[sudo-users] sudo ldap and local sudoers messy situation
onuryalazi at mersin.edu.tr
Mon Dec 31 02:09:02 EST 2012
On 12/30/2012 09:46 PM, Todd C. Miller wrote:
> What version of sudo are you running? I'm unable to reproduce this
> on Ubuntu 12.04 with the Ubuntu sudo-ldap 1.8.3p1 package.
I normally use 1.8.3p1, but I've upgraded it to Quantal's
1.8.5p2-1ubuntu1 package to have sudo debugging.
> $ grep sudoers /etc/nsswitch.conf
> sudoers: ldap files
> I created a local test user with sudoers permission in /etc/sudoers
> # su testuser
> $ sudo -ll
> Matching Defaults entries for testuser on this host:
> Runas and Command-specific defaults for testuser:
> Defaults!/usr/bin/sudoreplay !log_output
> User testuser may run the following commands on this host:
> Sudoers entry:
> RunAsUsers: root
> $ sudo id
> uid=0(root) gid=0(root) groups=0(root)
> Can you show the output of "sudo -ll" run by sysbot? It looks like
> the stay_setuid option might be set in sudoers, though I would expect
> that to affect the ldap case too.
You are right about the stay_setuid option. Even though I do not have it
in the sudoers file, it gets set.
sysbot's sudo -ll output:
Matching Defaults entries for sysbot on this host:
tty_tickets, mail_always, preserve_groups, set_logname, stay_setuid,
User sysbot may run the following commands on this host:
After all this I figured out the problem: sudo is using default
options from the sudoers LDAP defaults entry, and it has the stay_setuid
option set. I was ignoring LDAP sudoers, but sudo is not. After I removed
this option everything fell into place.
> - todd
Thank you and Happy New Year!
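The situation above, as an added example that is not part of this thread and not code from the sudo project: a small audit helper that parses an LDIF dump of the sudoers container, the global Defaults lines of a local sudoers file and the sudoers line of nsswitch.conf, then reports which source each effective Defaults option came from. The LDIF, sudoers and nsswitch contents are constructed samples modelled on the output quoted in the thread; the merge order (sources applied in nsswitch.conf order, a later source overriding the same option from an earlier one) is an assumption about sudo's behaviour, not something the thread states.

```python
"""Audit where sudo's Defaults options come from (local sudoers vs the LDAP
cn=defaults sudoRole).  Added example, not sudo project code: the LDIF, sudoers
and nsswitch inputs are constructed samples and the merge order is assumed."""
import re

SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: defaults
sudoOption: tty_tickets
sudoOption: mail_always
sudoOption: preserve_groups
sudoOption: set_logname
sudoOption: stay_setuid

dn: cn=sysbot,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: sysbot
sudoUser: sysbot
"""

SAMPLE_SUDOERS = """\
# constructed local sudoers: stay_setuid is never set here
Defaults env_reset, mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults !mail_always
Defaults:testuser !requiretty
Defaults!/usr/bin/sudoreplay !log_output
"""

SAMPLE_NSSWITCH = "passwd: compat\nsudoers: ldap files\n"


def parse_option(tok):
    """'foo' -> ('foo', True); '!foo' -> ('foo', False); 'foo=bar' -> ('foo', 'bar')."""
    tok = tok.strip()
    if tok.startswith("!"):
        return tok[1:].strip(), False
    if "=" in tok:
        name, val = tok.split("=", 1)
        return name.strip(), val.strip().strip('"')
    return tok, True


def split_options(s):
    """Split a comma-separated option list; commas inside double quotes are kept."""
    out, cur, quoted = [], "", False
    for ch in s:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return [t for t in out + [cur] if t.strip()]


def ldap_defaults(ldif_text):
    """sudoOption values of every cn=defaults sudoRole entry in an LDIF dump."""
    lines = []
    for raw in ldif_text.splitlines():  # fold LDIF continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # a blank line terminates an entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif ": " in line and not line.startswith("#"):  # base64 '::' not handled
            attr, val = line.split(": ", 1)
            cur.setdefault(attr.lower(), []).append(val)
    return [parse_option(o) for e in entries
            if [c.lower() for c in e.get("cn", [])] == ["defaults"]
            and "sudorole" in map(str.lower, e.get("objectclass", []))
            for o in e.get("sudooption", [])]


def file_defaults(sudoers_text):
    """Global 'Defaults' lines only; Defaults:user, Defaults!cmd, Defaults@host, Defaults>runas are skipped."""
    opts = []
    for line in sudoers_text.splitlines():
        if m := re.match(r"^\s*Defaults\s+(.*)$", line.split("#", 1)[0]):
            opts += [parse_option(t) for t in split_options(m.group(1))]
    return opts


def nsswitch_order(nsswitch_text):
    """Sources on the 'sudoers:' line; sudo falls back to 'files' if it is absent."""
    for line in nsswitch_text.splitlines():
        if m := re.match(r"^\s*sudoers:\s*(.*)$", line):
            return [t for t in m.group(1).split() if not t.startswith("[")]
    return ["files"]


def effective_defaults(ldif_text, sudoers_text, nsswitch_text):
    """option -> (value, source); later sources override earlier ones (assumed)."""
    sources = {"ldap": ldap_defaults(ldif_text), "files": file_defaults(sudoers_text)}
    effective = {}
    for src in nsswitch_order(nsswitch_text):
        for name, value in sources.get(src, []):
            effective[name] = (value, src)
    return effective
```

On the sample data, effective_defaults() reports stay_setuid as coming from ldap even though the local file never mentions it, and reports mail_always as False from files because the local "Defaults !mail_always" is applied after the LDAP entry; with the nsswitch line changed to "sudoers: files" the LDAP options vanish, which is the difference between an administrator ignoring LDAP sudoers and sudo ignoring it. On a real host feed it an ldapsearch dump of the SUDOers container and the actual /etc/sudoers and /etc/nsswitch.conf; "sudo -ll" remains the authoritative view of what sudo itself applies.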