objectClass"

I understand that some things that sudo does when it gets used, causes  
-re-initialization- of different types of environmental variables,  
etc.  I.E. sudo -s would cause .bash_profile to be reread, and would  
probably also re-request the uid/gid information?

Todd, if you have any understanding of nss_ldap or the initgroup() or  
inituser() functions... are you aware of any valid reason why a  
system, after exec'ing sudo, would try to re-enumerate the user's  
group, then do an iterative search for all the other members of that  
group for 'uid, groupMembership, and objectclass'?

If that goes way beyond a sudo discussion, I thoroughly understand.

I thought since this activity seems to be taking place as a  
consequence of running sudo, you may have seen it in the past during  

Thank you very very much Todd.


On Jan 21, 2010, at 5:04 AM, Todd C. Miller wrote:

> You don't specify what version of sudo you are running but I'll
> explain what the current version of sudo (1.7.2p2) does; older
> versions are similar.
> Sudo performs a query for all sudoRole entries that match the user,
> one of the user's groups or ALL.  It may also query sudoRoles entries
> that have a netgroup in them.  It then iterates over the answers
> and matches based on hostname, runas user, and command.
> It is not possible to just return entries with a specific command
> since sudo has very flexible matching rules.  The host may be
> specified by name, by ip address, by network/netmask, by netgroup
> or ALL.  The runas user can be specified by user name, user id,
> Unix group, netmask, or ALL.  Command matching is done based on the
> device and inode of the file on disk, also there may be wildcard
> matching.
> - todd

More information about the sudo-users mailing list