[sudo-users] sudo change is behavior between RHEL6.5 and RHEL 6.6

SERIEYE, Yan yan.serieye at sfr.com
Thu May 26 10:38:12 MDT 2016


Hi,

We use sudo with SSSD in order to get sudo right that are stored in an active directory.

My user yserieye is Member of   a certain number of groups that begin with SUDO_*  and is Primary group is ING800 (GUID=10001).
SUDO_* group are not Unix group

In my Ldap Sudoers Rules I put sudoUser=%SUDO_XXXX.

On redhat 6.5 version of sudo is 1.8.6p3, it worked fine my user yserieye matches the Rules where  sudoUser is a  group he belongs to.

But since redhat 6.6 which use the same version with a few patch it doesn't work any more.

It seems to be caused by this patch :

diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix  2014-07-30 13:29:47.713823996 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c          2014-07-30 13:30:08.917436088 +0200
@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
}
 /*
- * Look for netgroup specifcations in the sudoUser attribute and
- * if found, filter according to netgroup membership.
- *  returns:
- *   true -> netgroup spec found && negroup member
- *  false -> netgroup spec found && not a meber of netgroup
- *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
+ * in sudo. The rules may contain mixed sudoUser specification so we have to check
+ * not only for netgroup membership but also for user and group matches.
  */
-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{
-              bool ret = false, netgroup_spec_found = false;
+             bool ret = false;
               char **val_array, *val;
               int i;
               debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
                                              sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
                                              debug_return_bool(ret);
               }
-
+             /*
+             * Scan sudoUser values and look for netgroup specs.
+             * Netgroup-only rule specification should be filtered
+             * out if the user isn't member of any specified netgroup.
+             */
               for (i = 0; val_array[i] != NULL && !ret; ++i) {
                              val = val_array[i];
-                              if (*val == '+') {
-                                             netgroup_spec_found = true;
-                              }
                              sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
-                              if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
-                                             ret = true;
-                                             sudo_debug_printf(SUDO_DEBUG_DIAG,
-                                                               "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+                             if (*val == '+') {
+                                            /* Netgroup spec found, check netgroup membership */
+                                            if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+                                                            ret = true;
+                                                            sudo_debug_printf(SUDO_DEBUG_DIAG,
+                                                                                             "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
+                                            }
+                             } else {
+                                            /*
+                                            * Non-netgroup sudoUser value
+                                            */
+                                            if (strcmp(val, "ALL") == 0) {
+                                                            ret = true;
+                                            } else {
+                                                            const char *match_val = (*val == '!' ? val + 1 : val);
+                                                            const bool negated = (*val == '!' ? true : false);
+                                                            const bool group_spec = (*match_val == '%' ? true : false);
+
+                                                            if (group_spec) {
+                                                                            if (usergr_matches(match_val,
+                                                                                                              handle->pw->pw_name, handle->pw)) {
+                                                                                           ret = !negated;
+                                                                            }
+                                                            } else {
+                                                                            if (userpw_matches(match_val,
+                                                                                                              handle->pw->pw_name, handle->pw)) {
+                                                                                           ret = !negated;
+                                                                            }
+                                                            }
+                                            }
                              }
               }
               handle->fn_free_values(val_array);
-              debug_return_bool(netgroup_spec_found ? ret : true);
+             debug_return_bool(ret);
}
 static int
@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
     if (sudo_sss_check_host(handle, rule) &&
-        sudo_sss_filter_user_netgroup(handle, rule))
+        sudo_sss_filter_sudoUser(handle, rule))
               debug_return_int(1);
     else
               debug_return_int(0);

so now I don't really know what I should change in my configuration to make it work :

-          changing %SUDO_ to +SUDO_ and convert my group into netgroup

-           using a plugin group (but I didn't really understand how it work).



Yan





More information about the sudo-users mailing list