[sudo-users] Configuring LDAP-UX Client with sudo to use with OpenLDAP server.
Evelyn Raupach-Carlos
raupache at us.ibm.com
Fri Sep 28 09:24:05 EDT 2012
A simple question...
I downloaded the rpm sudo-1.8.5-3.ppc.rpm of sudo, and ran various sudo
command line tests and confirmed to myself it was compiled with the NOEXEC
option.
But when I run 'sudo -V | grep -i noexec' or 'sudo -V', I cannot confirm
this.
Is there another simple command I can use to confirm?
Please help... the security folks here at IBM are killing me for proof...
and yes, even having the NOEXEC tag in the sudoers file is not enough,
morons.
# sudo -V
Sudo version 1.8.5p2
Configure options: --prefix=/usr/local --with-insults=disabled
--with-logging=syslog --with-logfac=auth
--with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi --with-env-editor
--enable-zlib=builtin --disable-nls
Sudoers policy plugin version 1.8.5p2
Sudoers file grammar version 41
Sudoers path: /etc/sudoers
Authentication methods: 'aixauth'
Syslog facility if syslog is being used for logging: auth
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to log file: /var/adm/sudo.log
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/lib/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /usr/bin/vim:/usr/bin/vi:/bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
AUTHSTATE
LIBPATH
LDR_*
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
LS_COLORS
KRB5CCNAME
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
Local IP address and netmask pairs:
172.19.70.158/255.255.254.0
172.19.72.158/255.255.255.0
172.19.53.158/255.255.255.0
Sudoers I/O plugin version 1.8.5p2
Regards,
Ev
Evelyn Raupach-Carlos
Technical Support Specialist
GTS Services Delivery
East Fishkill Global Delivery Center
2070 Route 52
Hopewell Junction, 12533-6683
United States
Phone: +1-845-892-4008
Mobile: +1-203-558-9983
e-mail: raupache at us.ibm.com
From: Simon K <k_simon78 at yahoo.com>
To: "Todd C. Miller" <Todd.Miller at courtesan.com>,
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Date: 09/28/2012 09:15 AM
Subject: Re: [sudo-users] Configuring LDAP-UX Client with sudo to
use with OpenLDAP server.
Sent by: sudo-users-bounces at courtesan.com
Hi Todd,
Thanks a lot for your help.
Thanks & Regards,
Simon K
________________________________
From: Todd C. Miller <Todd.Miller at courtesan.com>
To: Simon K <k_simon78 at yahoo.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Sent: Friday, 28 September 2012 2:33 PM
Subject: Re: [sudo-users] Configuring LDAP-UX Client with sudo to use with
OpenLDAP server.
To configure sudoers over LDAP you will need to add a line to
/etc/nsswitch.conf such as:
sudoers: ldap
to tell sudo to use LDAP for sudoers data and then configure
/etc/ldap.conf as per the sudoers.ldap man page. I realize that
LDAP-UX does not use /etc/ldap.conf but sudo does use this file for
its LDAP configuration.
If you are having problems, try adding the line
sudoers_debug 2
to your /etc/ldap.conf file.
- todd
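Two offline checks for the points raised in this thread, added here as an example and not taken from the list or from the sudo project: one verifies that a sudo build actually ships a noexec library, the other audits the nsswitch.conf/ldap.conf wiring Todd describes. It assumes sudo 1.8.4 or later, where the noexec library path lives in sudo.conf as "Path noexec ..." (which is why "sudo -V | grep -i noexec" shows nothing); all file paths and the LDAP host are placeholders.

```sh
#!/bin/sh
# Added example: offline configuration checks for sudo noexec and sudoers-over-LDAP.
# Assumption: sudo >= 1.8.4 reads the noexec library path from sudo.conf.

# check_noexec_support SUDO_CONF
# Returns 0 when SUDO_CONF names a noexec library that exists on disk.
check_noexec_support() {
    lib=$(awk '$1 == "Path" && $2 == "noexec" { print $3 }' "$1")
    [ -n "$lib" ] || { echo "no 'Path noexec' entry in $1" >&2; return 1; }
    [ -f "$lib" ] || { echo "noexec library $lib not found" >&2; return 1; }
    echo "noexec library: $lib"
}

# audit_sudo_ldap NSSWITCH_CONF LDAP_CONF
# Returns 0 when nsswitch.conf routes sudoers lookups to LDAP and ldap.conf
# carries the keys sudo needs (uri, sudoers_base). Warns if sudoers_debug
# is left on: it prints LDAP queries and matches to the invoking user's
# terminal, so it belongs in troubleshooting only, not production.
audit_sudo_ldap() {
    rc=0
    if ! grep -E '^[[:space:]]*sudoers:' "$1" |
         grep -Eq '(^|[[:space:]])ldap([[:space:]]|$)'; then
        echo "missing 'sudoers: ldap' in $1" >&2; rc=1
    fi
    for key in uri sudoers_base; do
        if ! grep -Eiq "^[[:space:]]*$key[[:space:]]" "$2"; then
            echo "missing '$key' in $2" >&2; rc=1
        fi
    done
    if grep -Eiq '^[[:space:]]*sudoers_debug[[:space:]]+[1-9]' "$2"; then
        echo "warning: sudoers_debug is enabled in $2" >&2
    fi
    return $rc
}
```

On a live host run these as `check_noexec_support /etc/sudo.conf` and `audit_sudo_ldap /etc/nsswitch.conf /etc/ldap.conf`; a functional NOEXEC test (a NOEXEC rule on a shell that then fails to exec a child) remains the final proof.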
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws>
For list information, options, or to unsubscribe, visit:
http://www.sudo.ws/mailman/listinfo/sudo-users