[sudo-users] Fwd: SUDO centralization based on Server!
neomatrixgem at gmail.com
Tue Sep 6 16:36:16 EDT 2011
No, in the nsswitch.conf file I have modified it to ldap, and my /etc/sudoers
file is also blank.
The only exception I did is I created a group as sysadmin, assigned the sudo
rules and put the user "bob" in that group.
I will add the debug setting tomorrow, and will see why it's permitting to
use the command.
Thanks for your help.
On Tue, Sep 6, 2011 at 10:31 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
> You CAN restrict a user from executing a command with SUDO and LDAP.
> Try setting:
> sudoers_debug 2
> then try running your command again. It sounds like something else may be
> permitting the command to be run.
> You should get a bunch of debug data that scrolls by, which should include
> the particular rule that matched.
> Do you have an /etc/sudoers rule that would be overriding your !/sbin/route?
> Sudo is first match, so depending on what you have in /etc/nsswitch.conf it
> is possible that it is matching a conf file before looking to ldap.
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T: +1 805.690.3478
> jr.aquino at citrixonline.com
> On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:
> > Hi,
> > If I understood correctly, I can't restrict a user from executing some
> > command by centralizing SUDO with OpenLDAP?
> > Regards,
> > Neo
> > On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <
> Todd.Miller at courtesan.com>wrote:
> >> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> >>> Someone else will have to chime in to confirm or deny my failing
> >>> but I do know that when using LDAP in general, there are no guarantees
> >>> as to the order that elements are returned from a search; leading from
> >>> that, I seem to recall reading somewhere that the behavior of sudo deny
> >>> rules when pulled from LDAP might not be the same as when reading rules
> >>> from a file, again 'cause you can't specify or enforce a rule order.
> >> That is correct; LDAP does not guarantee the order of the attributes
> >> within a sudoRole. Newer versions of sudo support a sudoOrder
> >> attribute but that only helps with ordering multiple sudoRoles.
> >> - todd
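The thread raises three things worth checking in a sudo-over-LDAP setup: which sources the `sudoers:` line in /etc/nsswitch.conf consults and in what order, sudoRole entries whose sudoCommand values mix allows with `!` denials (Todd's point that LDAP does not guarantee attribute order inside a sudoRole), and multiple sudoRoles with no sudoOrder attribute. The script below is an added example, not code from sudo or from anyone in the thread; it audits a constructed nsswitch fragment and a constructed LDIF export of an ou=SUDOers subtree. It only reports the configurations the thread describes as unreliable; it does not model sudo's own matching logic. The attribute names are the standard sudo LDAP schema ones; everything else (entry names, paths, the `audit` helper) is made up for the example.

```python
"""Audit helpers for a sudo-over-LDAP setup (added example, not sudo's code).

Checks: the lookup order on the nsswitch 'sudoers:' line, sudoRoles that mix
allow and '!' deny sudoCommand values in one entry (attribute order inside an
LDAP entry is not guaranteed), and granting sudoRoles that lack sudoOrder
(the only ordering between sudoRoles that LDAP-backed sudo provides)."""

from typing import Dict, List

# Constructed /etc/nsswitch.conf fragment; sudo reads the sources left to right.
SAMPLE_NSSWITCH = """\
passwd:   files ldap
group:    files ldap
# sudo consults these sources in order; a match in 'files' is used first
sudoers:  files ldap
"""

# Constructed LDIF export of an ou=SUDOers subtree (not real directory data).
SAMPLE_LDIF = """\
dn: cn=sysadmin,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sysadmin
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/sbin/route

dn: cn=ops,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: ops
sudoUser: bob
sudoHost: ALL
sudoCommand: /usr/bin/systemctl
sudoOrder: 10

dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: env_reset
"""


def parse_nsswitch_sudoers(text: str) -> List[str]:
    """Return the sources on the 'sudoers:' line in lookup order ([] if absent)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("sudoers:"):
            return line.split(":", 1)[1].split()
    return []


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, multi-valued
    attributes, and folded continuation lines (leading space)."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes last entry
        if raw.startswith(" ") and last_attr:  # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                    # entry separator
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def mixed_negation_roles(roles: List[Dict[str, List[str]]]) -> List[str]:
    """cn of sudoRoles whose sudoCommand values mix '!cmd' denials with allows.
    The directory may return those values in any order, so the role's
    effective meaning depends on the server rather than on the admin."""
    found = []
    for role in roles:
        cmds = role.get("sudoCommand", [])
        denies = [c for c in cmds if c.startswith("!")]
        if denies and len(denies) != len(cmds):
            found.append(role["cn"][0])
    return found


def roles_missing_order(roles: List[Dict[str, List[str]]]) -> List[str]:
    """cn of granting sudoRoles (ones with sudoUser) lacking sudoOrder, reported
    only when more than one granting role exists and ordering matters."""
    granting = [r for r in roles if "sudoUser" in r]
    if len(granting) < 2:
        return []
    return [r["cn"][0] for r in granting if "sudoOrder" not in r]


def audit(nsswitch_text: str, ldif_text: str) -> Dict[str, List[str]]:
    """Run all three checks and return the findings keyed by check name."""
    roles = parse_ldif(ldif_text)
    return {
        "sudoers_sources": parse_nsswitch_sudoers(nsswitch_text),
        "mixed_negation": mixed_negation_roles(roles),
        "missing_sudoOrder": roles_missing_order(roles),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_NSSWITCH, SAMPLE_LDIF).items():
        print(f"{name}: {finding}")
```

Run against the constructed data it reports `files` ahead of `ldap` as the lookup order (the situation JR describes, where a rule in the flat file can match before LDAP is consulted), flags `sysadmin` for mixing `ALL` with `!/sbin/route` in one entry, and flags `sysadmin` again for having no sudoOrder while another granting role does. To use it on a real deployment, replace the two constants with the contents of /etc/nsswitch.conf and an `ldapsearch -LLL` export of the sudoers subtree.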