[sudo-users] sudo + sssd backend on FreeBSD 10.3 client
Miller, Vincent (Rick)
vmiller at verisign.com
Wed Feb 21 04:16:57 MST 2018
Thanks for the reply and assistance; it is appreciated.
Vincent (Rick) Miller
UNIX Systems Engineer
vmiller at verisign.com
From: "Todd C. Miller" <Todd.Miller at sudo.ws>
Date: Tuesday, February 20, 2018 at 4:09 PM
To: Rick Miller <vmiller at verisign.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: [EXTERNAL] Re: [sudo-users] sudo + sssd backend on FreeBSD 10.3 client
> All the netgroup lookups appear to be for "netgroup" followed by a
> number and they are used in a host context. That leads me to believe
> these are sss host groups being shadowed as netgroups by FreeIPA.
> From the debug output at least some of the netgroups are matching
> so presumably they are required. It is possible to disable netgroup
> lookups in sudo via the "use_netgroups" setting in sudoers but I
> suspect that would prevent things from working.

This wouldn’t be expected to work (as you allude to), but I will test it.

> If you want to try anyway, a line like the following in /etc/sudoers
> should do it:
>
> For this to be effective, the sudoers entry in /etc/nsswitch.conf
> will need to list "files" before "sss".
>
> I'm afraid there's not much sudo can do about the slow netgroup
> lookups. FreeBSD's file-based netgroup lookup code appears to open
> and close the file with each lookup. Sudo is just using the innetgr()
> C library function to check for netgroup membership and the FreeBSD
> implementation parses the entire netgroup file for each lookup.
> Sudo doesn't open or parse the netgroup file directly. Ultimately,
> this is a FreeBSD problem.
>
> Putting the netgroup database in a local NIS server would probably
> be quite a bit faster.

This occurred to me later while pondering it. I had not considered a local NIS server, but the customer is unlikely to be amenable to that. However, /etc/netgroup can be trimmed to improve performance. innetgr() is iterating tens of thousands of lines here when it’s most likely only a handful will match.

> I think I can improve the group file situation slightly. FreeBSD
> has a way to hint to the group lookup functions that the group file
> should be kept open instead of closing it after each lookup.
> Unfortunately, there's no way to do that with netgroups.
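One way to do the trimming discussed above, as an added example that is not code from the thread or from the sudo project: a script that keeps only the netgroups /etc/sudoers references as `+name`, plus any netgroups those nest, so innetgr() has far fewer lines to scan. The sudoers fragment and netgroup file below are constructed sample inputs; the nesting and backslash-continuation handling follows the netgroup(5) format.

```python
import re

# Constructed sample inputs: a sudoers fragment referencing two netgroups,
# and a netgroup file with a continuation line, a nested netgroup, and
# unrelated entries (netgroup4/netgroup5) that sudo never consults.
SUDOERS = """\
Defaults use_netgroups
+netgroup1 ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
+netgroup2 ALL=(root) /usr/local/bin/restart-svc
"""
NETGROUP = """\
netgroup1 (host1,,) \\
          netgroup3
netgroup2 (host2,,) (host3,,)
netgroup3 (host4,,)
netgroup4 (host5,,) netgroup5
netgroup5 (host6,,)
"""

def sudoers_netgroups(text):
    """Netgroup names written as +name in User_List or Host_List positions."""
    return set(re.findall(r'(?<![\w-])\+([\w.-]+)', text))

def parse_netgroup(text):
    """Join backslash continuations; return {name: [members]} in file order."""
    groups = {}
    for line in text.replace('\\\n', ' ').splitlines():
        line = line.split('#', 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        name, *members = line.split()
        groups[name] = members                    # members: (h,u,d) or netgroup
    return groups

def trim_netgroup(groups, wanted):
    """Keep wanted netgroups plus, transitively, every netgroup they nest."""
    keep, stack = set(), list(wanted)
    while stack:
        name = stack.pop()
        if name in keep or name not in groups:
            continue
        keep.add(name)
        stack.extend(m for m in groups[name] if not m.startswith('('))
    return {n: groups[n] for n in groups if n in keep}

def render(groups):
    """Serialise back to netgroup(5) format, one group per line."""
    return ''.join(f"{n} {' '.join(m)}\n" for n, m in groups.items())

if __name__ == '__main__':
    print(render(trim_netgroup(parse_netgroup(NETGROUP),
                               sudoers_netgroups(SUDOERS))), end='')
```

Anything else on the host that consults netgroups (other PAM or NSS consumers) must be checked before the trimmed output replaces /etc/netgroup, since the script only knows what sudoers references.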