[sudo-users] sudo ldap and local sudoers messy situation
Todd C. Miller
Todd.Miller at courtesan.com
Sun Dec 30 14:46:06 EST 2012
On Fri, 28 Dec 2012 10:31:17 +0200, Onur Yalazı wrote:
> I'm trying to integrate sudo and ldap and everything with ldap works
> like a charm on ubuntu 12.04.
>
> But there is a problem while using local system user and sudoers file as
> a fallback. If ldap integration is on and sudoing with a system user
> and sudoers file, sudo won't change uid and gid to 0, but change euid
> and to 0. Disabling sudoers ldap integration makes the problem disappear.

What version of sudo are you running? I'm unable to reproduce this
on Ubuntu 12.04 with the Ubuntu sudo-ldap 1.8.3p1 package.

    $ grep sudoers /etc/nsswitch.conf
    sudoers: ldap files

I created a local test user with sudoers permission in /etc/sudoers

    # su testuser
    $ sudo -ll
    Matching Defaults entries for testuser on this host:
        env_reset,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
        log_output,

    Runas and Command-specific defaults for testuser:
        Defaults!/usr/bin/sudoreplay !log_output

    User testuser may run the following commands on this host:

    Sudoers entry:
        RunAsUsers: root
        Commands:
            ALL

    $ sudo id
    uid=0(root) gid=0(root) groups=0(root)

Can you show the output of "sudo -ll" run by sysbot? It looks like
the stay_setuid option might be set in sudoers, though I would expect
that to affect the ldap case too.

- todd
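
The two checks discussed in the message above (whether the real and effective IDs differ under sudo, and whether stay_setuid appears in the "sudo -ll" Defaults), as an added example that is not part of the original post. The function names and sample inputs are constructed, and a Linux /proc filesystem is assumed.

```shell
#!/bin/sh
# Added diagnostic sketch; check_ids and has_stay_setuid are hypothetical names.
# Real use (assumes Linux /proc):
#   sudo cat /proc/self/status | check_ids
#   sudo -ll | has_stay_setuid && echo "stay_setuid is enabled"

# Read /proc/<pid>/status text on stdin and report whether the real,
# effective and saved IDs agree. Each Uid:/Gid: line holds four values:
# real, effective, saved, filesystem.
check_ids() {
    awk '
        $1 == "Uid:" || $1 == "Gid:" {
            seen++
            if ($2 != $3 || $3 != $4)
                bad = bad sprintf(" %s real=%s effective=%s saved=%s", $1, $2, $3, $4)
        }
        END {
            if (seen != 2)      print "error: Uid:/Gid: lines not found"
            else if (bad != "") print "mismatch:" bad
            else                print "ok"
        }'
}

# Read "sudo -ll" output on stdin; succeed only if stay_setuid is listed as
# an enabled option. The negated form "!stay_setuid" does not count.
has_stay_setuid() {
    awk '
        {
            n = split($0, tok, /[, \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] == "stay_setuid") found = 1
        }
        END { exit !found }'
}

# Constructed sample: the IDs a command would show when only the effective
# IDs were switched to root (the symptom described in the quoted report).
SAMPLE_STAY_SETUID='Name:	cat
Uid:	1001	0	0	0
Gid:	1001	0	0	0'

printf '%s\n' "$SAMPLE_STAY_SETUID" | check_ids
```
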