[sudo-users] avoid LDAP search sudoUser=+*

Michael Ströder michael at stroeder.com
Fri Feb 7 01:06:40 MST 2014

Todd C. Miller wrote:
> On Thu, 06 Feb 2014 22:39:03 +0100, Michael Ströder wrote:
>> Not true. Otherwise I would not have raised this issue here.
>> On some systems with older sudo versions the sudoUser=+* is even sent
>> *before* the normal user/group query.
> I don't recall that ever being the case (though my memory is far
> from perfect), and I see nothing in the ChangeLog related to a bug
> like that.  It might be a something introduced by one of RedHat's
> patches.  They tend to create large patch sets instead of just
> updating packages.

I saw such a behaviour on RHEL5 and Debian Squeeze.

>> If you perform the netgroup query you have to use
>> (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
>> to get reasonable performance (provided there's present index for
>> 'sudoUser').  Otherwise sudo-ldap is a DoS tool because the LDAP
>> server has to check each entry and LDAP admins have to protect their
>> servers by setting time limits.
> Now I understand.  I thought you were proposing using a single query
> to fetch all sudoRole records instead.  I will make that change for
> the next sudo release.

Great. Thanks.

It would also be nice if the default for the SUDOERS_SEARCH_FILTER is
(objectClass=sudoRole) just in case people forgot to set an equality index for
'sudoUser' because most times 'objectClass' is eq-indexed anyway.

Ciao, Michael.
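As an added illustration (not code from sudo or from anyone in this thread), the following builds the two filters discussed above: the normal per-user/group sudoRole query and the netgroup query, the latter in the plain `(sudoUser=+*)` form and in the `(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))` form that lets the server use its objectClass and sudoUser indexes before evaluating the substring assertion. The exact shape of sudo-ldap's own per-user query is assumed, not taken from the sudo source, and `search_filter` stands in for the SUDOERS_SEARCH_FILTER setting as an optional AND-ed prefix. Values taken from the OS (user and group names) are escaped per RFC 4515 so they cannot change the structure of the filter.

```python
"""Added example (not sudo's own code): build the LDAP filters a sudo-ldap
client would send, in the indexed form discussed in the thread.

Assumptions: the per-user/group query is a simplification of what sudo-ldap
actually sends; SUDOERS_SEARCH_FILTER is modelled as an optional prefix
filter AND-ed in front of the sudoUser terms.
"""


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\XX hex for metacharacters)
    so a username or group name obtained from the OS cannot alter the
    structure of the filter it is embedded in."""
    escaped = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20:
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def _wrap(search_filter, *terms):
    """AND the optional SUDOERS_SEARCH_FILTER in front of the given terms."""
    body = "".join(terms)
    if search_filter is None:
        # No prefix: a single term needs no enclosing AND.
        return body if len(terms) == 1 else "(&%s)" % body
    return "(&%s%s)" % (search_filter, body)


def user_group_filter(user, groups, search_filter="(objectClass=sudoRole)"):
    """The normal per-user query (assumed shape): the user, each %group and
    ALL, OR-ed together.  Every assertion is an exact match, so an equality
    index on sudoUser serves it directly."""
    terms = ["(sudoUser=%s)" % escape_filter_value(user)]
    terms += ["(sudoUser=%%%s)" % escape_filter_value(g) for g in groups]
    terms.append("(sudoUser=ALL)")
    return _wrap(search_filter, "(|%s)" % "".join(terms))


def netgroup_filter(search_filter="(objectClass=sudoRole)", indexed=True):
    """The netgroup query.  '(sudoUser=+*)' on its own is an initial-substring
    assertion; without a suitable index the server must check every entry.
    AND-ing '(sudoUser=*)' (served by a presence index) and the objectClass
    term (served by an equality index) lets the server narrow the candidate
    set before it evaluates the substring match."""
    if indexed:
        return _wrap(search_filter, "(sudoUser=*)", "(sudoUser=+*)")
    return _wrap(search_filter, "(sudoUser=+*)")


if __name__ == "__main__":
    # Constructed sample input, not taken from any real directory.
    print(user_group_filter("alice", ["wheel", "ops"]))
    print(netgroup_filter(search_filter=None, indexed=False))  # the slow form
    print(netgroup_filter())                                   # the indexed form
```

The slow form is what the thread describes as being sent on its own; the indexed form is the one Michael recommends, and it is what the function emits by default. Passing `search_filter=None` models a deployment with no SUDOERS_SEARCH_FILTER configured, which is why a default of `(objectClass=sudoRole)` helps servers that have an objectClass index but forgot the sudoUser one.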
