[sudo-users] SudoUsers matching regardless of netgroup

Choure, Sidd schoure at apartments.com
Mon Dec 2 15:32:18 MST 2013


Anyone have any ideas?

Siddharth Choure
Senior Systems Engineer



From: Siddharth Choure <schoure at apartments.com>
Date: Wed, 27 Nov 2013 17:22:44 -0600
To: <sudo-users at sudo.ws>
Subject: SudoUsers matching regardless of netgroup

Hi,
I am integrating sudo with openldap and have all the schemas set up as such. I have a small problem. When I put a netgroup in the sudouser field, it matches all users regardless of their netgroup membership.

Here are the configs -

[root at localhost ~]# getent netgroup Testing
Testing               (-, schoure, -)

dn: cn=Testing,ou=Netgroups,dc=example,dc=com
cn: Testing
description: System Administrators
nisnetgrouptriple: (-,schoure,-)
objectclass: nisNetgroup
objectclass: top



dn: cn=System Administrators,ou=SUDOers,dc=example,dc=com
cn: System Administrators
description: System Administrators
objectclass: sudoRole
objectclass: top
sudocommand: /bin/cat /var/log/secure
sudohost: ALL
sudooption: ALL
sudorunas: root
sudorunasgroup: ALL
sudorunasuser: ALL
sudouser: +Testing


dn: cn=Siddharth Choure,ou=People,dc=example,dc=com
cn: Siddharth Choure
gidnumber: 2000
givenname: Siddharth
homedirectory: /home/schoure
loginshell: /bin/bash
mail: schoure at apartments.com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
sn: Choure
uid: schoure
uidnumber: 1000
userpassword: {MD5}string



[root at localhost ~]# sudo -U schoure -l
Matching Defaults entries for schoure on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, requiretty, env_reset,
    env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User schoure may run the following commands on this host:
    (ALL : ALL) /bin/cat /var/log/secure


It should correctly match for the above user but not for the below one -


[root at localhost ~]# sudo -U mchoure -l
Matching Defaults entries for mchoure on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, requiretty, env_reset,
    env_keep+="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

User mchoure may run the following commands on this host:
    (ALL : ALL) /bin/cat /var/log/secure


What am I doing wrong here?


Thanks,
Siddharth Choure
Senior Systems Engineer
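Added reference check (not code from the post or from sudo): a Python model of innetgr(3) triple matching over `getent netgroup` output, with sudo's user check modeled as leaving the host unconstrained. The Testing line is the post's own output; the Admins group is constructed to show nesting. The expected result (schoure matches `+Testing`, mchoure does not) is what to compare against the host's real innetgr behaviour when sudo matches everyone.

```python
import re

# Constructed sample in `getent netgroup` format: the Testing line is the
# post's own output; Admins is an added group that nests it for illustration.
GETENT_OUTPUT = """\
Testing               (-, schoure, -)
Admins                Testing (,ops,)
"""

# One (host,user,domain) triple; a field may be empty (wildcard) or '-'.
TRIPLE_RE = re.compile(r"\(\s*([^,)]*?)\s*,\s*([^,)]*?)\s*,\s*([^,)]*?)\s*\)")

def parse_getent(text):
    """Map netgroup name -> (list of triples, list of nested netgroup names)."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(" ")
        triples = TRIPLE_RE.findall(rest)
        # Whatever remains after removing the triples is a nested netgroup name.
        nested = TRIPLE_RE.sub(" ", rest).split()
        groups[name] = (triples, nested)
    return groups

def field_matches(entry, query, fold_case):
    # An empty entry field is a wildcard, and a query value of None means the
    # caller does not constrain that field. '-' is treated as a literal that
    # never equals a real host, user or domain (the "matches nothing" convention).
    # Host and domain compare case-insensitively, the user name exactly.
    if entry == "" or query is None:
        return True
    return entry.lower() == query.lower() if fold_case else entry == query

def innetgr(groups, netgroup, host, user, domain, _seen=None):
    """Model innetgr(3): is (host,user,domain) in netgroup, following nesting?"""
    seen = set() if _seen is None else _seen
    if netgroup in seen or netgroup not in groups:
        return False                     # unknown or cyclic netgroup
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    for h, u, d in triples:
        if (field_matches(h, host, True) and field_matches(u, user, False)
                and field_matches(d, domain, True)):
            return True
    return any(innetgr(groups, n, host, user, domain, seen) for n in nested)

def sudo_user_matches(groups, netgroup, user, domain=None):
    """Assumed shape of sudo's user check: host unconstrained, user and domain only."""
    return innetgr(groups, netgroup, None, user, domain)
```

If this model says mchoure should not match but `sudo -U mchoure -l` still lists the command, the discrepancy lies in what the host's netgroup lookup (nsswitch/nss_ldap) returns to sudo, not in the LDIF itself.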




