[sudo-users] ignore_local_sudoers does not work as expected
fabrice bessettes
fabrice.b7 at gmail.com
Thu Dec 5 13:05:39 MST 2013
Hi list!
I'm trying to integrate sudo into openLDAP in my organisation, which
will be really great.
The only issue i have is with the ignore_local_sudoers option.
The man page says:
ignore_local_sudoers
If set via LDAP, parsing of /etc/sudoers will be skipped. This is intended for Enterprises that wish to prevent the usage of local sudoers files so that only LDAP is used. This thwarts the efforts of rogue operators who would attempt to add roles to /etc/sudoers. When this option is present, /etc/sudoers does not even need to exist. Since this option tells sudo how to behave when no specific LDAP entries have been matched, this sudoOption is only meaningful for the cn=defaults section. This flag is off by default.
Looks great, I will need it, but I'm missing something: it's not working.
Here is my default sudo role:
[fbesset at server ~]$ ldapsearch -xZLLLD cn=BinddnAcct -H ldap://server
-b ou=SUDOers,dc=unixdomain,dc=xxxxx,dc=com "(cn=defaults)" "*"
dn: cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
description: Options globales a tous les roles
objectClass: sudoRole
objectClass: top
cn: defaults
sudoOption: ignore_local_sudoers
sudoOption: env_reset
sudoOption: requiretty
When I try to use a local (in /etc/sudoers) sudo rule, it's still
working (user fbesset has no rights in my LDAP sudo role):
[fbesset at server ~]$ /usr/local/bin/sudo su -
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://server1.priv.xxxxxx.com
ldap://server2.priv.xxxxxx.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
sudo: binddn cn=BinddnAcct
sudo: bindpw xxxxxx
sudo: bind_timelimit 1
sudo: timelimit 1
sudo: ssl start_tls
sudo: tls_checkpeer (no)
sudo: tls_cacertdir /etc/openldap/cacerts
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
ldap://server2.priv.xxxxx.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 1
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'requiretty'
sudo: ldap search
'(|(sudoUser=fbesset)(sudoUser=%unixadm)(sudoUser=%#502)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
[root at server ~]# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
I'm working with RHEL 5, I first thought it was a RH package problem,
so I compiled the last stable release and got the same behavior.
Here are the details of my local sudo install, where I can see the "If
LDAP directory is up, do we ignore local sudoers file" option set.
Any idea what I'm missing?
Thank you!
Fabrice Bessettes
Sudo version 1.8.8
Configure options: --with-ldap
sudo: LDAP Config Summary
sudo: ===================
sudo: uri ldap://server1.priv.xxxxxx.com
ldap://server2.priv.xxxxx.com
sudo: ldap_version 3
sudo: sudoers_base ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
sudo: binddn cn=BinddnAcct,ou=InternalAccount,dc=xxxxx,dc=com
sudo: bindpw xxxxxx
sudo: bind_timelimit 1
sudo: timelimit 1
sudo: ssl start_tls
sudo: tls_checkpeer (no)
sudo: tls_cacertdir /etc/openldap/cacerts
sudo: ===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: tls_checkpeer -> 0
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
ldap://server2.priv.xxxxx.com)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 1
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'requiretty'
Sudoers policy plugin version 1.8.8
Sudoers file grammar version 43
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Insult the user when they enter an incorrect password
Only allow the user to run sudo if they have a tty
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5.0 minutes
Password prompt timeout: 5.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/db/sudo
Default password prompt: Password:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
If LDAP directory is up, do we ignore local sudoers file
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONUSERBASE
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORITY
_XKB_CHARSET
LINGUAS
LANGUAGE
LC_ALL
LC_TIME
LC_TELEPHONE
LC_PAPER
LC_NUMERIC
LC_NAME
LC_MONETARY
LC_MESSAGES
LC_MEASUREMENT
LC_IDENTIFICATION
LC_COLLATE
LC_CTYPE
LC_ADDRESS
LANG
USERNAME
QTDIR
PS2
PS1
MAIL
LS_COLORS
KDEDIR
INPUTRC
HISTSIZE
HOSTNAME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use
PAM service name to use for login shells
Create a new PAM session for the command to run in
Maximum I/O log sequence number
Local IP address and netmask pairs:
10.255.32.67/255.255.254.0
10.247.90.34/255.255.252.0
fe80::250:56ff:feb1:399/ffff:ffff:ffff:ffff::
fe80::250:56ff:feb1:39a/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.8.8
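A small triage helper for the kind of debug run quoted above, added here as an example (not code from the post or from the sudo project): it parses sudo's LDAP debug lines, reports which sudoOptions were loaded from cn=defaults and how many sudoRole entries matched, so a defender can see that the grant could only have come from /etc/sudoers. The sample log, the base dc=example,dc=com and the user alice are constructed.

```python
import re

# Constructed sample, modelled on the sudo LDAP debug output quoted in the post
SAMPLE_LOG = """\
sudo: found:cn=defaults,ou=SUDOers,dc=example,dc=com
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap search '(|(sudoUser=alice)(sudoUser=ALL))'
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x02
"""

OPTION_RE = re.compile(r"^sudo: ldap sudoOption: '([^']+)'$")
ENTRIES_RE = re.compile(r"^sudo: result now has (\d+) entries$")
MATCH_RE = re.compile(r"^sudo: (user|host)_matches=(\d+)$")
LOOKUP_RE = re.compile(r"^sudo: sudo_ldap_lookup\(\d+\)=(0x[0-9a-fA-F]+)$")

def parse_ldap_debug(text):
    """Reduce one sudo LDAP debug run to the facts needed for triage."""
    s = {"default_options": [], "entries": None, "user_matches": None,
         "host_matches": None, "lookup_result": None}
    in_defaults = False  # True while reading the sudoOption lines of cn=defaults
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sudo: found:cn=defaults"):
            in_defaults = True
        elif line.startswith("sudo: ldap search "):
            in_defaults = False  # role search started, defaults are finished
        elif (m := OPTION_RE.match(line)) and in_defaults:
            s["default_options"].append(m.group(1))
        elif m := ENTRIES_RE.match(line):
            s["entries"] = int(m.group(1))  # cumulative count, last value wins
        elif m := MATCH_RE.match(line):
            s[m.group(1) + "_matches"] = int(m.group(2))
        elif m := LOOKUP_RE.match(line):
            s["lookup_result"] = m.group(1)
    return s

def triage(summary):
    """Findings a defender should check after reading the debug run."""
    findings = []
    if "ignore_local_sudoers" in summary["default_options"]:
        findings.append("cn=defaults sets ignore_local_sudoers: /etc/sudoers must not grant anything")
    if summary["entries"] == 0:
        findings.append("no LDAP sudoRole matched this user: expect a denial unless local sudoers is still read")
    return findings
```

If `triage` reports both findings and the command still ran as root, the privilege came from /etc/sudoers despite the option, which is exactly the condition to escalate to the sudo maintainers or to check with `sudo -V`.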