[sudo-users] SUDO centralization based on Server!

JR Aquino JR.Aquino at citrix.com
Tue Sep 6 16:54:16 EDT 2011


I would first recommend trying sudoers_debug 2 in your /etc/ldap.conf

As I mentioned before, it will show you the exact rule and permit that is allowing that to occur.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jr Aquino, GCIH | Information Security Specialist
Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
T:  +1 805.690.3478
jr.aquino at citrixonline.com
http://www.citrixonline.com

On Sep 6, 2011, at 1:44 PM, JR Aquino wrote:

> If your user exists in 2 separate Sudo Rules, which have different permit / deny settings, you will indeed find that sometimes you get different results.
> It is best to deliberately avoid having contradictory permit / deny lines in multiple ldap rules.
> 
> This, I believe, is the reason for the SudoOrder attribute, as ldap may return a rule before another rule.
> 
> 
> On Sep 6, 2011, at 1:36 PM, pradyumna dash wrote:
> 
>> Hi,
>> 
>> No, in the nsswitch.conf file I have modified it to ldap, and my /etc/sudoers file is also blank.
>> 
>> The only exception I made is that I created a group called sysadmin, assigned it the sudo rules, and put the user "bob" in that group.
>> I will add the debug setting tomorrow and will see why it's permitting the command to be used.
>> 
>> Thanks for your help.
>> 
>> Regards,
>> Neo
>> 
>> On Tue, Sep 6, 2011 at 10:31 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>> You CAN restrict a user from executing a command with SUDO and LDAP.
>> http://www.gratisoft.us/sudo/readme_ldap.html
>> 
>> try setting:
>> /etc/ldap.conf
>> sudoers_debug 2
>> 
>> then try running your command again. It sounds like something else may be permitting the command to be run.
>> 
>> You should get a bunch of debug data that scrolls by, which should include the particular rule that matched.
>> 
>> Do you have an /etc/sudoers rule that would be overriding your !/sbin/route ?
>> 
>> Sudo is first match, so depending on what you have in /etc/nsswitch.conf it is possible that it is matching a conf file before looking to ldap.
>> 
>> 
>> On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:
>> 
>>> Hi,
>>> 
>>> If I understood correctly, I can't restrict a user from executing some
>>> command by centralizing SUDO with OpenLDAP?
>>> 
>>> Regards,
>>> Neo
>>> 
>>> 
>>> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <Todd.Miller at courtesan.com> wrote:
>>> 
>>>> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
>>>> 
>>>>> Someone else will have to chime in to confirm or deny my failing memory,
>>>>> but I do know that when using LDAP in general, there are no guarantees
>>>>> as to the order that elements are returned from a search; leading from
>>>>> that, I seem to recall reading somewhere that the behavior of sudo deny
>>>>> rules when pulled from LDAP might not be the same as when reading rules
>>>>> from a file, again 'cause you can't specify or enforce a rule order.
>>>> 
>>>> That is correct; LDAP does not guarantee the order of the attributes
>>>> within a sudoRole.  Newer versions of sudo support a sudoOrder
>>>> attribute but that only helps with ordering multiple sudoRoles.
>>>> 
>>>> - todd
>>>> 
>> 
>> 
> 
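The thread boils down to three checks on the client: which sources the sudoers line in nsswitch.conf lists and in what order, whether a file rule names the user or group before LDAP is consulted, and whether sudoers_debug is actually set in /etc/ldap.conf. The script below is an added example for doing those checks, not something posted in the thread or shipped with sudo; the sample nsswitch.conf, sudoers and ldap.conf it writes to a temporary directory are constructed to mirror Neo's setup (the sysadmin group and user bob come from the thread; ldap.example.com and the sudoers_base are placeholders).

```shell
#!/bin/sh
# Added example (not from the thread): small audit helper for the checks JR suggests.

# sudoers_sources FILE
#   Prints the sources on the "sudoers:" line of an nsswitch.conf, in lookup order,
#   space separated, with any trailing comment removed.
sudoers_sources() {
    awk -F: '/^[[:space:]]*sudoers[[:space:]]*:/ {
        sub(/#.*/, "", $2)
        n = split($2, a, /[[:space:]]+/)
        out = ""
        for (i = 1; i <= n; i++)
            if (a[i] != "") out = out (out == "" ? "" : " ") a[i]
        print out
    }' "$1"
}

# file_rules_for FILE NAME
#   Prints the user specifications in a sudoers-style file whose first word is the
#   user NAME or the group %NAME. Comments and Defaults lines are skipped. This is a
#   quick grep, not a parser: it does not expand User_Alias entries or follow
#   #include / @include directives, so an empty result is not proof of no file rule.
file_rules_for() {
    awk -v who="$2" '
        /^[[:space:]]*#/        { next }   # comments (and #include lines)
        /^[[:space:]]*Defaults/ { next }   # Defaults do not grant commands
        $1 == who || $1 == ("%" who) { print }
    ' "$1"
}

# ldap_debug_level FILE
#   Prints the sudoers_debug value configured in an ldap.conf, or 0 if unset.
ldap_debug_level() {
    awk '/^[[:space:]]*sudoers_debug[[:space:]]/ { v = $2 }
         END { print (v == "" ? 0 : v) }' "$1"
}

# setup_sample
#   Writes constructed sample files (assumption: they mirror the thread's setup) to a
#   temporary directory and prints its path. Real systems use /etc/nsswitch.conf,
#   /etc/sudoers (plus /etc/sudoers.d) and /etc/ldap.conf.
setup_sample() {
    sample=$(mktemp -d)
    cat > "$sample/nsswitch.conf" <<'EOF'
passwd: files ldap
sudoers: files ldap   # files are consulted before ldap
EOF
    cat > "$sample/sudoers" <<'EOF'
# constructed sample: a leftover file rule that would match before LDAP is asked
Defaults env_reset
%sysadmin ALL=(ALL) ALL
EOF
    cat > "$sample/ldap.conf" <<'EOF'
uri ldap://ldap.example.com
sudoers_base ou=SUDOers,dc=example,dc=com
sudoers_debug 2
EOF
    echo "$sample"
}

# audit DIR NAME
#   Runs the three checks against the config files in DIR for user/group NAME.
audit() {
    cfg=$1; who=$2
    echo "sudoers lookup order: $(sudoers_sources "$cfg/nsswitch.conf")"
    echo "file rules naming $who or %$who:"
    file_rules_for "$cfg/sudoers" "$who" | sed 's/^/  /'
    echo "sudoers_debug in ldap.conf: $(ldap_debug_level "$cfg/ldap.conf")"
}

# Usage with the constructed sample; point audit at /etc to inspect a real host.
sample_dir=$(setup_sample)
audit "$sample_dir" sysadmin
rm -rf "$sample_dir"
```

With the sample files the audit reports `files ldap` as the lookup order and finds `%sysadmin ALL=(ALL) ALL` in the file, which is exactly the situation JR describes: a file rule matching before LDAP is consulted. Once the grep points at a suspect rule, confirm what sudo itself resolves with `sudo -l -U bob` as root, and use the sudoers_debug 2 output to see which rule actually matched.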
