[sudo-users] sudo-users question: bug 678

Todd C. Miller Todd.Miller at courtesan.com
Mon Feb 2 11:23:54 MST 2015


On Tue, 27 Jan 2015 16:39:08 -0700, Andy West wrote:

> Does bug 678 have any impact on LDAP-based sudo policies?  I am using 
> sudo attributes set as "sudoOption: fqdn", and "sudoHost: 
> [name.example.com]" and have not seen any issues similar to what was 
> described in the bug, but I still wanted to confirm.   I implemented 
> "sudoOption: fqdn" strictly to disallow use of short host names to make 
> the solution a bit more secure.

The fqdn option does not disallow the use of short host names.  It
just resolves the system's hostname (usually via /etc/hosts or DNS)
in order to get the fully-qualified name if the system hostname is
not already fully-qualified.

Bug #678 only affects sudo 1.8.8 through 1.8.11p2.
Furthermore, it would only cause problems in the global defaults
entry.  For example:

    dn: cn=defaults,ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: sudoRole
    cn: defaults
    description: Default sudoOption's go here
    sudoOption: fqdn

Setting fqdn in the individual sudoRole object has no effect because
matching is performed before the sudoOptions for that sudoRole are
applied.

 - todd
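To turn the two facts in the reply into something a practitioner can check, here is an added example (not code from sudo or from this thread) that audits an LDIF export of a sudo LDAP policy. It flags where "sudoOption: fqdn" appears: in the global defaults entry, where it takes effect, or in an individual sudoRole, where it has no effect on host matching. It also reports whether a given sudo version string falls in the range affected by bug 678 (1.8.8 through 1.8.11p2). The sample LDIF, the "cn=dbadmins" role in it, and the assumption that the global options entry is the one with cn=defaults are all constructed for the example.

```python
"""Added example (not part of sudo or the thread above): audit an LDIF export
of a sudo LDAP policy for where "sudoOption: fqdn" is set, and report whether
a given sudo version is in the range affected by bug 678.  The LDIF below is
constructed for the example."""
import re

# Affected range stated in the reply: 1.8.8 through 1.8.11p2 (inclusive).
BUG678_FIRST = (1, 8, 8, 0)
BUG678_LAST = (1, 8, 11, 2)

# Constructed sample: the defaults entry from the reply plus a hypothetical
# per-role entry that repeats "fqdn" where it does nothing.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: fqdn

dn: cn=dbadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dbadmins
sudoUser: %dba
sudoHost: db01.example.com
sudoCommand: /usr/sbin/service
sudoOption: fqdn
"""

def parse_version(ver):
    """Turn '1.8.11p2' into (1, 8, 11, 2); a missing 'pN' suffix counts as p0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {ver!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def affected_by_bug678(ver):
    """True if this sudo release is in the range the reply lists for bug 678."""
    return BUG678_FIRST <= parse_version(ver) <= BUG678_LAST

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, splits entries on blank
    lines and returns a list of {attribute: [values]} dicts.  Base64 ('::')
    values are not decoded; that is enough for a plain-text sudoers export."""
    entries, attrs, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs, last = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]   # folded continuation of previous value
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        attrs.setdefault(last, []).append(value.strip())
    if attrs:
        entries.append(attrs)
    return entries

def audit_fqdn(text):
    """Return (dn, verdict) for every sudoRole whose sudoOption mentions fqdn.
    Assumes the global options entry is the sudoRole named cn=defaults."""
    findings = []
    for entry in parse_ldif(text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        cn = entry.get("cn", [""])[0]
        opts = [o.strip().lower() for o in entry.get("sudoOption", [])]
        if "fqdn" not in opts and "!fqdn" not in opts:
            continue
        if cn == "defaults":
            verdict = "effective: set in the global defaults entry"
        else:
            verdict = "no effect on host matching: set in a per-role sudoRole"
        findings.append((dn, verdict))
    return findings

if __name__ == "__main__":
    for dn, verdict in audit_fqdn(SAMPLE_LDIF):
        print(f"{dn}: {verdict}")
    for v in ("1.8.7p2", "1.8.8", "1.8.11p2", "1.8.12"):
        state = "affected" if affected_by_bug678(v) else "not affected"
        print(f"sudo {v}: {state}")
```

Feed it the output of an ldapsearch against your sudoers base instead of SAMPLE_LDIF to audit a real tree; the version check takes the string printed by `sudo -V`. The cn=defaults test is an assumption about the conventional layout, so adjust it if your site names the global options entry differently.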
