[sudo-users] Warning email when listing sudo perms
paul at cantle.me
Wed Dec 2 14:55:13 MST 2015
I’m not sure that will work, because earlier, the sudoCommand was populated (when I discovered the issue).
I’m testing as I type and it’s failed.
Dec 2 21:49:37 sudo sudo_sss_lookup(52)=0x62
The thing is, the root user is of course local and there’s no root user in LDAP. All other sudoRoles reference users or %groups that are LDAP groups, so they work correctly. Even by modifying the root sudoRole container…would that actually have any effect on the local root user itself? As far as I’m aware, there’s nothing to tie them together (unless SSSD knows to “tie up” the local root user with any sudoRole in LDAP SUDOers called “root”?).
On 02/12/2015, 21:24, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:
>On Wed, 02 Dec 2015 20:52:01 +0000, Paul Cantle wrote:
>> I already have a root sudoRole (apologies, I referenced it as a
>> "container" in my original email) and it was populated with some
>> sudoAttributes, etc. I have cleared all sudo*attributes from it and
>> restarted sssd.
>> Now it looks like this
>> sudoCommand = NULL
>> sudoHost = NULL
>> sudoNotAfter = NULL
>> sudoNotBefore = NULL
>> SudoOption = NULL
>> sudoOrder = NULL
>> sudoRunAs = NULL
>> sudoRunAsGroup = NULL
>> sudoRunAsUser = NULL
>> sudoUser = NULL
>> I executed a sudo -l (as root).
>> I still got the warning mail and the following still appears in the debug log
>> Dec 2 20:48:07 sudo sudo_sss_lookup(52)=0x62
>I guess the sssd backend is a bit more clever about ignoring roles
>with no command. I suppose you could make the sudoCommand something
>innocuous like /usr/bin/true.
> - todd
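For reference, this is what Todd's suggestion looks like as an LDIF entry. It is an added illustration, not something posted in the thread; the base DN `ou=SUDOers,dc=example,dc=com` is a placeholder, and it assumes (as the thread is still asking) that sssd matches `sudoUser: root` against the local root account.

```ldif
# Added example: a sudoRole for root whose only command is /usr/bin/true.
# The role exists so the sssd lookup finds a non-empty match for root
# (an entry with no sudoCommand is ignored, per the reply above), while
# granting nothing root does not already have.
dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
# Innocuous command; do not use ALL here, the point is to match, not to grant.
sudoCommand: /usr/bin/true
# Low order so any broader role for the same user still wins if one exists.
sudoOrder: 1
```

After adding the entry, clear the sssd sudo cache (or restart sssd as Paul did) and re-run `sudo -l` as root while watching the debug log for the `sudo_sss_lookup` return value.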