[sudo-users] SUDO centralization based on Server!

pradyumna dash neomatrixgem at gmail.com
Tue Sep 6 16:55:21 EDT 2011


Sure will try tomorrow and will get back.

Thank you so much.

Regards,
Pradyumna

On Tue, Sep 6, 2011 at 10:54 PM, JR Aquino <JR.Aquino at citrix.com> wrote:

> I would first recommend trying sudoers_debug 2 in your /etc/ldap.conf.
>
> As I mentioned before, it will show you the exact rule and permit that is
> allowing that to occur.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jr Aquino, GCIH | Information Security Specialist
> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> T:  +1 805.690.3478
> jr.aquino at citrixonline.com
> http://www.citrixonline.com
>
> On Sep 6, 2011, at 1:44 PM, JR Aquino wrote:
>
> > If your user exists in 2 separate Sudo Rules, which have different
> > permit / deny settings, you will indeed find that sometimes you get
> > different results.
> > It is best to deliberately avoid having contradictory permit / deny lines
> > in multiple ldap rules.
> >
> > This, I believe, is the reason for the SudoOrder attribute, as ldap may
> > return a rule before another rule.
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Jr Aquino, GCIH | Information Security Specialist
> > Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> > T:  +1 805.690.3478
> > jr.aquino at citrixonline.com
> > http://www.citrixonline.com
> >
> > On Sep 6, 2011, at 1:36 PM, pradyumna dash wrote:
> >
> >> Hi,
> >>
> >> No, in the nsswitch.conf file I have modified it to ldap, and my
> >> /etc/sudoers file is also blank.
> >>
> >> The only exception I made is that I created a group, sysadmin, assigned
> >> the sudo rules to it, and put the user "bob" in that group.
> >> I will add the debug setting tomorrow, and will see why it's permitting
> >> the command to be used.
> >>
> >> Thanks for your help.
> >>
> >> Regards,
> >> Neo
> >>
> >> On Tue, Sep 6, 2011 at 10:31 PM, JR Aquino <JR.Aquino at citrix.com>
> wrote:
> >> You CAN restrict a user from executing a command with SUDO and LDAP.
> >> http://www.gratisoft.us/sudo/readme_ldap.html
> >>
> >> try setting:
> >> /etc/ldap.conf
> >> sudoers_debug 2
> >>
> >> then try running your command again. It sounds like something else may
> be permitting the command to be run.
> >>
> >> You should get a bunch of debug data that scrolls by, which should
> include the particular rule that matched.
> >>
> >> Do you have an /etc/sudoers rule that would be overriding your
> !/sbin/route ?
> >>
> >> Sudo is first match, so depending on what you have in /etc/nsswitch.conf
> it is possible that it is matching a conf file before looking to ldap.
> >>
> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >> Jr Aquino, GCIH | Information Security Specialist
> >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
> >> T:  +1 805.690.3478
> >> jr.aquino at citrixonline.com
> >> http://www.citrixonline.com
> >>
> >> On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:
> >>
> >>> Hi,
> >>>
> >>> If I understood correctly, I can't restrict a user from executing some
> >>> command by centralizing SUDO with OpenLDAP?
> >>>
> >>> Regards,
> >>> Neo
> >>>
> >>>
> >>> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <
> Todd.Miller at courtesan.com>wrote:
> >>>
> >>>> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
> >>>>
> >>>>> Someone else will have to chime in to confirm or deny my failing memory,
> >>>>> but I do know that when using LDAP in general, there are no guarantees
> >>>>> as to the order that elements are returned from a search; leading from
> >>>>> that, I seem to recall reading somewhere that the behavior of sudo deny
> >>>>> rules when pulled from LDAP might not be the same as when reading rules
> >>>>> from a file, again 'cause you can't specify or enforce a rule order.
> >>>>
> >>>> That is correct; LDAP does not guarantee the order of the attributes
> >>>> within a sudoRole.  Newer versions of sudo support a sudoOrder
> >>>> attribute but that only helps with ordering multiple sudoRoles.
> >>>>
> >>>> - todd
> >>>>
> >>> ____________________________________________________________
> >>> sudo-users mailing list <sudo-users at sudo.ws>
> >>> For list information, options, or to unsubscribe, visit:
> >>> http://www.sudo.ws/mailman/listinfo/sudo-users
> >>
> >>
> >
>
>
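The following LDIF is an added illustration of the layout the thread converges on; it is not something any participant posted. It models the situation described above (a sysadmin group that should get broad sudo rights except for /sbin/route) as two separate sudoRole entries rather than one role mixing a permit and a negated command, because, as Todd notes, LDAP does not guarantee the order of attributes within a single sudoRole, while sudoOrder does let you order distinct roles. The base DN dc=example,dc=com, the ou=SUDOers container and the cn values are assumptions; substitute your own sudoers_base. The deny role is given the higher sudoOrder because sudoers.ldap(5) documents that, when several roles match, the one with the highest sudoOrder is chosen (the LDAP counterpart of the sudoers file's last-match behaviour).

```ldif
# Added example, not from the thread. Assumed container: ou=SUDOers,dc=example,dc=com
# Requires a sudo/schema that includes the sudoOrder attribute (newer sudo releases).

# Broad permit for the group. Lower sudoOrder, so it is the "earlier" match.
dn: cn=sysadmin_all,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sysadmin_all
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 10

# Deny for /sbin/route, kept in its own role so the result does not depend
# on the (unordered) position of a negated sudoCommand inside one role.
# Higher sudoOrder: when both roles match a "sudo /sbin/route" request,
# this is the role sudo picks, so the request is denied. For any other
# command this role does not match and sysadmin_all applies.
dn: cn=sysadmin_noroute,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: sysadmin_noroute
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: !/sbin/route
sudoOrder: 20
```

After loading these entries, `sudoers_debug 2` in /etc/ldap.conf (as JR suggests) will print which role matched for a given command, which is the quickest way to confirm that sysadmin_noroute rather than sysadmin_all is being selected for /sbin/route. Two caveats that hold regardless of the LDAP layout: make sure no file-based source listed before ldap in /etc/nsswitch.conf is also matching the user, and remember that a "!" negation in sudo is not a hard boundary when the same user is otherwise allowed ALL, since a copy of the denied binary under another path will still run.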