[sudo-users] Fwd: SUDO centralization based on Server!

pradyumna dash neomatrixgem at gmail.com
Tue Sep 6 16:47:17 EDT 2011


So could you please send me an example for a user who is part of "groupA" and
"groupB" having different sudo rules? I tried all the possible ways but was
not able to achieve it. I know I am asking too much, but if you can, then it
would be great.

Regards,
Pradyumna

On Tue, Sep 6, 2011 at 10:44 PM, JR Aquino <JR.Aquino at citrix.com> wrote:

> If your user exists in 2 separate  Sudo Rules, which have different permit
> / deny settings, you will indeed find that sometimes you get different
> results.
> It is best to deliberately avoid having contradictory permit / deny lines
> in multiple ldap rules.
>
> This, I believe, is the reason for the SudoOrder attribute, as ldap may
> return a rule before another rule.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> On Sep 6, 2011, at 1:36 PM, pradyumna dash wrote:
>
> > Hi,
> >
> > No, in the nsswitch.conf file I have modified it to ldap, and my
> > /etc/sudoers file is also blank.
> >
> > The only exception I made is that I created a group, sysadmin, assigned the
> > sudo rules, and put the user "bob" in that group.
> > I will add the debug setting tomorrow and will see why it's permitting the
> > command to be used.
> >
> > Thanks for your help.
> >
> > Regards,
> > Neo
> >
> > On Tue, Sep 6, 2011 at 10:31 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
> > You CAN restrict a user from executing a command with SUDO and LDAP.
> > http://www.gratisoft.us/sudo/readme_ldap.html
> >
> > try setting:
> > /etc/ldap.conf
> > sudoers_debug 2
> >
> > then try running your command again. It sounds like something else may be
> permitting the command to be run.
> >
> > You should get a bunch of debug data that scrolls by, which should
> include the particular rule that matched.
> >
> > Do you have an /etc/sudoers rule that would be overriding your
> !/sbin/route ?
> >
> > Sudo is first match, so depending on what you have in /etc/nsswitch.conf
> it is possible that it is matching a conf file before looking to ldap.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Jr Aquino, GCIH | Information Security Specialist
> > Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> > T:  +1 805.690.3478
> > jr.aquino at citrixonline.com
> > http://www.citrixonline.com
> >
> > On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:
> >
> > > Hi,
> > >
> > > If I understood correctly, I can't restrict a user from executing some
> > > command by centralizing SUDO with OpenLDAP?
> > >
> > > Regards,
> > > Neo
> > >
> > >
> > > On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
> > >
> > >> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> > >>
> > >>> Someone else will have to chime in to confirm or deny my failing memory,
> > >>> but I do know that when using LDAP in general, there are no guarantees
> > >>> as to the order that elements are returned from a search; leading from
> > >>> that, I seem to recall reading somewhere that the behavior of sudo deny
> > >>> rules when pulled from LDAP might not be the same as when reading rules
> > >>> from a file, again 'cause you can't specify or enforce a rule order.
> > >>
> > >> That is correct; LDAP does not guarantee the order of the attributes
> > >> within a sudoRole.  Newer versions of sudo support a sudoOrder
> > >> attribute but that only helps with ordering multiple sudoRoles.
> > >>
> > >> - todd
> > >>
> > > ____________________________________________________________
> > > sudo-users mailing list <sudo-users at sudo.ws>
> > > For list information, options, or to unsubscribe, visit:
> > > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
> >
>
>
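As an added example (not code from this thread, and not the sudo project's own code), the following Python script is a small model of the rule evaluation the replies describe, so the groupA/groupB case asked about at the top can be tried out. It follows what sudoers.ldap(5) documents: the sudoRole entries that match the user are sorted by sudoOrder (a missing sudoOrder counts as 0) and the highest matching entry wins, like the last-match rule of a sudoers file. The permit and the deny are deliberately kept in two separate sudoRole entries, because the order of sudoCommand values inside one entry is not guaranteed. The base DN, group names, role names and commands are constructed for the example; host matching, command arguments and wildcards are left out.

```python
"""Added example: model sudo's LDAP sudoRole evaluation to show why a user in
two groups with contradictory rules gets order-dependent answers until
sudoOrder is set.  Behaviour modelled after sudoers.ldap(5); all directory
content below is constructed for the example."""


def to_ldif(role, base_dn="ou=SUDOers,dc=example,dc=com"):
    """Render a role dict as the LDIF entry an admin would load (base DN is a
    constructed placeholder)."""
    lines = [f"dn: cn={role['cn']},{base_dn}", "objectClass: top",
             "objectClass: sudoRole", f"cn: {role['cn']}"]
    for attr in ("sudoUser", "sudoHost", "sudoCommand"):
        lines += [f"{attr}: {value}" for value in role[attr]]
    if "sudoOrder" in role:
        lines.append(f"sudoOrder: {role['sudoOrder']}")
    return "\n".join(lines)


# Constructed sample directory content.  groupA may run anything; groupB is
# explicitly denied /sbin/route.  The permit and the deny live in separate
# sudoRole entries on purpose: the order of sudoCommand values inside ONE
# entry is not guaranteed, so a "!" rule can only be made reliable across
# entries, via sudoOrder.
ROLES_UNORDERED = [
    {"cn": "groupA_all", "sudoUser": ["%groupA"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"]},
    {"cn": "groupB_noroute", "sudoUser": ["%groupB"], "sudoHost": ["ALL"],
     "sudoCommand": ["!/sbin/route"]},
]

# Same rules with sudoOrder: the deny carries the higher value, so it is
# evaluated last and wins whenever it matches.
ROLES_ORDERED = [
    dict(ROLES_UNORDERED[0], sudoOrder=1),
    dict(ROLES_UNORDERED[1], sudoOrder=10),
]


def user_matches(role, user, groups):
    """True if any sudoUser value names the user, one of their groups, or ALL."""
    for spec in role["sudoUser"]:
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def command_verdict(role, command):
    """Per-role result: True = permit, False = deny, None = nothing matched.
    Within a role the last matching sudoCommand value wins, but LDAP does not
    preserve attribute order, so that order is whatever the server sent."""
    verdict = None
    for spec in role["sudoCommand"]:
        negated = spec.startswith("!")
        pattern = spec[1:] if negated else spec
        if pattern == "ALL" or pattern == command:
            verdict = not negated
    return verdict


def sudo_decision(roles, user, groups, command):
    """Model of the LDAP lookup: keep the roles that match the user, sort them
    by sudoOrder (absent = 0), and let the last matching command decide.
    Python's sort is stable, so roles with equal sudoOrder keep the order the
    directory returned them in, which is exactly the non-determinism at issue."""
    matching = [r for r in roles if user_matches(r, user, groups)]
    matching.sort(key=lambda r: float(r.get("sudoOrder", 0)))
    decision = False  # no matching rule: sudo refuses
    for role in matching:
        verdict = command_verdict(role, command)
        if verdict is not None:
            decision = verdict
    return decision


def order_dependent(roles, user, groups, command):
    """True if the answer flips when the directory returns the roles in the
    opposite order, i.e. the rule set is ambiguous for this user and command."""
    forward = sudo_decision(roles, user, groups, command)
    backward = sudo_decision(list(reversed(roles)), user, groups, command)
    return forward != backward


if __name__ == "__main__":
    bob = ("bob", {"groupA", "groupB"})
    for label, roles in (("without sudoOrder", ROLES_UNORDERED),
                         ("with sudoOrder", ROLES_ORDERED)):
        ambiguous = order_dependent(roles, *bob, "/sbin/route")
        state = "order dependent" if ambiguous else "deterministic"
        print(f"{label}: /sbin/route for bob is {state}")
    print("\n".join(to_ldif(r) for r in ROLES_ORDERED))
```

Running the script reports that, without sudoOrder, bob's access to /sbin/route depends on which entry the directory happens to return first, while with sudoOrder the deny always wins; it then prints the two LDIF entries. Turning on `sudoers_debug 2` as suggested in the thread is the way to see which real entry matched on a live system.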
