[sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules

Ralph Meier ralph.meier at merckgroup.com
Fri Jan 29 01:31:28 MST 2021


Thanks Todd!

After resolving some syncing issues of our LDAP servers I found there is a second rule:

LDAP Role: os_viocheck_xxxde
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

LDAP Role: os_all_allch
    RunAsUsers: ALL
    Commands:
        ALL

Does this second rule without "!authenticate" overwrite the previous one because
they are just evaluated in the order the LDAP server delivers them? Is there a way to
prioritize a rule?

Best Regards
Ralph
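Added illustration, not from either mail in this thread: the sudoers LDAP schema carries a sudoOrder attribute for exactly this situation. Matching sudoRole entries are processed in ascending sudoOrder (entries without the attribute count as 0) and, as in a sudoers file, the last match decides, so giving the !authenticate role the higher value makes it win regardless of the order the directory returns entries. The base DN and the sudoUser group below are placeholders.

```ldif
# Constructed example. Base DN and the %ldapgroup user spec are placeholders;
# replace them with the real values from your directory.

# Processed first (lower sudoOrder): password required.
dn: cn=os_all_allch,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: os_all_allch
sudoUser: %ldapgroup
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOrder: 10

# Processed last (higher sudoOrder): this match wins, so no password.
dn: cn=os_viocheck_xxxde,ou=sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: os_viocheck_xxxde
sudoUser: %ldapgroup
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: ALL
sudoOption: !authenticate
sudoOrder: 20
```

After the change, `sudo -ll` should list the os_viocheck_xxxde role after os_all_allch, and `sudo -k id` should no longer prompt for a password.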

-----Original Message-----
From: Todd C. Miller <Todd.Miller at sudo.ws>
Sent: Thursday, 28 January 2021 19:59
To: Ralph Meier <ralph.meier at merckgroup.com>
Cc: sudo-users at sudo.ws
Subject: Re: AW: [sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules



I haven't been able to reproduce this problem.  This is what I see using a test user:

$ sudo -k id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

$ sudo -l
Matching Defaults entries for testdude on xerxes:
    ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
    password :", badpass_message="Wrong password :"

User testdude may run the following commands on xerxes:
    (root) NOPASSWD: ALL

$ sudo -ll
Matching Defaults entries for testdude on xerxes:
    ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
    password :", badpass_message="Wrong password :"

User testdude may run the following commands on xerxes:

LDAP Role: testdude
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

My LDIF looks like this:

# testdude, sudoers, sudo.ws
dn: cn=testdude,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: testdude
sudoUser: testdude
sudoRunAs: root
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

# defaults, sudoers, sudo.ws
dn: cn=defaults,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
sudoOption: listpw=never
sudoOption: syslog=auth
sudoOption: !env_reset
sudoOption: passprompt="%u password :"
sudoOption: badpass_message="Wrong password :"



