[sudo-users] Fwd: SUDO centralization based on Server!

JR Aquino JR.Aquino at citrix.com
Tue Sep 6 16:31:12 EDT 2011


You CAN restrict a user from executing a command with SUDO and LDAP.
http://www.gratisoft.us/sudo/readme_ldap.html

try setting:
/etc/ldap.conf
sudoers_debug 2

then try running your command again. It sounds like something else may be permitting the command to be run.

You should get a bunch of debug data that scrolls by, which should include the particular rule that matched.

Do you have an /etc/sudoers rule that would be overriding your !/sbin/route?

Sudo is first match, so depending on what you have in /etc/nsswitch.conf it is possible that it is matching a conf file before looking to ldap.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:

> Hi,
> 
> If i understood correctly, i can't restrict a user from executing some
> command by centralizing SUDO with OpenLDAP?
> 
> Regards,
> Neo
> 
> 
> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> 
>> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
>> 
>>> Someone else will have to chime in to confirm or deny my failing memory,
>>> but I do know that when using LDAP in general, there are no guarantees
>>> as to the order that elements are returned from a search; leading from
>>> that, I seem to recall reading somewhere that the behavior of sudo deny
>>> rules when pulled from LDAP might not be the same as when reading rules
>>> from a file, again 'cause you can't specify or enforce a rule order.
>> 
>> That is correct; LDAP does not guarantee the order of the attributes
>> within a sudoRole.  Newer versions of sudo support a sudoOrder
>> attribute but that only helps with ordering multiple sudoRoles.
>> 
>> - todd
>> 
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
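The two points raised in this thread, that the `sudoers` line in /etc/nsswitch.conf decides which source is consulted first, and that a negated entry such as `!/sbin/route` only works if its position relative to `ALL` is preserved, can be shown with a small model. The following is an added example, not code from the thread or from the sudo project. It implements a simplified order-sensitive "last matching entry wins" evaluation next to a hypothetical order-independent "any matching negation denies" evaluation; neither is a claim about how sudo's LDAP backend actually resolves negations, and the `files` fallback when nsswitch.conf has no `sudoers` line is an assumption. The nsswitch text and the command lists are constructed samples.

```python
"""Why the order of negated sudo command entries matters, and which source
sudo consults first. Simplified model for illustration; not sudo's code."""
import fnmatch

# Constructed sample of an /etc/nsswitch.conf fragment.
NSSWITCH_SAMPLE = """# constructed sample, not a real host's file
passwd:  files ldap
group:   files ldap
sudoers: files ldap
"""

# The same two command entries, once in the order they were written in a
# sudoers file and once in an order a directory might happen to return them
# (LDAP does not guarantee attribute order). Both lists are constructed.
FILE_ORDER = ["ALL", "!/sbin/route"]
LDAP_ORDER = ["!/sbin/route", "ALL"]


def nsswitch_sudoers_order(nsswitch_text):
    """Return the source list for the 'sudoers' database, in lookup order.

    Comments and blank lines are ignored. If no 'sudoers' line is present
    this returns ['files'] (assumed default for this model).
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        database, _, sources = line.partition(":")
        if database.strip() == "sudoers":
            return sources.split()
    return ["files"]


def _matches(entry, target):
    """Match one command entry against a target path; returns (negated, hit)."""
    negated = entry.startswith("!")
    pattern = entry[1:] if negated else entry
    hit = pattern == "ALL" or fnmatch.fnmatch(target, pattern)
    return negated, hit


def ordered_last_match(commands, target):
    """Order-sensitive evaluation: the last matching entry decides.

    A leading '!' denies. Returns True (allow), False (deny) or None when no
    entry matched at all.
    """
    decision = None
    for entry in commands:
        negated, hit = _matches(entry, target)
        if hit:
            decision = not negated
    return decision


def unordered_deny_wins(commands, target):
    """Hypothetical order-independent evaluation: a matching negation always
    denies, otherwise a matching positive entry allows. The result is the same
    for every permutation of 'commands', which is what unordered LDAP
    attribute values would require.
    """
    allowed = False
    for entry in commands:
        negated, hit = _matches(entry, target)
        if hit and negated:
            return False
        if hit:
            allowed = True
    return allowed


def compare(target):
    """Evaluate one target under both orders and both models; returns a dict."""
    return {
        "ordered_file_order": ordered_last_match(FILE_ORDER, target),
        "ordered_ldap_order": ordered_last_match(LDAP_ORDER, target),
        "unordered_file_order": unordered_deny_wins(FILE_ORDER, target),
        "unordered_ldap_order": unordered_deny_wins(LDAP_ORDER, target),
    }


if __name__ == "__main__":
    print("sudoers lookup order:", nsswitch_sudoers_order(NSSWITCH_SAMPLE))
    for cmd in ("/sbin/route", "/bin/ls"):
        print(cmd, compare(cmd))
```

Run it and the `/sbin/route` row shows the problem the thread describes: under the order-sensitive model the file order denies the command while the reversed order allows it, whereas the order-independent model denies it in both cases. If `sudoers:` lists `files` before `ldap`, a matching rule in /etc/sudoers is found before the directory is consulted at all, which is the first thing to check with `sudoers_debug` as suggested above.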