[sudo-users] ignore_local_sudoers does not work as expected
fabrice bessettes
fabrice.b7 at gmail.com
Thu Dec 5 14:15:31 MST 2013
Well, I think I found the problem:
I had this in /etc/nsswitch.conf:
# grep sudo /etc/nsswitch.conf
sudoers: files ldap
If I change it to:
sudoers: ldap files
everything works as expected ...
Looks like the nsswitch sudoers order is a condition for the
"ignore_local_sudoers" option, am I right?
Thank you!
On Thu, Dec 5, 2013 at 3:05 PM, fabrice bessettes <fabrice.b7 at gmail.com> wrote:
> Hi list !
>
> I'm trying to integrate sudo into openLDAP in my organisation, which
> will be really great.
>
> The only issue I have is with the ignore_local_sudoers option.
>
> The man page says:
> ignore_local_sudoers
>     If set via LDAP, parsing of /etc/sudoers will be skipped. This is
>     intended for Enterprises that wish to prevent the usage of local
>     sudoers files so that only LDAP is used. This thwarts the efforts of
>     rogue operators who would attempt to add roles to /etc/sudoers. When
>     this option is present, /etc/sudoers does not even need to exist.
>     Since this option tells sudo how to behave when no specific LDAP
>     entries have been matched, this sudoOption is only meaningful for
>     the cn=defaults section. This flag is off by default.
>
> Looks great, I will need it, but I'm missing something: it's not working.
>
> Here is my default sudo role:
>
> [fbesset at server ~]$ ldapsearch -xZLLLD cn=BinddnAcct -H ldap://server
> -b ou=SUDOers,dc=unixdomain,dc=xxxxx,dc=com "(cn=defaults)" "*"
> dn: cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> description: Options globales a tous les roles
> objectClass: sudoRole
> objectClass: top
> cn: defaults
> sudoOption: ignore_local_sudoers
> sudoOption: env_reset
> sudoOption: requiretty
>
> When I try to use a local (in /etc/sudoers) sudo rule, it's still
> working (user fbesset has no rights in my LDAP sudo role):
>
> [fbesset at server ~]$ /usr/local/bin/sudo su -
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri ldap://server1.priv.xxxxxx.com
> ldap://server2.priv.xxxxxx.com
> sudo: ldap_version 3
> sudo: sudoers_base ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
> sudo: binddn cn=BinddnAcct
> sudo: bindpw xxxxxx
> sudo: bind_timelimit 1
> sudo: timelimit 1
> sudo: ssl start_tls
> sudo: tls_checkpeer (no)
> sudo: tls_cacertdir /etc/openldap/cacerts
> sudo: ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
> ldap://server2.priv.xxxxx.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 1
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'requiretty'
> sudo: ldap search
> '(|(sudoUser=fbesset)(sudoUser=%unixadm)(sudoUser=%#502)(sudoUser=ALL))'
> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: ldap search '(sudoUser=+*)'
> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
> sudo: adding search result
> sudo: result now has 0 entries
> sudo: sorting remaining 0 entries
> sudo: searching LDAP for sudoers entries
> sudo: done with LDAP searches
> sudo: user_matches=1
> sudo: host_matches=0
> sudo: sudo_ldap_lookup(0)=0x02
> sudo: removing reusable search result
> [root at server ~]# id
> uid=0(root) gid=0(root)
> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>
>
> I'm working with RHEL 5. I first thought it was a RH package problem,
> so I compiled the last stable release and got the same behavior.
> Here are the details of my local sudo install, where I can see the "If
> LDAP directory is up, do we ignore local sudoers file" option set.
> Any idea what I'm missing?
>
> Thank you!
>
> Fabrice Bessettes
>
> Sudo version 1.8.8
> Configure options: --with-ldap
> sudo: LDAP Config Summary
> sudo: ===================
> sudo: uri ldap://server1.priv.xxxxxx.com
> ldap://server2.priv.xxxxx.com
> sudo: ldap_version 3
> sudo: sudoers_base ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> sudo: binddn cn=BinddnAcct,ou=InternalAccount,dc=xxxxx,dc=com
> sudo: bindpw xxxxxx
> sudo: bind_timelimit 1
> sudo: timelimit 1
> sudo: ssl start_tls
> sudo: tls_checkpeer (no)
> sudo: tls_cacertdir /etc/openldap/cacerts
> sudo: ===================
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: tls_checkpeer -> 0
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
> ldap://server2.priv.xxxxx.com)
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: timelimit -> 1
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: Looking for cn=defaults: cn=defaults
> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'requiretty'
> Sudoers policy plugin version 1.8.8
> Sudoers file grammar version 43
>
> Sudoers path: /etc/sudoers
> nsswitch path: /etc/nsswitch.conf
> ldap.conf path: /etc/ldap.conf
> ldap.secret path: /etc/ldap.secret
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Insult the user when they enter an incorrect password
> Only allow the user to run sudo if they have a tty
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 5.0 minutes
> Password prompt timeout: 5.0 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Path to mail program: /usr/sbin/sendmail
> Flags for mail program: -t
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/db/sudo
> Default password prompt: Password:
> Default user to run commands as: root
> Path to the editor for use by visudo: /bin/vi
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> If LDAP directory is up, do we ignore local sudoers file
> File descriptors >= 3 will be closed before executing a command
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
> TERM
> LINGUAS
> LC_*
> LANGUAGE
> LANG
> COLORTERM
> Environment variables to remove:
> RUBYOPT
> RUBYLIB
> PYTHONUSERBASE
> PYTHONINSPECT
> PYTHONPATH
> PYTHONHOME
> TMPPREFIX
> ZDOTDIR
> READNULLCMD
> NULLCMD
> FPATH
> PERL5DB
> PERL5OPT
> PERL5LIB
> PERLLIB
> PERLIO_DEBUG
> JAVA_TOOL_OPTIONS
> SHELLOPTS
> GLOBIGNORE
> PS4
> BASH_ENV
> ENV
> TERMCAP
> TERMPATH
> TERMINFO_DIRS
> TERMINFO
> _RLD*
> LD_*
> PATH_LOCALE
> NLSPATH
> HOSTALIASES
> RES_OPTIONS
> LOCALDOMAIN
> CDPATH
> IFS
> Environment variables to preserve:
> XAUTHORITY
> _XKB_CHARSET
> LINGUAS
> LANGUAGE
> LC_ALL
> LC_TIME
> LC_TELEPHONE
> LC_PAPER
> LC_NUMERIC
> LC_NAME
> LC_MONETARY
> LC_MESSAGES
> LC_MEASUREMENT
> LC_IDENTIFICATION
> LC_COLLATE
> LC_CTYPE
> LC_ADDRESS
> LANG
> USERNAME
> QTDIR
> PS2
> PS1
> MAIL
> LS_COLORS
> KDEDIR
> INPUTRC
> HISTSIZE
> HOSTNAME
> DISPLAY
> COLORS
> Locale to use while parsing sudoers: C
> Compress I/O logs using zlib
> Directory in which to store input/output logs: /var/log/sudo-io
> File in which to store the input/output log: %{seq}
> Add an entry to the utmp/utmpx file when allocating a pty
> PAM service name to use
> PAM service name to use for login shells
> Create a new PAM session for the command to run in
> Maximum I/O log sequence number
>
> Local IP address and netmask pairs:
> 10.255.32.67/255.255.254.0
> 10.247.90.34/255.255.252.0
> fe80::250:56ff:feb1:399/ffff:ffff:ffff:ffff::
> fe80::250:56ff:feb1:39a/ffff:ffff:ffff:ffff::
>
> Sudoers I/O plugin version 1.8.8
--
"And there he goes, flying off ... One of God's own prototypes, a
high-energy mutant, never designed for mass production, too weird to
live, and too rare to die..."
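As an added example (not code from the thread or from the sudo project), the following POSIX shell check reads the sudoers line of an nsswitch.conf file and reports whether files or ldap is consulted first, so a host that relies on ignore_local_sudoers can be audited for the "files ldap" ordering discussed above. The function name, the exit codes and the handling of bracketed actions and trailing comments are choices made for this example; the sample files used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not code from the thread or from the sudo project.
# Given an nsswitch.conf path (default /etc/nsswitch.conf), report the order
# of the sudoers sources. The thread found that ignore_local_sudoers only
# skipped /etc/sudoers once the line read "sudoers: ldap files", so a host
# that relies on that option should be checked for "files" listed first.
#
# Function return code: 0 = ldap is consulted before files (or is the only source)
#                       1 = files is consulted before ldap
#                       2 = no usable sudoers line, or ldap is not listed at all
check_sudoers_nss() {
    conf="${1:-/etc/nsswitch.conf}"
    if [ ! -r "$conf" ]; then
        echo "$conf: cannot read" >&2
        return 2
    fi
    # First active "sudoers:" line, with the key and any trailing comment removed.
    sources=$(sed -n 's/^[[:space:]]*sudoers:[[:space:]]*//p' "$conf" \
              | sed 's/#.*//' | head -n 1)
    if [ -z "$sources" ]; then
        echo "$conf: no sudoers line; sudo falls back to files only" >&2
        return 2
    fi
    ldap_pos=0
    files_pos=0
    i=0
    for src in $sources; do
        i=$((i + 1))
        case "$src" in
            \[*)   ;;   # an action such as [NOTFOUND=return], not a source
            ldap)  if [ "$ldap_pos" -eq 0 ]; then ldap_pos=$i; fi ;;
            files) if [ "$files_pos" -eq 0 ]; then files_pos=$i; fi ;;
        esac
    done
    if [ "$ldap_pos" -eq 0 ]; then
        echo "sudoers: $sources -> ldap not listed; LDAP sudoOptions never apply" >&2
        return 2
    fi
    if [ "$files_pos" -ne 0 ] && [ "$files_pos" -lt "$ldap_pos" ]; then
        echo "sudoers: $sources -> files parsed before ldap; ignore_local_sudoers will not skip /etc/sudoers"
        return 1
    fi
    echo "sudoers: $sources -> ldap consulted first; ignore_local_sudoers can take effect"
    return 0
}

# Stand-alone use: sh check_sudoers_nss.sh [path]. The verdict is printed;
# $rc keeps the function's return code for callers that need it.
rc=0
check_sudoers_nss "$@" || rc=$?
```

Run it against a copy of the file from each host (sudo -V prints the nsswitch path it actually reads, as in the output quoted above) and treat a return code of 1 as a finding: on such a host a rule added to the local /etc/sudoers is still honoured even though cn=defaults carries ignore_local_sudoers.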