[sudo-users] sudo ldap and local sudoers messy situation

Todd C. Miller Todd.Miller at courtesan.com
Sun Dec 30 14:46:06 EST 2012


On Fri, 28 Dec 2012 10:31:17 +0200, Onur Yalazı wrote:

> I'm trying to integrate sudo and ldap, and everything with ldap works
> like a charm on Ubuntu 12.04.
> 
> But there is a problem while using a local system user and the sudoers file as
> a fallback. If ldap integration is on and sudo'ing with a system user
> and the sudoers file, sudo won't change uid and gid to 0, but changes euid
> and to 0. Disabling sudoers ldap integration makes the problem disappear.

What version of sudo are you running?  I'm unable to reproduce this
on Ubuntu 12.04 with the Ubuntu sudo-ldap 1.8.3p1 package.

$ grep sudoers /etc/nsswitch.conf 
sudoers:	ldap files

I created a local test user with sudoers permission in /etc/sudoers

# su testuser
$ sudo -ll
Matching Defaults entries for testuser on this host:
    env_reset,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    log_output,

Runas and Command-specific defaults for testuser:
    Defaults!/usr/bin/sudoreplay !log_output

User testuser may run the following commands on this host:

Sudoers entry:
    RunAsUsers: root
    Commands:
	ALL

$ sudo id
uid=0(root) gid=0(root) groups=0(root)

Can you show the output of "sudo -ll" run by sysbot?  It looks like
the stay_setuid option might be set in sudoers, though I would expect
that to affect the ldap case too.

 - todd
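A small diagnostic, added here and not part of the thread, for checking the two things Todd's reply turns on: the sudoers lookup order in nsswitch.conf and whether the real uid/gid became 0 rather than only the effective ids (the symptom reported above). The nsswitch.conf text is a constructed sample; the function names are mine.

```shell
#!/bin/sh
# Added diagnostic helper; not code from the sudo project or this thread.

# Constructed nsswitch.conf sample with the same sudoers line as above.
NSSWITCH_SAMPLE='passwd:         compat
sudoers:	ldap files
hosts:          files dns'

# Print the sudoers sources, in lookup order, from nsswitch.conf-style
# text on stdin (e.g. "ldap files" means ldap is tried first, then the
# local /etc/sudoers file as the fallback).
sudoers_sources() {
    awk -F: '$1 == "sudoers" {
        sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit
    }'
}

# Print "uid=<real>/<effective> gid=<real>/<effective>" for the calling
# process and fail (return 1) if real and effective ids differ.  Run as
# "sudo sh thisscript.sh": a healthy sudo shows uid=0/0 gid=0/0, while
# the problem described in the thread would show uid=<user>/0.
id_consistency() {
    ruid=$(id -ru); euid=$(id -u); rgid=$(id -rg); egid=$(id -g)
    printf 'uid=%s/%s gid=%s/%s\n' "$ruid" "$euid" "$rgid" "$egid"
    [ "$ruid" = "$euid" ] && [ "$rgid" = "$egid" ]
}

# Stand-alone use: report the real system's lookup order, then the ids.
if [ -r /etc/nsswitch.conf ]; then
    printf 'sudoers sources: %s\n' "$(sudoers_sources < /etc/nsswitch.conf)"
fi
id_consistency || echo 'real and effective ids differ'
```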
