[sudo-users] debug sudo

Todd C. Miller Todd.Miller at courtesan.com
Fri Aug 31 09:44:33 EDT 2012


On Thu, 30 Aug 2012 15:14:23 -0000, "DUEBI Bernhard" wrote:

> I have a strange problem and I don't know how to analyze it.
> I have a number of Solaris 10 X64 machines, which are LDAP/Kerberos integrated. The sudoers is stored in LDAP too.
> I created a sudo role to allow a number of (LDAP) users to execute a script under the (local) application user without a password. It works perfect for all but one user. This user has the following privileges:
> 
> User calb may run the following commands on this host:
>     (root, orc, informix, e2e, euwax) ALL
>   (orc) NOPASSWD: /opt/orc/bin/orc_console
> 
> When he executes orc_console, sudo immediately asks for a password. I already tried to call sudo -D9 but this doesn't really help.

The problem is that LDAP does not guarantee any order for the query
results.  Since you have two overlapping rules, you may end up with
the rule that requires a password overriding the rule that requires
no password.

If you temporarily add a line like:

sudoers_debug 2

to /etc/ldap.conf you should be able to see what is getting matched.

If the two rules are contained in different sudoRoles, you can work
around this in one of two ways:

1) Exclude /opt/orc/bin/orc_console from the less specific rule
   to prevent it from matching.

2) If you are running sudo 1.8.2 or higher (or 1.7.5-1.7.9) you
   can add explicit ordering using the sudoOrder attribute.  That
   requires that your LDAP schema also support sudoOrder.

 - todd
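The two workarounds from the reply, written out as sudoRole entries. This is an added illustration built from the privilege listing in the original question, not the poster's real directory data or anything from Todd's message; the base DN, the cn values and the sudoHost value are assumptions.

```ldif
# Constructed example entries for the two workarounds (not real directory data).
# Base DN, cn values and sudoHost are assumed; the RunAs users and the command
# path are taken from the "sudo -l" output in the question.

# Workaround 1: the broad role excludes orc_console with a negated sudoCommand,
# so only the NOPASSWD role can ever match that command, whatever order the
# LDAP server returns the two entries in.
dn: cn=app_users_all,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: app_users_all
sudoUser: calb
sudoHost: ALL
sudoRunAsUser: root
sudoRunAsUser: orc
sudoRunAsUser: informix
sudoRunAsUser: e2e
sudoRunAsUser: euwax
sudoCommand: ALL
sudoCommand: !/opt/orc/bin/orc_console
sudoOrder: 10

# Workaround 2: explicit ordering (needs sudo 1.8.2+ or 1.7.5-1.7.9 and a
# schema that defines sudoOrder). The entry with the highest sudoOrder is
# evaluated last and wins, so the NOPASSWD role gets the larger value.
# "!authenticate" is the LDAP spelling of NOPASSWD.
dn: cn=orc_console_nopasswd,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: orc_console_nopasswd
sudoUser: calb
sudoHost: ALL
sudoRunAsUser: orc
sudoCommand: /opt/orc/bin/orc_console
sudoOption: !authenticate
sudoOrder: 20
```

Either change on its own resolves the nondeterminism; with "sudoers_debug 2" in /etc/ldap.conf you can confirm which entry sudo ends up matching for calb.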
