[sudo-workers] Re: sudo ldap

Aaron Spangler as at insight.rr.com
Sun Jul 4 20:11:56 EDT 2004


Chris, Galen, Howard and others,

Please discard the last patch.  It had an off-by-one bug and the debugging 
lines did not show the correct information.  Included is a new patch.  This 
patch has also been committed to CVS for those who use cvs.

Those of you who don't receive this new attachment, let me know and I will directly 
send it to you.

 - Aaron

On Wednesday 30 June 2004 11:09 pm, Aaron Spangler wrote:
> Chris, Galen, Howard and others,
>
> Attached is a Sudo patch to try.  Please let me know if it works for you. 
> If it does what you want, I will go ahead and commit it into CVS.
>
> This patch is the "Allow all commands except ..." code for LDAP on sudo.
> The functionality is mostly similar to /etc/sudoers but with one small
> difference.
>
> Discussion Below....
>
> For example in /etc/sudoers
> "root (ALL)=ALL, !/bin/sh" means anything except /bin/sh
> but
> "root (ALL)=!/bin/sh,ALL" means match any command because ALL is last
>
> According to the LDAP RFC, attributes are not guaranteed to be returned in
> any specific order.  Therefore the sudo-ldap code has made allowances for
> "All but /bin/sh" to be specified as:
>
> 	...
> 	sudoCommand: ALL
> 	sudoCommand: !/bin/sh
>
> and equivalently:
>
> 	...
> 	sudoCommand: !/bin/sh
> 	sudoCommand: ALL
>
> Originally the code only looked for ALLOW matches and ignored DENY
> matches. (meaning that !/bin/sh prevented nothing)
>
> The new LDAP code will allow DENY (!) matches to take precedence over ALLOW
> matches regardless of order.
>
> Clear as Mud?  Let me know if this doesn't make sense.
>
> Please test it and let me know your results and I will put it into CVS.
>
>  -Aaron
>
> On Wednesday 30 June 2004 06:33 am, Chris wrote:
> > Hi Aaron,
> >
> > 	Me again. Sorry for not responding to your previous email, however
> > there wasn't really a problem as such .... however, I found a bit of a
> > problem which I thought you might be able to comment on.
> >
> > It seems from my usage thus far, that sudo-ldap doesn't take into
> > account 'negated' commands when determining if a user can perform the
> > requested command.
> >
> >
> > e.g. if a user has a role which allows them full access to ANY /bin/
> > command....
> > /bin/*
> >
> > but the role doesn't want them to be able to run /bin/shutdown (for
> > example)
> > !/bin/shutdown
> >
> > the sudoldap binary determines that the user _can_ perform /bin/shutdown
> > because it finds the /bin/* match above and does not take into account
> > the negated /bin/shutdown.
> >
> >
> > I'm pretty sure that the normal sudo binary allows the example above...
> > any ideas Aaron?
> >
> > any help/thoughts would be appreciated.
> >
> > again, love your work :)
> >
> >
> > Chris.
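The two matching rules discussed in the thread, as an added illustration that is not Aaron's patch or sudo's own code: `ldap_allowed` applies the order-independent "DENY wins" rule described for sudo-ldap, and `sudoers_allowed` applies the last-match rule given for /etc/sudoers. `cmd_matches` is a hypothetical helper that treats ALL as a wildcard and otherwise uses fnmatch(3); the sample attribute lists are constructed from the mail.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not from the patch: does `pat` (no leading '!')
 * match `cmd`? ALL matches anything; otherwise shell glob via fnmatch(3). */
static int cmd_matches(const char *pat, const char *cmd)
{
    if (strcmp(pat, "ALL") == 0)
        return 1;
    return fnmatch(pat, cmd, 0) == 0;
}

/* Order-independent rule described for the LDAP patch: a matching "!"
 * (DENY) value wins over any matching ALLOW value, regardless of order. */
int ldap_allowed(const char *const *vals, int n, const char *cmd)
{
    int allow = 0;
    for (int i = 0; i < n; i++) {
        if (vals[i][0] == '!') {
            if (cmd_matches(vals[i] + 1, cmd))
                return 0;               /* DENY takes precedence */
        } else if (cmd_matches(vals[i], cmd)) {
            allow = 1;
        }
    }
    return allow;
}

/* Order-dependent /etc/sudoers rule from the mail: the last matching
 * entry decides, so "!/bin/sh, ALL" still permits /bin/sh. */
int sudoers_allowed(const char *const *vals, int n, const char *cmd)
{
    int result = 0;
    for (int i = 0; i < n; i++) {
        int neg = (vals[i][0] == '!');
        if (cmd_matches(vals[i] + neg, cmd))
            result = !neg;
    }
    return result;
}

int main(void)
{
    /* Constructed sample: the reversed attribute order from the mail. */
    const char *b[] = { "!/bin/sh", "ALL" };
    printf("LDAP: %d  sudoers: %d\n", ldap_allowed(b, 2, "/bin/sh"),
           sudoers_allowed(b, 2, "/bin/sh"));
    return 0;
}
```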
-------------- next part --------------
A non-text attachment was scrubbed...
Name: patch2
Type: text/x-diff
Size: 2647 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20040704/cde28438/attachment.bin>