[sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules

Ralph Meier ralph.meier at merckgroup.com
Fri Jan 29 02:22:54 MST 2021


Unfortunately our LDAP server (OID) does not allow adding the sudoOrder attribute.
I will check with the LDAP admins if they can extend the schema.

Best Regards
Ralph

From: Daniele Palumbo <daniele.palumbo_v-tservices at it.ibm.com>
Sent: Friday, 29 January 2021 10:09
To: Ralph Meier <ralph.meier at merckgroup.com>
Cc: sudo-users at sudo.ws; Todd.Miller at sudo.ws
Subject: RE: [sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules



Hey Ralph,

If I'm not wrong,

The way to prioritize a rule is via sudoOrder
https://www.sudo.ws/man/1.9.5/sudoers.ldap.man.html#sudoOrder

The last match is used in sudo
https://www.sudo.ws/man/1.9.5/sudoers.man.html#SUDOERS_FILE_FORMAT

You can always use sudo -l to see the rules applied.

HTH,
…………………………….
Daniele Palumbo
Global IBM Sudo Technical Lead
Linux Technical Lead -- COE Linux Services
+39.0454640093
+39.3387220799
daniele.palumbo_v-tservices at it.ibm.com<mailto:daniele.palumbo_v-tservices at it.ibm.com>
Value Transformation Services SpA
Via Monte Bianco, 18
37132, Verona - Italy
………………………………
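To show why the two roles in Ralph's listing can give different results and how sudoOrder makes the outcome stable, here is an added example (not code from the thread or from the sudo project) that models sudo's LDAP matching in a simplified way: entries are sorted by sudoOrder (missing means 0, ties keep the server's delivery order) and the last match wins. It assumes a constructed LDIF modelled on Todd's entries, a user named "ralph", and matches only sudoUser/sudoHost (no netgroups or per-command matching).

```python
import re

# Constructed LDIF for the two roles Ralph listed; the DN suffix is an assumption.
LDIF = """\
dn: cn=os_viocheck_xxxde,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: os_viocheck_xxxde
sudoUser: ralph
sudoHost: ALL
sudoRunAs: root
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=os_all_allch,ou=sudoers,dc=example,dc=com
objectClass: sudoRole
cn: os_all_allch
sudoUser: ralph
sudoHost: ALL
sudoRunAs: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Split LDIF into records; every attribute is kept as a list of values."""
    roles = []
    for block in re.split(r"\n\s*\n", text.strip()):
        role = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            role.setdefault(key, []).append(val)
        roles.append(role)
    return roles

def winning_role(roles, user, host="ALL"):
    """Sort by sudoOrder (absent = 0, stable for ties) and keep the last match."""
    ordered = sorted(roles, key=lambda r: float(r.get("sudoOrder", ["0"])[0]))
    match = None
    for r in ordered:
        if user in r.get("sudoUser", []) and host in r.get("sudoHost", []):
            match = r  # a later (higher sudoOrder) entry overrides earlier ones
    return match

def auth_mode(roles, user):
    """'denied' if nothing matches, else whether the winning role needs a password."""
    r = winning_role(roles, user)
    if r is None:
        return "denied"
    return "nopasswd" if "!authenticate" in r.get("sudoOption", []) else "password"
```

With no sudoOrder the result flips with the server's delivery order; giving os_viocheck_xxxde a higher sudoOrder than os_all_allch makes it win regardless of delivery order.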


----- Original message -----
From: Ralph Meier <ralph.meier at merckgroup.com<mailto:ralph.meier at merckgroup.com>>
Sent by: "sudo-users" <sudo-users-bounces at sudo.ws<mailto:sudo-users-bounces at sudo.ws>>
To: "Todd C. Miller" <Todd.Miller at sudo.ws<mailto:Todd.Miller at sudo.ws>>
Cc: "sudo-users at sudo.ws<mailto:sudo-users at sudo.ws>" <sudo-users at sudo.ws<mailto:sudo-users at sudo.ws>>
Subject: [EXTERNAL] Re: [sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules
Date: Fri, Jan 29, 2021 09:32

Thanks Todd !

After resolving some syncing issues of our LDAP servers I found there is a second rule:

LDAP Role: os_viocheck_xxxde
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

LDAP Role: os_all_allch
    RunAsUsers: ALL
    Commands:
        ALL

Does this second rule without "!authenticate" overwrite the previous one because
they are just evaluated in the order the LDAP server delivers them? Is there a way to
prioritize a rule?

Best Regards
Ralph

-----Original Message-----
From: Todd C. Miller <Todd.Miller at sudo.ws<mailto:Todd.Miller at sudo.ws>>
Sent: Thursday, 28 January 2021 19:59
To: Ralph Meier <ralph.meier at merckgroup.com<mailto:ralph.meier at merckgroup.com>>
Cc: sudo-users at sudo.ws<mailto:sudo-users at sudo.ws>
Subject: Re: AW: [sudo-users] sudo 1.9.5p2 ignores NOPASSWD rules



I haven't been able to reproduce this problem.  This is what I see using a test user:

$ sudo -k id
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

$ sudo -l
Matching Defaults entries for testdude on xerxes:
    ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
    password :", badpass_message="Wrong password :"

User testdude may run the following commands on xerxes:
    (root) NOPASSWD: ALL

$ sudo -ll
Matching Defaults entries for testdude on xerxes:
    ignore_local_sudoers, listpw=never, syslog=auth, !env_reset, passprompt="%u
    password :", badpass_message="Wrong password :"

User testdude may run the following commands on xerxes:

LDAP Role: testdude
    RunAsUsers: root
    Options: !authenticate
    Commands:
        ALL

My LDIF looks like this:

# testdude, sudoers, sudo.ws
dn: cn=testdude,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: testdude
sudoUser: testdude
sudoRunAs: root
sudoHost: ALL
sudoCommand: ALL
sudoOption: !authenticate

# defaults, sudoers, sudo.ws
dn: cn=defaults,ou=sudoers,dc=sudo,dc=ws
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: ignore_local_sudoers
sudoOption: listpw=never
sudoOption: syslog=auth
sudoOption: !env_reset
sudoOption: passprompt="%u password :"
sudoOption: badpass_message="Wrong password :"


This message and any attachment are confidential and may be privileged or otherwise protected from disclosure. If you are not the intended recipient, you must not copy this message or attachment or disclose the contents to any other person. If you have received this transmission in error, please notify the sender immediately and delete the message and any attachment from your system. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not accept liability for any omissions or errors in this message which may arise as a result of E-Mail-transmission or for damages resulting from any unauthorized changes of the content of this message and any attachment thereto. Merck KGaA, Darmstadt, Germany and any of its subsidiaries do not guarantee that this message is free of viruses and does not accept liability for any damages caused by any virus transmitted therewith.



Click http://www.merckgroup.com/disclaimer  to access the German, French, Spanish and Portuguese versions of this disclaimer.
____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws<mailto:sudo-users at sudo.ws>>
For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-users





