[sudo-users] Sudo performance with LDAP netgroups in /etc/sudoers

Thu Jan 28 17:50:01 EST 2010

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bugger.  My apologies, I forgot some more critical information.

Much of my testing was on the RHEL supplied versions of sudo, Sudo
version 1.6.9p17 on my redhat 5.3 box, and Sudo version 1.6.7p5 on my
RHEL 4.8 box.

However, I've also compiled and tried Sudo version 1.7.2p1 on RHEL 4,
and see almost identical performance characteristics as the 1.6.*
versions on the same host.

So unfortunately whatever's going on here seems to be the same in the
latest versions of sudo.

Thanks!
- -- Pat

Patrick Spinler wrote:
> 
> Hi all sudo knowledge gods. :-)  I'd like to place a sudo performance
> question before you.
> 
> We have an environment (using redhat enterprise linux 5.3 as my test
> box) where I am using netgroups in my sudoers, like so:
> 
>   +netgroup   ALL=(ALL) NOPASSWD: ALL
> 
> and direct my netgroup database to use LDAP via /etc/nsswitch.conf, like so:
> 
>   netgroup:   files ldap
> 
> Unfortunately, in my test box, I'm seeing abysmal performance invoking
> sudo, on the order of 4 seconds to run a "sudo -l"
> 
> I've established a very strong correlation between the number of
> netgroups listed in /etc/sudoers and the invocation time.  On my test
> machine, with 15 netgroups listed, I had the 4 second invocation time
> I just mentioned.  When I reduced the number of netgroups to 7 by
> combining lines using line continuation characters, my "sudo -l" time
> dropped to an average 2.2 seconds over 10 tests.
> 
> Sure enough, when I examined my ldap server logs, I see an ldap search
> for each listing of a netgroup in /etc/sudoers directly resulting from
> any invocation of sudo.  This includes several searches for the same
> netgroup per invocation if the netgroup is listed multiple times.  E.g.
> this:
> 
>   +netgroup ALL=(root)   /bin/su - tomcat
>   +netgroup ALL=(tomcat) ALL
> 
> would produce two searches for with the ldap filter
> "(&(objectClass=nisNetgroup)(cn=netgroup))" on my servers.
> 
> However, while there is a strong correlation between the number of ldap
> searches and the experienced delay, that's not the whole story.  My ldap
> servers are, in fact, quite fast.  I can run the following search (yes,
> the duplication is intentional, intended to mirror the duplicate
> netgroups in sudoers like above):
> 
> time for i in netgr1 netgr2 netgr2 netgr3 netgr3 netgr4 netgr4; do
>   ldapsearch -x "(&(objectClass=nisNetgroup)(cn=$i))"
> done > /dev/null
> 
> in, on average, 0.14 seconds.
> 
> So, for 7 netgroups, it's a fair assumption that my 2.2 second "sudo -l"
> spends < .2 seconds searching ldap for netgroups, and about 2 seconds
> doing "something else".
> 
> Frustratingly, I haven't been able to profile this.  The command:
> 
>   time strace sudo -l
> 
> ends up complaining that:
> 
> write(2, "sudo: ", 6sudo: )                   = 6
> write(2, "must be setuid root", 19must be setuid root)     = 19
> write(2, "\n", 1
> 
> and so gives no useful information. :-(
> 
> Can anyone offer advice in tracing down the source of my delay?
> 
> Thanks!
> -- Pat
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktiFJkACgkQNObCqA8uBsxFqACcCyHUcpClZ5QS/8sxaQHMHsiS
jNcAn1KRf9+qW5VIwXnNzNChYoHqq+nK
=kOh4
-----END PGP SIGNATURE-----