[sudo-users] SudoUsers matching regardless of netgroup

Choure, Sidd schoure at apartments.com
Tue Dec 3 08:31:23 MST 2013


Hi,
This is the sudo -V output

sudo -V
Sudo version 1.8.6p3
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu
--program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin
--sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
--includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec
--localstatedir=/var --sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p3
--with-logging=syslog --with-logfac=authpriv --with-pam --with-pam-login
--with-editor=/bin/vi --with-env-editor --with-ignore-dot
--with-tty-tickets --with-ldap --with-ldap-conf-file=/etc/sudo-ldap.conf
--with-selinux --with-passprompt=[sudo] password for %p:
--with-linux-audit --with-sssd
Sudoers policy plugin version 1.8.6p3
Sudoers file grammar version 42

Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/sudo-ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Always set $HOME to the target user's home directory
Allow some information gathering to give useful error messages
Only allow the user to run sudo if they have a tty
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /sbin:/bin:/usr/sbin:/usr/bin
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
	TERM
	LINGUAS
	LC_*
	LANGUAGE
	LANG
	COLORTERM
Environment variables to remove:
	RUBYOPT
	RUBYLIB
	PYTHONUSERBASE
	PYTHONINSPECT
	PYTHONPATH
	PYTHONHOME
	TMPPREFIX
	ZDOTDIR
	READNULLCMD
	NULLCMD
	FPATH
	PERL5DB
	PERL5OPT
	PERL5LIB
	PERLLIB
	PERLIO_DEBUG
	JAVA_TOOL_OPTIONS
	SHELLOPTS
	GLOBIGNORE
	PS4
	BASH_ENV
	ENV
	TERMCAP
	TERMPATH
	TERMINFO_DIRS
	TERMINFO
	_RLD*
	LD_*
	PATH_LOCALE
	NLSPATH
	HOSTALIASES
	RES_OPTIONS
	LOCALDOMAIN
	CDPATH
	IFS
Environment variables to preserve:
	XAUTHORITY
	_XKB_CHARSET
	LINGUAS
	LANGUAGE
	LC_ALL
	LC_TIME
	LC_TELEPHONE
	LC_PAPER
	LC_NUMERIC
	LC_NAME
	LC_MONETARY
	LC_MESSAGES
	LC_MEASUREMENT
	LC_IDENTIFICATION
	LC_COLLATE
	LC_CTYPE
	LC_ADDRESS
	LANG
	USERNAME
	QTDIR
	PS2
	PS1
	MAIL
	LS_COLORS
	KDEDIR
	INPUTRC
	HISTSIZE
	HOSTNAME
	DISPLAY
	COLORS
Locale to use while parsing sudoers: C
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty

Local IP address and netmask pairs:
	172.22.133.105/255.255.255.0
	fe80::215:5dff:fe0b:3213/ffff:ffff:ffff:ffff::



On RHEL 6.4, there is no /etc/ldap.conf. I see /etc/sudo-ldap.conf and
/etc/openldap/ldap.conf. Enabling sudoers_debug 2 in both didn't produce
any output on standard error. I am using the sssd setup and all the sudo
related configs are in the /etc/sssd/sssd.conf file -

[domain/default]

ldap_id_use_start_tls = True
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.com
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_default_bind_dn = cn=Manager,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = password
ldap_netgroup_search_base = ou=Netgroups,dc=example,dc=com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

What do I need to configure to see why sudo is matching everything?

Siddharth Choure
Senior Systems Engineer

On 12/2/13, 5:18 PM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

>What version of sudo is this?  The first thing to try is to enable
>sudoers debugging in ldap.conf.  E.g.
>
>    sudoers_debug 2
>
>That should tell you what exactly is matching (and how).
>
> - todd

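The sudo above is built --with-sssd and sssd.conf lists sudo under services, so before chasing sudoers_debug it is worth confirming which backend the sudoers line in /etc/nsswitch.conf actually hands sudo: sudoers_debug is read only by sudo's own LDAP backend (the one behind /etc/sudo-ldap.conf) and has no effect when rules come from the sss backend, where debugging is switched on with debug_level in sssd.conf instead. The script below is an added example, not code from this thread, from sudo or from sssd. It performs that nsswitch check offline on a constructed file and, separately, tests whether a host is a member of a netgroup in the triple format `getent netgroup` prints, which is the membership a sudoRole's `+netgroup` sudoHost value relies on. The file contents, host names, netgroup names and the `getent_netgroup` stand-in are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread, sudo or sssd): two offline
# checks for a "sudo matches everything" report on a sudo+sssd host.
#  1. Which backends nsswitch.conf hands sudo, hence where debugging goes
#     (sudoers_debug in sudo-ldap.conf only affects the "ldap" backend).
#  2. Whether a host really is a member of the netgroup a sudoRole's
#     sudoHost names, using the triples `getent netgroup` prints.
# All inputs below are constructed; host and netgroup names are hypothetical.

# Print the sources on the "sudoers:" line of the nsswitch file given as $1
# ("files" when the line is absent, which is also sudo's own default).
# Comments and "[NOTFOUND=return]"-style actions are dropped.
sudoers_sources() {
    line=$(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" | sed 's/#.*//' | head -n 1)
    [ -n "$line" ] || line=files
    set -f; set -- $line; set +f          # split on whitespace, no globbing
    out=
    for w in "$@"; do
        case $w in
            \[*) ;;                         # action such as [NOTFOUND=return]
            *)   out="${out:+$out }$w" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Where debugging has to be enabled for a given sudoers source.
debug_knob() {
    case $1 in
        files) echo "/etc/sudoers only; 'sudo -l' lists the rules that apply" ;;
        ldap)  echo "sudoers_debug 2 in /etc/sudo-ldap.conf (sudo's own LDAP backend)" ;;
        sss)   echo "debug_level in the [sudo] and [domain/...] sections of /etc/sssd/sssd.conf," \
                    "then read /var/log/sssd/sssd_sudo.log; sudoers_debug has no effect here" ;;
        *)     echo "unknown sudoers source: $1" ;;
    esac
}

# Is host $2 the host field of a triple in `getent netgroup` output $1?
# Format: "<name> (host,user,domain) (host,user,domain) ...". An empty host
# field is a wildcard and "-" never matches. sudo's real test is innetgr(3),
# which also considers the domain field; only the host field is checked here.
host_in_netgroup() {
    host=$2
    triples=$(printf '%s\n' "$1" | sed 's/^[^ ]* *//')
    set -f; set -- $triples; set +f
    for t in "$@"; do
        t=${t#\(}; t=${t%\)}
        h=${t%%,*}
        case $h in
            "")      return 0 ;;
            -)       ;;
            "$host") return 0 ;;
        esac
    done
    return 1
}

# Constructed stand-in for `getent netgroup <name>` so the example runs offline.
# On a real host replace the body with: getent netgroup "$1"
getent_netgroup() {
    case $1 in
        webadmins) printf '%s\n' 'webadmins (web1.example.com,,) (web2.example.com,,)' ;;
        *)         return 2 ;;              # getent's status for "key not found"
    esac
}

# Does one sudoHost value $2 apply to host $1? ALL matches any host, "+name"
# is a netgroup, anything else is compared as a host name. The IP address and
# CIDR forms of sudoHost are not modelled here.
sudohost_matches() {
    host=$1 value=$2
    case $value in
        ALL)     return 0 ;;
        +*)      out=$(getent_netgroup "${value#+}") || return 1
                 host_in_netgroup "$out" "$host" ;;
        "$host") return 0 ;;
        *)       return 1 ;;
    esac
}

# Demonstration on constructed input (stand-in for /etc/nsswitch.conf).
nss=$(mktemp)
printf '%s\n' 'passwd:  files sss' 'sudoers: files sss' > "$nss"
for src in $(sudoers_sources "$nss"); do
    echo "sudoers source '$src': $(debug_knob "$src")"
done
rm -f "$nss"
for v in ALL +webadmins +dbadmins web1.example.com; do
    if sudohost_matches db1.example.com "$v"; then
        echo "sudoHost $v matches db1.example.com"
    else
        echo "sudoHost $v does not match db1.example.com"
    fi
done
```

On the real host, pass /etc/nsswitch.conf to `sudoers_sources` and replace the `getent_netgroup` stub with the real `getent netgroup` call. A sudoRole whose sudoHost is ALL matches every host no matter what the netgroup contains, so a rule with sudoHost ALL in `sudo -l` output is the first thing to look for when rules apply where they should not.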
