[sudo-workers] Re: sudo ldap

Jacob Pszonowsky jdp16 at mac.com
Wed Jul 7 14:36:21 EDT 2004


Aaron -

Great work! Exactly the functionality I was looking for. Tested on 
Solaris 9 (Sparc with native ldap libraries) this morning and 
everything works great.

Thanks,
Jake

Catch me @ http://findjake.com


On Jul 4, 2004, at 5:11 PM, Aaron Spangler wrote:

> Chris, Galen, Howard and others,
>
> Please discard the last patch.  It had an off-by-one bug and the debugging
> lines did not show the correct information.  Included is a new patch.  This
> patch has also been committed to CVS for those who use cvs.
>
> Those of you who don't receive this new attachment, let me know and I will
> directly send it to you.
>
>  - Aaron
>
> On Wednesday 30 June 2004 11:09 pm, Aaron Spangler wrote:
>> Chris, Galen, Howard and others,
>>
>> Attached is a Sudo patch to try.  Please let me know if it works for you.
>> If it does what you want, I will go ahead and commit it into CVS.
>>
>> This patch is the "Allow all commands except ..." code for LDAP on sudo.
>> The functionality is mostly similar to /etc/sudoers but with one small
>> difference.
>>
>> Discussion Below....
>>
>> For example in /etc/sudoers
>> "root (ALL)=ALL, !/bin/sh" means anything except /bin/sh
>> but
>> "root (ALL)=!/bin/sh,ALL" means match any command because ALL is last
>>
>> According to the LDAP RFC, attributes are not guaranteed to be returned in
>> any specific order.  Therefore the sudo-ldap code has made allowances for
>> "All but /bin/sh" to be specified as:
>>
>> 	...
>> 	sudoCommand: ALL
>> 	sudoCommand: !/bin/sh
>>
>> and equivalently:
>>
>> 	...
>> 	sudoCommand: !/bin/sh
>> 	sudoCommand: ALL
>>
>> Originally the code only looked for ALLOW matches and ignored DENY
>> matches. (meaning that !/bin/sh prevented nothing)
>>
>> The new LDAP code will allow DENY (!) matches to take precedence over ALLOW
>> matches regardless of order.
>>
>> Clear as Mud?  Let me know if this doesn't make sense.
>>
>> Please test it and let me know your results and I will put it into CVS.
>>
>>  -Aaron
>>
>> On Wednesday 30 June 2004 06:33 am, Chris wrote:
>>> Hi Aaron,
>>>
>>> 	Me again. Sorry for not responding to your previous email; however,
>>> there wasn't really a problem as such .... However, I found a bit of a
>>> problem which I thought you might be able to comment on.
>>>
>>> It seems from my usage thus far, that sudo-ldap doesn't take into
>>> account 'negated' commands when determining if a user can perform the
>>> requested command.
>>>
>>>
>>> e.g. if a user has a role which allows them full access to ANY /bin/
>>> command....
>>> /bin/*
>>>
>>> but the role doesn't want them to be able to run /bin/shutdown (for
>>> example)
>>> !/bin/shutdown
>>>
>>> the sudoldap binary determines that the user _can_ perform /bin/shutdown
>>> because it finds the /bin/* match above and does not take into account
>>> the negated /bin/shutdown.
>>>
>>>
>>> I'm pretty sure that the normal sudo binary allows the example above...
>>> any ideas Aaron?
>>>
>>> any help/thoughts would be appreciated.
>>>
>>> again, love your work :)
>>>
>>>
>>> Chris.
> <patch2>____________________________________________________________
> sudo-workers mailing list <sudo-workers at gratisoft.us>
> For list information, options, or to unsubscribe, visit:
> http://www.gratisoft.us/mailman/listinfo/sudo-workers



Jacob Pszonowsky

jdp16 at mac.com
(c) 415.225.2647
(f) 415.358.5918
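As an added illustration (not code from this thread or from the sudo project), the following Python model contrasts the three behaviours discussed above: ordered, last-match-wins evaluation as in /etc/sudoers (where "ALL, !/bin/sh" denies /bin/sh but "!/bin/sh, ALL" permits it), the original sudo-ldap behaviour that consulted only ALLOW values, and the patched behaviour in which any matching DENY (!) value wins regardless of the order the LDAP server returned the sudoCommand attribute values in. The function names, the use of Python's fnmatch for wildcard matching, and the sample rule sets are assumptions made for the example.

```python
import fnmatch

ALL = "ALL"


def _split(spec):
    """Split one command spec into (negated, pattern).
    '!/bin/sh' -> (True, '/bin/sh'); 'ALL' -> (False, 'ALL')."""
    negated = spec.startswith("!")
    return negated, (spec[1:] if negated else spec)


def _cmd_matches(pattern, command):
    """One pattern against a fully qualified command path.
    'ALL' matches anything; otherwise shell-style glob matching is
    assumed (fnmatch), which is how '/bin/*' in the thread is read."""
    if pattern == ALL:
        return True
    return fnmatch.fnmatchcase(command, pattern)


def sudoers_allows(specs, command):
    """Model of /etc/sudoers evaluation: specs are ORDERED and the last
    matching entry decides, so ['!/bin/sh', 'ALL'] still permits /bin/sh."""
    allowed = False
    for spec in specs:
        negated, pattern = _split(spec)
        if _cmd_matches(pattern, command):
            allowed = not negated
    return allowed


def ldap_allows_old(sudo_commands, command):
    """Behaviour Chris reported: only ALLOW values are consulted, so a
    negated value such as '!/bin/shutdown' never blocks anything."""
    return any(
        _cmd_matches(pattern, command)
        for negated, pattern in map(_split, sudo_commands)
        if not negated
    )


def ldap_allows_new(sudo_commands, command):
    """Behaviour after Aaron's patch: a matching DENY value takes precedence
    over any matching ALLOW value, whatever order the values arrive in.
    With no matching ALLOW value at all the command is still denied."""
    matched_allow = False
    for negated, pattern in map(_split, sudo_commands):
        if _cmd_matches(pattern, command):
            if negated:
                return False          # DENY wins immediately
            matched_allow = True
    return matched_allow


def order_independent(sudo_commands, command):
    """True if ldap_allows_new gives the same answer for the values in
    the given order and in reverse order (what the LDAP RFC requires us
    to tolerate)."""
    return ldap_allows_new(sudo_commands, command) == ldap_allows_new(
        list(reversed(sudo_commands)), command
    )


if __name__ == "__main__":
    # Constructed sample rule sets taken from the examples in the thread.
    cases = [
        (["ALL", "!/bin/sh"], "/bin/sh"),
        (["!/bin/sh", "ALL"], "/bin/sh"),
        (["/bin/*", "!/bin/shutdown"], "/bin/shutdown"),
        (["!/bin/shutdown", "/bin/*"], "/bin/shutdown"),
        (["/bin/*", "!/bin/shutdown"], "/bin/ls"),
    ]
    print(f"{'rules':<32}{'command':<16}{'sudoers':<9}{'ldap-old':<10}ldap-new")
    for rules, cmd in cases:
        print(f"{', '.join(rules):<32}{cmd:<16}"
              f"{str(sudoers_allows(rules, cmd)):<9}"
              f"{str(ldap_allows_old(rules, cmd)):<10}"
              f"{ldap_allows_new(rules, cmd)}")
```

The model shows the one difference Aaron describes: in the sudoers column the answer for /bin/sh flips with the order of the two entries, while in the ldap-new column the order of the two sudoCommand values makes no difference and the negated entry always wins.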



