[sudo-users] sudo + sssd backend on FreeBSD 10.3 client

Miller, Vincent (Rick) vmiller at verisign.com
Wed Feb 21 04:16:57 MST 2018

Hi Todd,

Thanks for the reply and assistance, it is appreciated.

Vincent (Rick) Miller
UNIX Systems Engineer
vmiller at verisign.com

-----Original Message-----
From: "Todd C. Miller" <Todd.Miller at sudo.ws>
Date: Tuesday, February 20, 2018 at 4:09 PM
To: Rick Miller <vmiller at verisign.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: [EXTERNAL] Re: [sudo-users] sudo + sssd backend on FreeBSD 10.3 client

    All the netgroup lookups appear to be for "netgroup" followed by a
    number and they are used in a host context.  That leads me to believe
    these are sss host groups being shadowed as netgroups by FreeIPA.
    From the debug output at least some of the netgroups are matching
    so presumably they are required.  It is possible to disable netgroup
    lookups in sudo via the "use_netgroups" setting in sudoers but I
    suspect that would prevent things from working.

This wouldn’t be expected to work (as you allude to), but I will test it.

    If you want to try anyway, a line like the following in /etc/sudoers
    should do it:

    Defaults !use_netgroups

    For this to be effective, the sudoers entry in /etc/nsswitch.conf
    will need to list "files" before "sss".
    I'm afraid there's not much sudo can do about the slow netgroup
    lookups.  FreeBSD's file-based netgroup lookup code appears to open
    and close the file with each lookup.  Sudo is just using the innetgr()
    C library function to check for netgroup membership and the FreeBSD
    implementation parses the entire netgroup file for each lookup.
    Sudo doesn't open or parse the netgroup file directly.  Ultimately,
    this is a FreeBSD problem.

    Putting the netgroup database in a local NIS server would probably
    be quite a bit faster.

This occurred to me later while pondering it. I had not considered a local NIS server, but the customer is unlikely to be amenable to that. However, /etc/netgroup can be trimmed to improve performance. innetgr() is iterating 10s of thousands of lines here when it’s most likely only a handful will match.

    I think I can improve the group file situation slightly.  FreeBSD
    has a way to hint to the group lookup functions that the group file
    should be kept open instead of closing it after each lookup.
    Unfortunately, there's no way to do that with netgroups.

     - todd

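Todd's description of how innetgr() checks netgroup membership, and Rick's remark that /etc/netgroup can be trimmed to the handful of entries that will actually match, as an added example that is not part of the thread: a Python model of netgroup(5) parsing and innetgr()-style matching over a constructed sample file (the host, user and netgroup names are assumptions), plus a helper that lists which netgroups a given client host belongs to, which is the set worth keeping when trimming the file for that client.

```python
import re
# Constructed sample /etc/netgroup (not from the thread): FreeIPA-style host
# groups exported as netgroups, one of them nested inside another.
SAMPLE_NETGROUP = """\
netgroup1 (web01.example.test,,example.test) (web02.example.test,,example.test)
netgroup2 (db01.example.test,,example.test) \\
          netgroup1
netgroup3 (-,alice,example.test) netgroup2
"""

def parse_netgroup(text):
    """Parse netgroup(5) text: name, then (host,user,domain) triples and/or other
    netgroup names; a trailing backslash continues the line; '#' starts a comment."""
    groups = {}
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rest = (re.split(r"\s+", line, maxsplit=1) + [""])[:2]
        members = []
        for tok in re.findall(r"\([^)]*\)|\S+", rest):
            if tok.startswith("("):  # (host,user,domain) triple
                members.append(tuple(f.strip() for f in tok[1:-1].split(",")))
            else:                    # reference to another netgroup
                members.append(tok)
        groups[name] = members
    return groups

def _field_match(pattern, value):
    # None query field = wildcard; empty file field matches anything; "-" matches nothing.
    return value is None or pattern == "" or (pattern != "-" and pattern == value)

def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """Mimic innetgr(3): follow nested netgroups, guard against reference cycles."""
    seen = set() if _seen is None else _seen
    if netgroup in seen:
        return False
    seen.add(netgroup)
    for member in groups.get(netgroup, []):
        if isinstance(member, str):
            if innetgr(groups, member, host, user, domain, seen):
                return True
        elif all(_field_match(p, v) for p, v in zip(member, (host, user, domain))):
            return True
    return False

def netgroups_for_host(groups, host):
    """Netgroups a host is in, directly or nested: what to keep when trimming /etc/netgroup."""
    return {name for name in groups if innetgr(groups, name, host=host)}
```

Unlike the FreeBSD libc behaviour Todd describes, this parses the file once per process; the model is about the matching semantics (empty field matches anything, "-" matches nothing, nested netgroups are followed), not the per-lookup file cost.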