[sudo-users] Configuring LDAP-UX Client with sudo to use with OpenLDAP server.

Evelyn Raupach-Carlos raupache at us.ibm.com
Fri Sep 28 09:24:05 EDT 2012


A simple question...

I downloaded the rpm sudo-1.8.5-3.ppc.rpm of sudo, ran various sudo 
command line tests, and confirmed to myself that it was compiled with the NOEXEC 
option.
But when I run 'sudo -V | grep -i noexec' or 'sudo -V', I cannot confirm 
this.
Is there another simple command I can use to confirm?
Please help... the security folks here at IBM are killing me for proof... 
and yes, even having the NOEXEC tag in the sudoers file is not enough, morons.

# sudo -V
Sudo version 1.8.5p2
Configure options: --prefix=/usr/local --with-insults=disabled 
--with-logging=syslog --with-logfac=auth 
--with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor 
--enable-zlib=builtin --disable-nls
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41

Sudoers path: /etc/sudoers
Authentication methods: 'aixauth'
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to log file: /var/adm/sudo.log
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/lib/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vim:/usr/bin/vi:/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
        TERM
        LINGUAS
        LC_*
        LANGUAGE
        LANG
        COLORTERM
Environment variables to remove:
        RUBYOPT
        RUBYLIB
        PYTHONUSERBASE
        PYTHONINSPECT
        PYTHONPATH
        PYTHONHOME
        TMPPREFIX
        ZDOTDIR
        READNULLCMD
        NULLCMD
        FPATH
        PERL5DB
        PERL5OPT
        PERL5LIB
        PERLLIB
        PERLIO_DEBUG
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        GLOBIGNORE
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        AUTHSTATE
        LIBPATH
        LDR_*
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        CDPATH
        IFS
Environment variables to preserve:
        XAUTHORIZATION
        XAUTHORITY
        TZ
        PS2
        PS1
        PATH
        LS_COLORS
        KRB5CCNAME
        HOSTNAME
        DISPLAY
        COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty

Local IP address and netmask pairs:
        172.19.70.158/255.255.254.0
        172.19.72.158/255.255.255.0
        172.19.53.158/255.255.255.0

Sudoers I/O plugin version 1.8.5p2

Regards,
Ev



Evelyn Raupach-Carlos
Technical Support Specialist
GTS Services Delivery
East Fishkill Global Delivery Center
2070 Route 52
Hopewell Junction, 12533-6683
United States

Phone: +1-845-892-4008
Mobile: +1-203-558-9983
e-mail: raupache at us.ibm.com


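An added check, not part of Evelyn's message or of the sudo project, that goes a step beyond grepping `sudo -V`: it reads the configure prefix from `sudo -V` output, flags a build configured with `--with-noexec=no` or `--without-noexec`, and looks for the sudo_noexec.so wrapper library that the NOEXEC tag relies on. The two candidate library locations are assumptions covering the 1.8.x install layouts, so adjust them if the package installs elsewhere.

```shell
#!/bin/sh
# Added example: sanity-check a sudo build for noexec support from a shell.
# Not code from the thread or from the sudo project.

# Extract the --prefix value from "sudo -V" text given on stdin.
# sudo's configure defaults to /usr/local when no --prefix was given.
sudo_prefix() {
    p=$(sed -n 's/.*--prefix=\([^ ]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${p:-/usr/local}"
}

# Return 0 (true) if the configure options show noexec was turned off at build time.
noexec_disabled_at_build() {
    grep -qE -e '--with-noexec=no' -e '--without-noexec'
}

# Print the first sudo_noexec.so found under the prefix; return 1 if none.
# Candidate locations are assumptions: libexec/ (1.8.5 era) and libexec/sudo/ (later 1.8.x).
find_noexec_lib() {
    prefix="$1"
    for f in "$prefix/libexec/sudo_noexec.so" "$prefix/libexec/sudo/sudo_noexec.so"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Verdict for captured "sudo -V" output ($1); $2 optionally overrides the prefix.
# Prints "disabled", "missing-library" (NOEXEC cannot be enforced without the
# wrapper library) or "library: <path>", and returns 0 only in the last case.
noexec_verdict() {
    vout="$1"
    if printf '%s\n' "$vout" | noexec_disabled_at_build; then
        echo disabled
        return 1
    fi
    prefix=${2:-$(printf '%s\n' "$vout" | sudo_prefix)}
    if lib=$(find_noexec_lib "$prefix"); then
        echo "library: $lib"
        return 0
    fi
    echo missing-library
    return 1
}

# Usage on a real system: noexec_verdict "$(sudo -V 2>&1)"
```

A found library shows the build shipped noexec support; the only proof that it bites is still a functional test of a NOEXEC-tagged command.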
From:   Simon K <k_simon78 at yahoo.com>
To:     "Todd C. Miller" <Todd.Miller at courtesan.com>, 
Cc:     "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Date:   09/28/2012 09:15 AM
Subject:        Re: [sudo-users] Configuring LDAP-UX Client with sudo to use with OpenLDAP server.
Sent by:        sudo-users-bounces at courtesan.com



Hi Todd,

Thanks a lot for your help.

Thanks & Regards,
Simon K




________________________________
 From: Todd C. Miller <Todd.Miller at courtesan.com>
To: Simon K <k_simon78 at yahoo.com> 
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws> 
Sent: Friday, 28 September 2012 2:33 PM
Subject: Re: [sudo-users] Configuring LDAP-UX Client with sudo to use with OpenLDAP server.
 
To configure sudoers over LDAP you will need to add a line to
/etc/nsswitch.conf such as:

sudoers: ldap

to tell sudo to use LDAP for sudoers data, and then configure
/etc/ldap.conf as per the sudoers.ldap man page.  I realize that
LDAP-UX does not use /etc/ldap.conf, but sudo does use this file for
its LDAP configuration.

If you are having problems, try adding the line

sudoers_debug 2

to your /etc/ldap.conf file.

- todd
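Todd's two steps as an added example, not code from the thread or from the sudo project: a POSIX shell script that sets the nsswitch.conf entry idempotently, writes a minimal /etc/ldap.conf using keys documented in sudoers.ldap(5), and checks the result. It writes `sudoers: files ldap` (an editorial choice over the bare `ldap`, so the local file is still consulted first), and the server name and base DN are placeholders.

```shell
#!/bin/sh
# Added example: wire sudo to LDAP-stored sudoers as Todd describes.
# Not code from the thread or from the sudo project. File paths are parameters
# so the functions can be exercised on copies before touching /etc.

# Make the "sudoers:" line in an nsswitch.conf read "files ldap" (added if
# absent, rewritten if present). Local /etc/sudoers stays first in the order.
enable_sudoers_ldap() {
    nss="$1"
    if grep -q '^sudoers:' "$nss"; then
        sed 's/^sudoers:.*/sudoers: files ldap/' "$nss" > "$nss.tmp" && mv "$nss.tmp" "$nss"
    else
        printf 'sudoers: files ldap\n' >> "$nss"
    fi
}

# Return 0 if the nsswitch file lists ldap as a sudoers source.
sudoers_uses_ldap() {
    grep -E '^sudoers:.*[[:space:]]ldap([[:space:]]|$)' "$1" >/dev/null
}

# Write a minimal ldap.conf for sudo: $1 = file, $2 = server host, $3 = base DN.
# sudo reads this file even where LDAP-UX keeps its own client settings elsewhere.
# If a bindpw is ever added here, the file must not stay world-readable.
write_sudo_ldap_conf() {
    conf="$1"; server="$2"; base="$3"
    cat > "$conf" <<EOF
# LDAP server that holds the sudoRole entries (placeholder host)
uri ldap://$server
# container to search for sudoRole objects (placeholder DN)
sudoers_base $base
# verbose query tracing while setting up; drop to 0 once lookups work
sudoers_debug 2
EOF
}

# Return 0 if both pieces are in place: $1 = nsswitch.conf, $2 = ldap.conf.
check_sudo_ldap() {
    sudoers_uses_ldap "$1" && grep -q '^sudoers_base' "$2"
}

# Usage on a real host (as root):
#   enable_sudoers_ldap /etc/nsswitch.conf
#   write_sudo_ldap_conf /etc/ldap.conf ldap.example.com 'ou=SUDOers,dc=example,dc=com'
#   check_sudo_ldap /etc/nsswitch.conf /etc/ldap.conf && echo "sudo will query LDAP"
```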
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users