[sudo-users] sudoHost matches regardless of netgroup membership

Wick, Samson SWick at west.com
Thu Oct 18 12:16:26 EDT 2012


I'm using the 389-ds LDAP directory server for SUDO.  I'm using NIS-style netgroups (also in LDAP) for the sudoHost and sudoUser attributes of my SUDO roles.  My clients are all Red Hat Enterprise Linux - everything from 4.6 through 6.3.

In testing, I have noticed that SUDO does not evaluate the netgroup specified in sudoHost to verify that the present host is actually a member of the netgroup.  It seems that if the netgroup has any member of any kind, sudoHost will match.
This behavior has been observed in 1.8.6-4, 1.7.10-4, and 1.7.4p5 (and several in-between).

I have a rather large environment to manage and I'm hoping that I'm just doing something wrong.  I've provided as much detail below as I could think of, but please let me know if I'm doing something wrong.

This is how I have everything set up:

SUDO ROLE:

------------------------------------------------------------------

[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_role)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_role)
# requesting: ALL
#

# Test_role, SUDOers, ds.company.com
dn: cn=Test_role,ou=SUDOers,dc=ds,dc=company,dc=com
sudoHost: +Test_hosts
description: Test role for people who can't read good and want to learn how to
  do other stuff good too
sudoOption: !authenticate
sudoOption: noexec
sudoCommand: ALL
sudoCommand: !/bin/su
sudoCommand: !/usr/bin/chattr * /etc/passwd
sudoCommand: !/usr/bin/chattr * /etc/security/access.conf
sudoCommand: !/usr/bin/chattr * /etc/nsswitch.conf
sudoCommand: !/bin/sh
sudoCommand: !/bin/ksh
sudoCommand: !/bin/bash
sudoUser: +Test_users
objectClass: top
objectClass: sudorole
cn: Test_role

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

-----------------------

"Test_hosts" NETGROUP
(LDAP and getent output)
-----------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#

# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,swtest-5864p,)
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts            ( , swtest-5864p, )

-----------------------

"Test_users" NETGROUP
(LDAP and getent output)

------------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_users)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_users)
# requesting: ALL
#

# Test_users, Users, Netgroups, ds.company.com
dn: cn=Test_users,ou=Users,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,swick,)
description: Test netgroup for test users
cn: Test_users
objectClass: top
objectClass: nisnetgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[swick at swtest-5864p ~]$ getent netgroup Test_users
Test_users            ( , swick, )

-----------------------

Current Host and User

-------------------------------------------------------------------------

[swick at swtest-5864p ~]$ hostname
swtest-5864p
[swick at swtest-5864p ~]$ whoami
swick

-----------------------

EXPECTED BEHAVIOR
Given the information above, this is how I would expect sudo to perform.

-------------------------------------------------------------------------
[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://ds01.ds.company.com ldap://ds02.ds.company.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=ds,dc=company,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'noexec'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Matching Defaults entries for swick on this host:
    always_set_home

sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
User swick may run the following commands on this host:
    (root) NOPASSWD: NOEXEC: ALL, !/bin/su, !/usr/bin/chattr * /etc/passwd, !/usr/bin/chattr * /etc/security/access.conf, !/usr/bin/chattr * /etc/nsswitch.conf, !/bin/sh, !/bin/ksh, !/bin/bash

-------------------------

Change "Test_hosts" so this server is no longer a member

------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#

# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
nisNetgroupTriple: (,non-existent-host,)
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts            ( , non-existent-host, )

--------------------------

UNEXPECTEDLY sudo still thinks that sudoHost matches and allows the command to proceed.

--------------------------------------------------------------------
[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://ds01.ds.company.com ldap://ds02.ds.company.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=ds,dc=company,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'noexec'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Matching Defaults entries for swick on this host:
    always_set_home

sudo: ldap search '(|(sudoUser=swick)(sudoUser=%unixhw)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... MATCH!
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
User swick may run the following commands on this host:
    (root) NOPASSWD: NOEXEC: ALL, !/bin/su, !/usr/bin/chattr * /etc/passwd, !/usr/bin/chattr * /etc/security/access.conf, !/usr/bin/chattr * /etc/nsswitch.conf, !/bin/sh, !/bin/ksh, !/bin/bash

-----------------------------------------

BUT clearly SOME kind of checking is taking place because if I remove all members from Test_hosts:

----------------------------------------------------------------------------------------------
[swick at swtest-5864p ~]$ ldapsearch -x "(cn=Test_hosts)"
# extended LDIF
#
# LDAPv3
# base <dc=ds,dc=company,dc=com> (default) with scope subtree
# filter: (cn=Test_hosts)
# requesting: ALL
#

# Test_hosts, Hosts, Netgroups, ds.company.com
dn: cn=Test_hosts,ou=Hosts,ou=Netgroups,dc=ds,dc=company,dc=com
cn: Test_hosts
objectClass: top
objectClass: nisnetgroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[swick at swtest-5864p ~]$ getent netgroup Test_hosts
Test_hosts

------------------------------------------------

The sudoHost fails to match as expected

------------------------------------------------------------------------------------------------

[swick at swtest-5864p ~]$ sudo -l
LDAP Config Summary
===================
uri              ldap://ds01.ds.west.com ldap:/ds02.ds.west.com
ldap_version     3
sudoers_base     ou=SUDOers,dc=ds,dc=company,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://ds01.ds.company.com ldap://ds02.ds.company.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=ds,dc=company,dc=com
sudo: ldap sudoOption: 'always_set_home'
sudo: ldap sudoUser netgroup '+UnixAdmin_users' ... not
sudo: ldap sudoUser netgroup '+Test_users' ... MATCH!
sudo: ldap sudoHost '+Test_hosts' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+EITAppAdminWIC_users' ... not
sudo: ldap sudoUser netgroup '+EITServiceDesk_users' ... not
sudo: ldap sudoUser netgroup '+OMAIPConfDev_users' ... not
sudo: ldap sudoUser netgroup '+OMAWICVACD_users' ... not
sudo: ldap sudoUser netgroup '+StorageAdmin_users' ... not
sudo: ldap sudoUser netgroup '+BillingConfigMgmt_users' ... not
sudo: ldap sudoUser netgroup '+INTISDevDBASupport_users' ... not
sudo: ldap sudoUser netgroup '+INTOracleProdDBA_users' ... not
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(52)=0xc0

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for swick:
swick is not allowed to run sudo on swtest-5864p.  This incident will be reported.

------------------------------------------
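Added example, not part of the original post: a small offline model of the host check described above. It parses the three `getent netgroup Test_hosts` lines shown in the post (re-typed here as constructed sample input), applies innetgr(3)-style NIS triple semantics (fields are host, user, domain; an empty field is a wildcard and `-` never matches, which goes beyond what the post itself states), and reports for each state whether `sudoHost: +Test_hosts` matches `swtest-5864p` and whether the hostname actually occupies the host field of any triple. The `audit`, `innetgr` and `sudo_host_matches` names are this example's own, not sudo's.

```python
import re

# Constructed `getent netgroup` lines mirroring the three Test_hosts states
# shown in the post (sample input typed here, not captured from any system).
SAMPLE_GETENT = [
    "Test_hosts            ( , swtest-5864p, )",       # initial state
    "Test_hosts            ( , non-existent-host, )",  # after the edit
    "Test_hosts",                                      # all members removed
]

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^()]*)\)")

def parse_netgroup(line):
    """One `getent netgroup` line -> (name, [(host, user, domain), ...])."""
    name, _, rest = line.partition(" ")
    return name, [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]

def field_matches(field, value):
    """NIS triple field rule: empty field is a wildcard, '-' matches nothing."""
    if field == "":
        return True
    return field != "-" and field == value

def innetgr(triples, host=None, user=None, domain=None):
    """innetgr(3)-style test: an argument left as None is not checked."""
    return any((host is None or field_matches(h, host))
               and (user is None or field_matches(u, user))
               and (domain is None or field_matches(d, domain))
               for h, u, d in triples)

def sudo_host_matches(sudo_host, hostname, netgroups):
    """Resolve one sudoHost value: '+name' via the netgroup table, else literal."""
    if sudo_host.startswith("+"):
        return innetgr(netgroups.get(sudo_host[1:], []), host=hostname)
    return sudo_host in ("ALL", hostname)

def audit(lines, hostname="swtest-5864p"):
    """For each netgroup line, report whether sudoHost: +<name> matches this host
    and whether the hostname actually occupies the host (first) field of a triple."""
    report = []
    for line in lines:
        name, triples = parse_netgroup(line)
        report.append({
            "line": line,
            "matches": sudo_host_matches("+" + name, hostname, {name: triples}),
            "hostname_in_host_field": any(h == hostname for h, _, _ in triples),
        })
    return report

if __name__ == "__main__":
    for r in audit(SAMPLE_GETENT):
        print(f"{r['line']!r}: match={r['matches']} host_field={r['hostname_in_host_field']}")
```

Run against live data by feeding `getent netgroup <name>` output for each netgroup named in a role's sudoHost; a row that matches while `hostname_in_host_field` is false is the over-broad grant worth reviewing.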