[sudo-users] sudo-users Digest, Vol 146, Issue 2

Andy West andy.west at oracle.com
Mon Mar 2 10:18:38 MST 2015


Hi Todd,

I just got back to this.  Thank you for the clarification.

Rgds,

Andy West


On 02/02/2015 12:00 PM, sudo-users-request at sudo.ws wrote:
> Send sudo-users mailing list submissions to
> 	sudo-users at sudo.ws
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.sudo.ws/mailman/listinfo/sudo-users
> or, via email, send a message with subject or body 'help' to
> 	sudo-users-request at sudo.ws
>
> You can reach the person managing the list at
> 	sudo-users-owner at sudo.ws
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of sudo-users digest..."
>
>
> Today's Topics:
>
>     1. Re: sudo-users question: bug 678 (Todd C. Miller)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 02 Feb 2015 11:23:54 -0700
> From: "Todd C. Miller" <Todd.Miller at courtesan.com>
> To: Andy West <andy.west at oracle.com>
> Cc: sudo-users at sudo.ws
> Subject: Re: [sudo-users] sudo-users question: bug 678
> Message-ID: <mailman.2.1422903602.25441.sudo-users at sudo.ws>
> Content-Type: text/plain; charset="us-ascii"
>
> On Tue, 27 Jan 2015 16:39:08 -0700, Andy West wrote:
>
>> Does bug 678 have any impact on LDAP-based sudo policies?  I am using
>> sudo attributes set as "sudoOption: fqdn", and "sudoHost:
>> [name.example.com]" and  have not seen any issues similar to what was
>> described in the bug, but I still wanted to confirm.   I implemented
>> "sudoOption: fqdn" strictly to disallow use of short host names to make
>> the solution a bit more secure.
> The fqdn option does not disallow the use of short host names.  It
> just resolves the system's hostname (usually via /etc/hosts or DNS)
> in order to get the fully-qualified name if the system hostname is
> not already fully-qualified.
>
> Bug #678 only affects sudo 1.8.8 through 1.8.11p2.
> Furthermore, it would only cause problems in the global defaults
> entry.  For example:
>
>      dn: cn=defaults,ou=SUDOers,dc=example,dc=com
>      objectClass: top
>      objectClass: sudoRole
>      cn: defaults
>      description: Default sudoOption's go here
>      sudoOption: fqdn
>
> Setting fqdn in the individual sudoRole object has no effect because
> matching is performed before the sudoOptions for that sudoRole are
> applied.
>
>   - todd
>
>
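The two points in Todd's reply (fqdn only resolves the local hostname, it does not reject short names; and in LDAP it only works from the cn=defaults entry because a role's own sudoOptions are applied after that role has matched) are easier to see with a small model of the matching order. The following is an added example, not sudo's source and not anything posted in this thread: it approximates only the parts of sudo's host matching the reply talks about (short name vs. long name comparison, ALL), and the hosts table, the LDIF entries, the user alice and the cn=web_admins role are constructed for the illustration.

```python
"""Constructed model of the sudo LDAP matching order described in the
thread. Not sudo's code; it approximates only the behaviour discussed.

  1. `fqdn` does not forbid short host names: a sudoHost value without a
     dot is still compared against the short host name.
  2. In LDAP, `fqdn` only takes effect from the cn=defaults entry. A
     sudoRole's own sudoOption values are applied after that role has
     already been matched, so an `fqdn` inside a role cannot change
     which roles match.
"""

# Constructed stand-in for the /etc/hosts or DNS lookup that fqdn triggers.
HOSTS_TABLE = {"web1": "web1.example.com", "db1": "db1.example.com"}


def parse_ldif(text):
    """Parse a minimal LDIF blob into a list of {attr: [values]} dicts.
    Blank lines separate entries; continuation lines and base64 (::)
    values are not handled, which is enough for these examples."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def local_host_names(system_hostname, use_fqdn, hosts=HOSTS_TABLE):
    """Return (short_host, long_host) the way sudo derives them.
    With fqdn, a short system name is resolved to its canonical name first;
    without it, whatever hostname(1) returns is used as the long name."""
    long_host = system_hostname
    if use_fqdn and "." not in long_host:
        long_host = hosts.get(long_host, long_host)
    short_host = long_host.split(".", 1)[0]
    return short_host.lower(), long_host.lower()


def host_matches(pattern, short_host, long_host):
    """Match one sudoHost value. A value containing a dot is compared
    against the long name, otherwise against the short name (this is why
    short names keep working when fqdn is on). Netgroups, IP addresses
    and wildcards are left out of the model."""
    if pattern == "ALL":
        return True
    target = long_host if "." in pattern else short_host
    return pattern.lower() == target


def evaluate(ldif_text, system_hostname, user):
    """Return the long host name used for matching and the cn of every
    sudoRole that matches `user` on this host."""
    entries = parse_ldif(ldif_text)
    # Step 1: only the global defaults are consulted before matching.
    global_opts = set()
    for e in entries:
        if e.get("cn") == ["defaults"]:
            global_opts.update(e.get("sudoOption", []))
    short_host, long_host = local_host_names(system_hostname, "fqdn" in global_opts)

    # Step 2: match roles. Per-role sudoOption values are not looked at
    # until after a role matches, so an "fqdn" inside a role is inert here.
    matched = []
    for e in entries:
        if "sudoRole" not in e.get("objectClass", []) or e.get("cn") == ["defaults"]:
            continue
        users = e.get("sudoUser", [])
        if user not in users and "ALL" not in users:
            continue
        if any(host_matches(h, short_host, long_host) for h in e.get("sudoHost", [])):
            matched.append(e["cn"][0])
    return {"long_host": long_host, "matched": matched}


# Constructed LDIF: fqdn set only inside the role, as in the original question.
ROLE_ONLY_FQDN = """
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults

dn: cn=web_admins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: web_admins
sudoUser: alice
sudoHost: web1.example.com
sudoCommand: /usr/sbin/service
sudoOption: fqdn
"""

# Same policy with fqdn moved to cn=defaults, where it actually takes effect.
GLOBAL_FQDN = ROLE_ONLY_FQDN.replace("cn: defaults\n", "cn: defaults\nsudoOption: fqdn\n", 1)

if __name__ == "__main__":
    # hostname(1) on the box returns the short name "web1".
    print(evaluate(ROLE_ONLY_FQDN, "web1", "alice"))  # no match: long host is still "web1"
    print(evaluate(GLOBAL_FQDN, "web1", "alice"))     # matches: resolved to web1.example.com
```

On a real directory the equivalent check is to read the cn=defaults entry and confirm `sudoOption: fqdn` lives there rather than only on individual sudoRole objects; the model above simply makes the reason visible, since the role's option is never consulted before the sudoHost comparison happens.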
