[sudo-users] avoid LDAP search sudoUser=+*

Todd C. Miller Todd.Miller at courtesan.com
Thu Feb 6 15:45:40 MST 2014

On Thu, 06 Feb 2014 22:39:03 +0100, =?ISO-8859-1?Q?Michael_Str=F6der?= wrote:

> Not true. Otherwise I would not have raised this issue here.
> On some systems with older sudo versions the sudoUser=+* is even sent
> *before* the normal user/group query.

I don't recall that ever being the case (though my memory is far
from perfect), and I see nothing in the ChangeLog related to a bug
like that.  It might be a something introduced by one of RedHat's
patches.  They tend to create large patch sets instead of just
updating packages.

> If you perform the netgroup query you have to use
> (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
> to get reasonable performance (provided there's present index for
> 'sudoUser').  Otherwise sudo-ldap is a DoS tool because the LDAP
> server has to check each entry and LDAP admins have to protect their
> servers by setting time limits.

Now I understand.  I thought you were proposing using a single query
to fetch all sudoRole records instead.  I will make that change for
the next sudo release.

 - todd

More information about the sudo-users mailing list