[sudo-users] Sudo performance with LDAP netgroups in /etc/sudoers
spinler.patrick at mayo.edu
Thu Jan 28 17:38:12 EST 2010
Hi all sudo knowledge gods. :-) I'd like to place a sudo performance
question before you.
We have an environment (using Red Hat Enterprise Linux 5.3 as my test
box) where I am using netgroups in my sudoers, like so:
+netgroup ALL=(ALL) NOPASSWD: ALL
and direct my netgroup database to use LDAP via /etc/nsswitch.conf, like so:
netgroup: files ldap
Unfortunately, in my test box, I'm seeing abysmal performance invoking
sudo, on the order of 4 seconds to run a "sudo -l".
I've established a very strong correlation between the number of
netgroups listed in /etc/sudoers and the invocation time. On my test
machine, with 15 netgroups listed, I had the 4 second invocation time
I just mentioned. When I reduced the number of netgroups to 7 by
combining lines using line continuation characters, my "sudo -l" time
dropped to an average of 2.2 seconds over 10 tests.
Sure enough, when I examined my ldap server logs, I see an ldap search
for each listing of a netgroup in /etc/sudoers directly resulting from
any invocation of sudo. This includes several searches for the same
netgroup per invocation if the netgroup is listed multiple times. E.g.
+netgroup ALL=(root) /bin/su - tomcat
+netgroup ALL=(tomcat) ALL
would produce two searches with the ldap filter
"(&(objectClass=nisNetgroup)(cn=netgroup))" on my servers.
However, while there is a strong correlation between the number of ldap
searches and the experienced delay, that's not the whole story. My ldap
servers are, in fact, quite fast. I can run the following search (yes,
the duplication is intentional, intended to mirror the duplicate
netgroups in sudoers like above):
# one ldapsearch per netgroup listing; netgr2..netgr4 are repeated on purpose
time for i in netgr1 netgr2 netgr2 netgr3 netgr3 netgr4 netgr4; do
    ldapsearch -x "(&(objectClass=nisNetgroup)(cn=$i))"
done > /dev/null
in, on average, 0.14 seconds.
So, for 7 netgroups, it's a fair assumption that my 2.2 second "sudo -l"
spends < 0.2 seconds searching ldap for netgroups, and about 2 seconds
doing "something else".
Frustratingly, I haven't been able to profile this. The command:
time strace sudo -l
ends up complaining that:
write(2, "sudo: ", 6sudo: ) = 6
write(2, "must be setuid root", 19must be setuid root) = 19
write(2, "\n", 1
and so gives no useful information. :-(
Can anyone offer advice in tracing down the source of my delay?
-- Pat
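As an added example (not part of the poster's message): a small Python script that models the behaviour described above, one LDAP search per "+netgroup" listing in sudoers, duplicates included, so you can count the lookups a given file would cost before consolidating entries. It joins backslash-continued lines, counts netgroup names in the User_List of each user specification, and reports which netgroups are listed more than once. The sudoers content is constructed for the demo, and the script assumes alias and Defaults lines contribute no lookups (a simplification, not something the post establishes).

```python
import re
from collections import Counter
# Constructed sample sudoers content for this demo, not the poster's real file.
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL) ALL
+netgr1     ALL=(ALL) NOPASSWD: ALL
+netgr2     ALL=(root) /bin/su - tomcat
+netgr2     ALL=(tomcat) ALL
+netgr3     ALL=(ALL) /sbin/service httpd restart, \\
            /sbin/service tomcat restart
+netgr4, +netgr3  ALL=(ALL) ALL
# +ignored  ALL=(ALL) ALL
"""

NETGROUP_RE = re.compile(r"(?<![\w.-])\+([\w.-]+)")  # a '+name' token

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def netgroup_refs(text):
    """Count '+netgroup' names in the User_List of each user specification."""
    counts = Counter()
    for line in logical_lines(text):
        first = line.split(None, 1)[0]
        if first.startswith("Defaults") or first.endswith("_Alias"):
            continue  # option and alias lines are not user specs (assumption)
        left, sep, _ = line.partition("=")
        if not sep:
            continue
        user_list = left.rsplit(None, 1)[0]  # drop the Host_List token
        counts.update(NETGROUP_RE.findall(user_list))
    return counts

def lookup_report(text):
    """One LDAP search per listing, as the poster observed, so duplicates cost extra."""
    counts = netgroup_refs(text)
    total = sum(counts.values())
    return {"searches_per_invocation": total,
            "unique_netgroups": len(counts),
            "redundant_searches": total - len(counts),
            "duplicated": sorted(n for n, c in counts.items() if c > 1)}

if __name__ == "__main__":
    r = lookup_report(SAMPLE_SUDOERS)
    print(f"{r['searches_per_invocation']} searches per sudo run, {r['redundant_searches']} redundant: {r['duplicated']}")
```

Run it against a copy of /etc/sudoers to see how many of the per-invocation searches are repeats that merging lines would remove.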