[sudo-users] Sudo performance with LDAP netgroups in /etc/sudoers

Patrick Spinler spinler.patrick at mayo.edu
Thu Jan 28 17:38:12 EST 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi all sudo knowledge gods. :-)  I'd like to place a sudo performance
question before you.

We have an environment (using redhat enterprise linux 5.3 as my test
box) where I am using netgroups in my sudoers, like so:

  +netgroup   ALL=(ALL) NOPASSWD: ALL

and direct my netgroup database to use LDAP via /etc/nsswitch.conf, like so:

  netgroup:   files ldap

Unfortunately, in my test box, I'm seeing abysmal performance invoking
sudo, on the order of 4 seconds to run a "sudo -l"

I've established a very strong correlation between the number of
netgroups listed in /etc/sudoers and the invocation time.  On my test
machine, with 15 netgroups listed, I had the 4 second invocation time
I just mentioned.  When I reduced the number of netgroups to 7 by
combining lines using line continuation characters, my "sudo -l" time
dropped to an average 2.2 seconds over 10 tests.

Sure enough, when I examined my ldap server logs, I see an ldap search
for each listing of a netgroup in /etc/sudoers directly resulting from
any invocation of sudo.  This includes several searches for the same
netgroup per invocation if the netgroup is listed multiple times.  E.g.
this:

  +netgroup ALL=(root)   /bin/su - tomcat
  +netgroup ALL=(tomcat) ALL

would produce two searches for with the ldap filter
"(&(objectClass=nisNetgroup)(cn=netgroup))" on my servers.

However, while there is a strong correlation between the number of ldap
searches and the experienced delay, that's not the whole story.  My ldap
servers are, in fact, quite fast.  I can run the following search (yes,
the duplication is intentional, intended to mirror the duplicate
netgroups in sudoers like above):

time for i in netgr1 netgr2 netgr2 netgr3 netgr3 netgr4 netgr4; do
  ldapsearch -x "(&(objectClass=nisNetgroup)(cn=$i))"
done > /dev/null

in, on average, 0.14 seconds.

So, for 7 netgroups, it's a fair assumption that my 2.2 second "sudo -l"
spends < .2 seconds searching ldap for netgroups, and about 2 seconds
doing "something else".

Frustratingly, I haven't been able to profile this.  The command:

  time strace sudo -l

ends up complaining that:

write(2, "sudo: ", 6sudo: )                   = 6
write(2, "must be setuid root", 19must be setuid root)     = 19
write(2, "\n", 1

and so gives no useful information. :-(

Can anyone offer advice in tracing down the source of my delay?

Thanks!
- -- Pat

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktiEdQACgkQNObCqA8uBsyWqgCfRzbL0vpo4HKsaOXteqlGPZLW
ZEwAnRT2KJEvy64W9maBbYXxdQOXwWWd
=P265
-----END PGP SIGNATURE-----

More information about the sudo-users mailing list