[sudo-users] ignore_local_sudoers does not work as expected

fabrice bessettes fabrice.b7 at gmail.com
Thu Dec 5 14:15:31 MST 2013


Well, I think I found the problem:

I had this in /etc/nsswitch.conf :
# grep sudo /etc/nsswitch.conf
sudoers:  files ldap

If I change it for :
sudoers:  ldap files

Everything works as expected ...

Looks like the nsswitch sudoers order is a condition for the
"ignore_local_sudoers" option, am I right?

Thank you!

On Thu, Dec 5, 2013 at 3:05 PM, fabrice bessettes <fabrice.b7 at gmail.com> wrote:
> Hi list !
>
> I'm trying to integrate sudo into openLDAP in my organisation, which
> will be really great.
>
> The only issue I have is with the ignore_local_sudoers option.
>
> The man page says:
> ignore_local_sudoers
>     If set via LDAP, parsing of /etc/sudoers will be skipped.  This is
>     intended for Enterprises that wish to prevent the usage of local
>     sudoers files so that only LDAP is used.  This thwarts the efforts
>     of rogue operators who would attempt to add roles to /etc/sudoers.
>     When this option is present, /etc/sudoers does not even need to
>     exist.  Since this option tells sudo how to behave when no specific
>     LDAP entries have been matched, this sudoOption is only meaningful
>     for the cn=defaults section.  This flag is off by default.
>
> Looks great, I will need it, but I'm missing something: it's not working.
>
> Here is my default sudo role:
>
> [fbesset at server ~]$ ldapsearch -xZLLLD cn=BinddnAcct -H ldap://server
> -b ou=SUDOers,dc=unixdomain,dc=xxxxx,dc=com "(cn=defaults)" "*"
> dn: cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> description: Options globales a tous les roles
> objectClass: sudoRole
> objectClass: top
> cn: defaults
> sudoOption: ignore_local_sudoers
> sudoOption: env_reset
> sudoOption: requiretty
>
> When I try to use a local (in /etc/sudoers) sudo rule, it's still
> working (user fbesset has no rights in my LDAP sudo role):
>
> [fbesset at server ~]$ /usr/local/bin/sudo su -
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri              ldap://server1.priv.xxxxxx.com
> ldap://server2.priv.xxxxxx.com
> sudo: ldap_version     3
> sudo: sudoers_base     ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
> sudo: binddn           cn=BinddnAcct
> sudo: bindpw           xxxxxx
> sudo: bind_timelimit   1
> sudo: timelimit        1
> sudo: ssl              start_tls
> sudo: tls_checkpeer    (no)
> sudo: tls_cacertdir    /etc/openldap/cacerts
> sudo: ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
> ldap://server2.priv.xxxxx.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 1
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'requiretty'
> sudo: ldap search
> '(|(sudoUser=fbesset)(sudoUser=%unixadm)(sudoUser=%#502)(sudoUser=ALL))'
> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: searching LDAP for sudoers entries
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x02
> sudo: removing reusable search result
> [root at server ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>
>
> I'm working with RHEL 5. I first thought it was a RH package problem,
> so I compiled the last stable release and got the same behavior.
> Here are the details of my local sudo install, where I can see the "If
> LDAP directory is up, do we ignore local sudoers file" option set.
> Any idea what I'm missing?
>
> Thank you!
>
> Fabrice Bessettes
>
> Sudo version 1.8.8
> Configure options: --with-ldap
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri              ldap://server1.priv.xxxxxx.com
> ldap://server2.priv.xxxxx.com
> sudo: ldap_version     3
> sudo: sudoers_base     ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> sudo: binddn           cn=BinddnAcct,ou=InternalAccount,dc=xxxxx,dc=com
> sudo: bindpw           xxxxxx
> sudo: bind_timelimit   1
> sudo: timelimit        1
> sudo: ssl              start_tls
> sudo: tls_checkpeer    (no)
> sudo: tls_cacertdir    /etc/openldap/cacerts
> sudo: ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
> ldap://server2.priv.xxxxx.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 1
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'requiretty'
> Sudoers policy plugin version 1.8.8
> Sudoers file grammar version 43
>
> Sudoers path: /etc/sudoers
> nsswitch path: /etc/nsswitch.conf
> ldap.conf path: /etc/ldap.conf
> ldap.secret path: /etc/ldap.secret
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Insult the user when they enter an incorrect password
> Only allow the user to run sudo if they have a tty
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 5.0 minutes
> Password prompt timeout: 5.0 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Path to mail program: /usr/sbin/sendmail
> Flags for mail program: -t
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/db/sudo
> Default password prompt: Password:
> Default user to run commands as: root
> Path to the editor for use by visudo: /bin/vi
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> If LDAP directory is up, do we ignore local sudoers file
> File descriptors >= 3 will be closed before executing a command
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
>         TERM
>         LINGUAS
>         LC_*
>         LANGUAGE
>         LANG
>         COLORTERM
> Environment variables to remove:
>         RUBYOPT
>         RUBYLIB
>         PYTHONUSERBASE
>         PYTHONINSPECT
>         PYTHONPATH
>         PYTHONHOME
>         TMPPREFIX
>         ZDOTDIR
>         READNULLCMD
>         NULLCMD
>         FPATH
>         PERL5DB
>         PERL5OPT
>         PERL5LIB
>         PERLLIB
>         PERLIO_DEBUG
>         JAVA_TOOL_OPTIONS
>         SHELLOPTS
>         GLOBIGNORE
>         PS4
>         BASH_ENV
>         ENV
>         TERMCAP
>         TERMPATH
>         TERMINFO_DIRS
>         TERMINFO
>         _RLD*
>         LD_*
>         PATH_LOCALE
>         NLSPATH
>         HOSTALIASES
>         RES_OPTIONS
>         LOCALDOMAIN
>         CDPATH
>         IFS
> Environment variables to preserve:
>         XAUTHORITY
>         _XKB_CHARSET
>         LINGUAS
>         LANGUAGE
>         LC_ALL
>         LC_TIME
>         LC_TELEPHONE
>         LC_PAPER
>         LC_NUMERIC
>         LC_NAME
>         LC_MONETARY
>         LC_MESSAGES
>         LC_MEASUREMENT
>         LC_IDENTIFICATION
>         LC_COLLATE
>         LC_CTYPE
>         LC_ADDRESS
>         LANG
>         USERNAME
>         QTDIR
>         PS2
>         PS1
>         MAIL
>         LS_COLORS
>         KDEDIR
>         INPUTRC
>         HISTSIZE
>         HOSTNAME
>         DISPLAY
>         COLORS
> Locale to use while parsing sudoers: C
> Compress I/O logs using zlib
> Directory in which to store input/output logs: /var/log/sudo-io
> File in which to store the input/output log: %{seq}
> Add an entry to the utmp/utmpx file when allocating a pty
> PAM service name to use
> PAM service name to use for login shells
> Create a new PAM session for the command to run in
> Maximum I/O log sequence number
>
> Local IP address and netmask pairs:
>         10.255.32.67/255.255.254.0
>         10.247.90.34/255.255.252.0
>         fe80::250:56ff:feb1:399/ffff:ffff:ffff:ffff::
>         fe80::250:56ff:feb1:39a/ffff:ffff:ffff:ffff::
>
> Sudoers I/O plugin version 1.8.8



-- 
"And there he goes ... One of God's own prototypes, a high-powered
mutant, never designed for mass production, too weird to live, and too
rare to die..."
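
A quick configuration check, added here as an example and not part of the thread or of sudo itself: given an nsswitch.conf-style file, it reports whether the sudoers line lists ldap before files, the ordering the reply above found necessary for a cn=defaults ignore_local_sudoers option to actually skip /etc/sudoers. The function names and the sample files it creates under mktemp are constructed for this example; point report_nsswitch_order at /etc/nsswitch.conf to check a real host.

```shell
#!/bin/sh
# Added example, not code from the sudo project or from the thread.
# Checks the source order of the "sudoers:" line in an nsswitch.conf-style
# file. The thread reports that a cn=defaults sudoOption of
# ignore_local_sudoers only skips /etc/sudoers when ldap is listed before
# files, so "sudoers: files ldap" silently leaves local rules in force.

# check_nsswitch_order FILE
#   exit 0 : ldap is consulted before files (or files is absent)
#   exit 1 : files is consulted before ldap
#   exit 2 : no sudoers line, or no ldap source on it
check_nsswitch_order() {
    awk -F: '
        { sub(/#.*/, "") }                               # drop comments
        !seen && $1 ~ /^[[:space:]]*sudoers[[:space:]]*$/ {
            seen = 1
            n = split($2, src, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {                   # first position of each source
                if (src[i] == "ldap"  && !ldap)  ldap  = i
                if (src[i] == "files" && !files) files = i
            }
        }
        END {
            if (!seen || !ldap)        exit 2
            if (files && files < ldap) exit 1
            exit 0
        }' "$1"
}

# report_nsswitch_order FILE : human-readable verdict, same exit status
report_nsswitch_order() {
    rc=0
    check_nsswitch_order "$1" || rc=$?
    case $rc in
        0) echo "$1: ok, ldap before files; ignore_local_sudoers can take effect" ;;
        1) echo "$1: WARNING, files before ldap; /etc/sudoers is parsed before LDAP defaults" ;;
        *) echo "$1: WARNING, no sudoers line with an ldap source" ;;
    esac
    return $rc
}

# Demo on constructed samples (the two orders from the thread plus a file
# with no sudoers line); mktemp is used so nothing on the host is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd:  files ldap\nsudoers:  files ldap\n' > "$d/bad.conf"
    printf '# sudo reads this\nsudoers:  ldap files\n'   > "$d/good.conf"
    printf 'passwd:  files\n'                            > "$d/none.conf"
    for f in "$d"/bad.conf "$d"/good.conf "$d"/none.conf; do
        report_nsswitch_order "$f" || true
    done
    rm -rf "$d"
}

demo
```

The check deliberately ignores action tokens such as `[NOTFOUND=return]` and only compares the relative positions of `ldap` and `files`, which is the property the thread turned on.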