[sudo-users] ignore_local_sudoers does not work as expected

Choure, Sidd schoure at apartments.com
Fri Dec 6 09:39:21 MST 2013


Hi,
If you really don't want to use local sudo, you can just use
sudoers: ldap

Take out the file.

Siddharth Choure
Senior Systems Engineer

On 12/5/13, 3:15 PM, "fabrice bessettes" <fabrice.b7 at gmail.com> wrote:

>Well, I think I found the problem:
>
>I had this in /etc/nsswitch.conf :
># grep sudo /etc/nsswitch.conf
>sudoers:  files ldap
>
>If I change it for :
>sudoers:  ldap files
>
>Everything works as expected ...
>
>Looks like the nsswitch sudoers order is a condition for the
>"ignore_local_sudoers" option, am I right?
>
>thank you !
>
>On Thu, Dec 5, 2013 at 3:05 PM, fabrice bessettes <fabrice.b7 at gmail.com>
>wrote:
>> Hi list!
>>
>> I'm trying to integrate sudo into openLDAP in my organisation, which
>> will be really great.
>>
>> The only issue I have is with the ignore_local_sudoers option.
>>
>> The man page says:
>> ignore_local_sudoers
>>     If set via LDAP, parsing of /etc/sudoers will be skipped.  This is
>>     intended for Enterprises that wish to prevent the usage of local
>>     sudoers files so that only LDAP is used.  This thwarts the efforts of
>>     rogue operators who would attempt to add roles to /etc/sudoers.  When
>>     this option is present, /etc/sudoers does not even need to exist.
>>     Since this option tells sudo how to behave when no specific LDAP
>>     entries have been matched, this sudoOption is only meaningful for the
>>     cn=defaults section.  This flag is off by default.
>>
>> Looks great, I will need it, but I'm missing something: it's not working.
>>
>> Here is my default sudo role:
>>
>> [fbesset at server ~]$ ldapsearch -xZLLLD cn=BinddnAcct -H ldap://server
>> -b ou=SUDOers,dc=unixdomain,dc=xxxxx,dc=com "(cn=defaults)" "*"
>> dn: cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
>> description: Options globales a tous les roles
>> objectClass: sudoRole
>> objectClass: top
>> cn: defaults
>> sudoOption: ignore_local_sudoers
>> sudoOption: env_reset
>> sudoOption: requiretty
>>
>> When I try to use a local (in /etc/sudoers) sudo rule, it's still
>> working (user fbesset has no rights in my LDAP sudo role):
>>
>> [fbesset at server ~]$ /usr/local/bin/sudo su -
>> sudo: LDAP Config Summary
>> sudo: ===================
>> sudo: uri              ldap://server1.priv.xxxxxx.com
>> ldap://server2.priv.xxxxxx.com
>> sudo: ldap_version     3
>> sudo: sudoers_base     ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
>> sudo: binddn           cn=BinddnAcct
>> sudo: bindpw           xxxxxx
>> sudo: bind_timelimit   1
>> sudo: timelimit        1
>> sudo: ssl              start_tls
>> sudo: tls_checkpeer    (no)
>> sudo: tls_cacertdir    /etc/openldap/cacerts
>> sudo: ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
>> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
>> ldap://server2.priv.xxxxx.com)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option: timelimit -> 1
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: Looking for cn=defaults: cn=defaults
>> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxxx,dc=com
>> sudo: ldap sudoOption: 'ignore_local_sudoers'
>> sudo: ldap sudoOption: 'env_reset'
>> sudo: ldap sudoOption: 'requiretty'
>> sudo: ldap search
>> '(|(sudoUser=fbesset)(sudoUser=%unixadm)(sudoUser=%#502)(sudoUser=ALL))'
>> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
>> sudo: adding search result
>> sudo: result now has 0 entries
>> sudo: ldap search '(sudoUser=+*)'
>> sudo: searching from base 'ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com'
>> sudo: adding search result
>> sudo: result now has 0 entries
>> sudo: sorting remaining 0 entries
>> sudo: searching LDAP for sudoers entries
>> sudo: done with LDAP searches
>> sudo: user_matches=1
>> sudo: host_matches=0
>> sudo: sudo_ldap_lookup(0)=0x02
>> sudo: removing reusable search result
>> [root at server ~]# id
>> uid=0(root) gid=0(root)
>> groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
>>
>>
>> I'm working with RHEL 5. I first thought it was a RH package problem,
>> so I compiled the last stable release and got the same behavior.
>> Here are the details of my local sudo install, where I can see the "If
>> LDAP directory is up, do we ignore local sudoers file" option set.
>> Any idea what I'm missing?
>>
>> Thank you!
>>
>> Fabrice Bessettes
>>
>> Sudo version 1.8.8
>> Configure options: --with-ldap
>> sudo: LDAP Config Summary
>> sudo: ===================
>> sudo: uri              ldap://server1.priv.xxxxxx.com
>> ldap://server2.priv.xxxxx.com
>> sudo: ldap_version     3
>> sudo: sudoers_base     ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
>> sudo: binddn           cn=BinddnAcct,ou=InternalAccount,dc=xxxxx,dc=com
>> sudo: bindpw           xxxxxx
>> sudo: bind_timelimit   1
>> sudo: timelimit        1
>> sudo: ssl              start_tls
>> sudo: tls_checkpeer    (no)
>> sudo: tls_cacertdir    /etc/openldap/cacerts
>> sudo: ===================
>> sudo: ldap_set_option: debug -> 0
