[sudo-users] SUDO centralization based on Server!

pradyumna dash neomatrixgem at gmail.com
Thu Sep 8 03:25:05 EDT 2011


Hi,

As suggested, I tried the sudoers_debug in my ldap.conf file and here is the
output.

>sudo -l
LDAP Config Summary
===================
uri          ldaps://server1.example.com
ldap_version 3
sudoers_base ou=SUDOers,dc=example,dc=com
binddn       (anonymous)
bindpw       (anonymous)
ssl          on
tls_checkpeer    (no)
===================
sudo: ldap_initialize(ld, ldaps://server1.example.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option(LDAP_OPT_X_TLS, LDAP_OPT_X_TLS_HARD)

sudo: ldap_simple_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"'
sudo: unknown defaults entry `env_keep ' referenced near line 1
sudo: ldap search '(|(sudoUser=bob)(sudoUser=%sysadm)(sudoUser=ALL))'
sudo: found:cn=%sysadm,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
sudo: user_matches=-1
sudo: host_matches=-1
sudo: sudo_ldap_check(50)=0x02
User bob may run the following commands on this host:

LDAP Role: %sysadm
  Commands:
    /sbin/shutdown
    /sbin/halt
    /sbin/reboot
    /sbin/yast2
    /sbin/date
    /sbin/kill
    /usr/bin/killall
    /usr/bin/passwd
    /bin/su
    /bin/rpm
    /sbin/ifconfig
    /sbin/ifup
    !/sbin/route

Here user "bob" is a member of the "sysadm" group. When I log in as bob and
try "sudo -l" it asks me for bob's password; when I provide the password it
shows me the above list of commands, which is correct.  But I am allowed to
use "/sbin/route", which I should not be.  Please guide me how to resolve
this issue.

Regards,
Neo.

On Tue, Sep 6, 2011 at 10:55 PM, pradyumna dash <neomatrixgem at gmail.com> wrote:

> Sure will try tomorrow and will get back.
>
> Thank you so much.
>
> Regards,
> Pradyumna
>
>
> On Tue, Sep 6, 2011 at 10:54 PM, JR Aquino <JR.Aquino at citrix.com> wrote:
>
>> I would first recommend trying sudoers_debug 2 in your /etc/ldap.conf
>>
>> As I mentioned before, it will show you the exact rule and permit that is
>> allowing that to occur.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> Jr Aquino, GCIH | Information Security Specialist
>> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> T:  +1 805.690.3478
>> jr.aquino at citrixonline.com
>> http://www.citrixonline.com
>>
>> On Sep 6, 2011, at 1:44 PM, JR Aquino wrote:
>>
>> > If your user exists in 2 separate Sudo Rules, which have different
>> permit / deny settings, you will indeed find that sometimes you get
>> different results.
>> > It is best to deliberately avoid having contradictory permit / deny
>> lines in multiple ldap rules.
>> >
>> > This, I believe, is the reason for the SudoOrder attribute, as ldap may
>> return a rule before another rule.
>> >
>> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> > Jr Aquino, GCIH | Information Security Specialist
>> > Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> > T:  +1 805.690.3478
>> > jr.aquino at citrixonline.com
>> > http://www.citrixonline.com
>> >
>> > On Sep 6, 2011, at 1:36 PM, pradyumna dash wrote:
>> >
>> >> Hi,
>> >>
>> >> No, in the nsswitch.conf file I have modified it to ldap, and my
>> /etc/sudoers file is also blank.
>> >>
>> >> The only exception I made is that I created a group as sysadmin, assigned
>> the sudo rules and put the user "bob" in that group.
>> >> I will add the debug setting tomorrow, and will see why it's permitting
>> the command to be used.
>> >>
>> >> Thanks for your help.
>> >>
>> >> Regards,
>> >> Neo
>> >>
>> >> On Tue, Sep 6, 2011 at 10:31 PM, JR Aquino <JR.Aquino at citrix.com>
>> wrote:
>> >> You CAN restrict a user from executing a command with SUDO and LDAP.
>> >> http://www.gratisoft.us/sudo/readme_ldap.html
>> >>
>> >> try setting:
>> >> /etc/ldap.conf
>> >> sudoers_debug 2
>> >>
>> >> then try running your command again. It sounds like something else may
>> be permitting the command to be run.
>> >>
>> >> You should get a bunch of debug data that scrolls by, which should
>> include the particular rule that matched.
>> >>
>> >> Do you have an /etc/sudoers rule that would be overriding your
>> !/sbin/route ?
>> >>
>> >> Sudo is first match, so depending on what you have in
>> /etc/nsswitch.conf it is possible that it is matching a conf file before
>> looking to ldap.
>> >>
>> >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> >> Jr Aquino, GCIH | Information Security Specialist
>> >> Citrix Online | 7408 Hollister Avenue | Goleta, CA 93117
>> >> T:  +1 805.690.3478
>> >> jr.aquino at citrixonline.com
>> >> http://www.citrixonline.com
>> >>
>> >> On Sep 6, 2011, at 1:21 PM, pradyumna dash wrote:
>> >>
>> >>> Hi,
>> >>>
>> >>> If I understood correctly, I can't restrict a user from executing some
>> >>> command by centralizing SUDO with OpenLDAP?
>> >>>
>> >>> Regards,
>> >>> Neo
>> >>>
>> >>>
>> >>> On Tue, Sep 6, 2011 at 8:41 PM, Todd C. Miller <
>> Todd.Miller at courtesan.com> wrote:
>> >>>
>> >>>> On Tue, 06 Sep 2011 13:33:17 CDT, Patrick Spinler wrote:
>> >>>>
>> >>>>> Someone else will have to chime in to confirm or deny my failing
>> memory,
>> >>>>> but I do know that when using LDAP in general, there are no
>> guarantees
>> >>>>> as to the order that elements are returned from a search; leading
>> from
>> >>>>> that, I seem to recall reading somewhere that the behavior of sudo
>> deny
>> >>>>> rules when pulled from LDAP might not be the same as when reading
>> rules
>> >>>>> from a file, again 'cause you can't specify or enforce a rule order.
>> >>>>
>> >>>> That is correct; LDAP does not guarantee the order of the attributes
>> >>>> within a sudoRole.  Newer versions of sudo support a sudoOrder
>> >>>> attribute but that only helps with ordering multiple sudoRoles.
>> >>>>
>> >>>> - todd
>> >>>>
>> >>> ____________________________________________________________
>> >>> sudo-users mailing list <sudo-users at sudo.ws>
>> >>> For list information, options, or to unsubscribe, visit:
>> >>> http://www.sudo.ws/mailman/listinfo/sudo-users
>> >>
>> >>
>> >
>>
>>
>
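The advice in the thread is to find which sudoRole entries grant or deny a command and to remove contradictory permit/deny lines spread across several roles, since only sudoOrder then decides between them. The script below is an added example, not code from the thread or from sudo itself: it audits an LDIF dump of the ou=SUDOers tree for such conflicts. The LDIF text is constructed, and the `netops` role is invented to show a cross-role conflict for bob on /sbin/route.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the thread's ou=SUDOers tree; the netops role is invented.
SAMPLE_LDIF = """\
dn: cn=%sysadm,ou=SUDOers,dc=example,dc=com
cn: %sysadm
sudoUser: %sysadm
sudoCommand: /sbin/ifconfig
sudoCommand: !/sbin/route
sudoOrder: 10

dn: cn=netops,ou=SUDOers,dc=example,dc=com
cn: netops
sudoUser: bob
sudoCommand: /sbin/route add
sudoOrder: 20
"""
def parse_ldif(text):
    """Split LDIF text into entries, each a dict of attribute -> [values]."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        entries.append(entry)
    return entries

def matching_roles(entries, user, groups):
    """Roles whose sudoUser names the user, one of its %groups, or ALL (netgroups not modelled)."""
    wanted = {user, "ALL"} | {"%" + g for g in groups}
    return [e for e in entries if wanted & set(e.get("sudoUser", []))]

def verdicts(entries, user, groups, command):
    """(cn, sudoOrder, 'permit'|'deny') per sudoCommand covering the command, sorted by sudoOrder."""
    found = []
    for e in matching_roles(entries, user, groups):
        order = float(e.get("sudoOrder", ["0"])[0])  # missing sudoOrder is treated as 0
        for value in e.get("sudoCommand", []):
            path = value.lstrip("!").split()[0]  # drop '!' and any argument list
            if path in (command, "ALL"):         # ALL counts as a permit for any command
                found.append((e["cn"][0], order, "deny" if value.startswith("!") else "permit"))
    return sorted(found, key=lambda v: v[1])

def conflicting_roles(entries, user, groups, command):
    """Roles that between them both permit and deny the command: the contradiction to remove."""
    kinds = defaultdict(set)
    for cn, _, kind in verdicts(entries, user, groups, command):
        kinds[kind].add(cn)
    return sorted(kinds["permit"] | kinds["deny"]) if kinds["permit"] and kinds["deny"] else []
```

Feed it the output of an `ldapsearch -LLL` over the sudoers_base and call `conflicting_roles` for each user and command you care about; an empty list means every role agrees and the result no longer depends on rule ordering.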