>> sudo: ldap_set_option: tls_checkpeer -> 0
>> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
>> sudo: ldap_initialize(ld, ldap://server1.priv.xxxxx.com
>> ldap://server2.priv.xxxxx.com)
>> sudo: ldap_set_option: ldap_version -> 3
>> sudo: ldap_set_option: timelimit -> 1
>> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 1)
>> sudo: ldap_start_tls_s() ok
>> sudo: ldap_sasl_bind_s() ok
>> sudo: Looking for cn=defaults: cn=defaults
>> sudo: found:cn=defaults,ou=SUDOers,dc=UnixDomain,dc=xxxxx,dc=com
>> sudo: ldap sudoOption: 'ignore_local_sudoers'
>> sudo: ldap sudoOption: 'env_reset'
>> sudo: ldap sudoOption: 'requiretty'
>> Sudoers policy plugin version 1.8.8
>> Sudoers file grammar version 43
>>
>> Sudoers path: /etc/sudoers
>> nsswitch path: /etc/nsswitch.conf
>> ldap.conf path: /etc/ldap.conf
>> ldap.secret path: /etc/ldap.secret
>> Authentication methods: 'pam'
>> Syslog facility if syslog is being used for logging: authpriv
>> Syslog priority to use when user authenticates successfully: notice
>> Syslog priority to use when user authenticates unsuccessfully: alert
>> Send mail if the user is not in sudoers
>> Use a separate timestamp for each user/tty combo
>> Lecture user the first time they run sudo
>> Require users to authenticate by default
>> Root may run sudo
>> Allow some information gathering to give useful error messages
>> Insult the user when they enter an incorrect password
>> Only allow the user to run sudo if they have a tty
>> Set the LOGNAME and USER environment variables
>> Length at which to wrap log file lines (0 for no wrap): 80
>> Authentication timestamp timeout: 5.0 minutes
>> Password prompt timeout: 5.0 minutes
>> Number of tries to enter a password: 3
>> Umask to use or 0777 to use user's: 022
>> Path to mail program: /usr/sbin/sendmail
>> Flags for mail program: -t
>> Address to send mail to: root
>> Subject line for mail messages: *** SECURITY information for %h ***
>> Incorrect password message: Sorry, try again.
>> Path to authentication timestamp dir: /var/db/sudo
>> Default password prompt: Password:
>> Default user to run commands as: root
>> Path to the editor for use by visudo: /bin/vi
>> When to require a password for 'list' pseudocommand: any
>> When to require a password for 'verify' pseudocommand: all
>> If LDAP directory is up, do we ignore local sudoers file
>> File descriptors >= 3 will be closed before executing a command
>> Reset the environment to a default set of variables
>> Environment variables to check for sanity:
>>         TERM
>>         LINGUAS
>>         LC_*
>>         LANGUAGE
>>         LANG
>>         COLORTERM
>> Environment variables to remove:
>>         RUBYOPT
>>         RUBYLIB
>>         PYTHONUSERBASE
>>         PYTHONINSPECT
>>         PYTHONPATH
>>         PYTHONHOME
>>         TMPPREFIX
>>         ZDOTDIR
>>         READNULLCMD
>>         NULLCMD
>>         FPATH
>>         PERL5DB
>>         PERL5OPT
>>         PERL5LIB
>>         PERLLIB
>>         PERLIO_DEBUG
>>         JAVA_TOOL_OPTIONS
>>         SHELLOPTS
>>         GLOBIGNORE
>>         PS4
>>         BASH_ENV
>>         ENV
>>         TERMCAP
>>         TERMPATH
>>         TERMINFO_DIRS
>>         TERMINFO
>>         _RLD*
>>         LD_*
>>         PATH_LOCALE
>>         NLSPATH
>>         HOSTALIASES
>>         RES_OPTIONS
>>         LOCALDOMAIN
>>         CDPATH
>>         IFS
>> Environment variables to preserve:
>>         XAUTHORITY
>>         _XKB_CHARSET
>>         LINGUAS
>>         LANGUAGE
>>         LC_ALL
>>         LC_TIME
>>         LC_TELEPHONE
>>         LC_PAPER
>>         LC_NUMERIC
>>         LC_NAME
>>         LC_MONETARY
>>         LC_MESSAGES
>>         LC_MEASUREMENT
>>         LC_IDENTIFICATION
>>         LC_COLLATE
>>         LC_CTYPE
>>         LC_ADDRESS
>>         LANG
>>         USERNAME
>>         QTDIR
>>         PS2
>>         PS1
>>         MAIL
>>         LS_COLORS
>>         KDEDIR
>>         INPUTRC
>>         HISTSIZE
>>         HOSTNAME
>>         DISPLAY
>>         COLORS
>> Locale to use while parsing sudoers: C
>> Compress I/O logs using zlib
>> Directory in which to store input/output logs: /var/log/sudo-io
>> File in which to store the input/output log: %{seq}
>> Add an entry to the utmp/utmpx file when allocating a pty
>> PAM service name to use
>> PAM service name to use for login shells
>> Create a new PAM session for the command to run in
>> Maximum I/O log sequence number
>>
>> Local IP address and netmask pairs:
>>         10.255.32.67/255.255.254.0
>>         10.247.90.34/255.255.252.0
>>         fe80::250:56ff:feb1:399/ffff:ffff:ffff:ffff::
>>         fe80::250:56ff:feb1:39a/ffff:ffff:ffff:ffff::
>>
>> Sudoers I/O plugin version 1.8.8
>
>
>
>-- 
>"And there he goes, flying off ... One of God's own prototypes, a
>high-energy mutant never designed for mass production, too weird to
>live, and too rare to die..."
>
>____________________________________________________________
>sudo-users mailing list <sudo-users at sudo.ws>
>For list information, options, or to unsubscribe, visit:
>http://www.sudo.ws/mailman/listinfo/sudo-users