[sudo-workers] sudo+ldap and ldap.conf
Andrea Barisani
lcars at gentoo.org
Tue Jun 14 14:13:46 EDT 2005
On Tue, Jun 14, 2005 at 11:09:53AM -0700, Aaron Spangler wrote:
> There are several options:
>
> Option 1:
> On systems with nscd (such as Linux & Solaris), NSCD starts up as root
> on boot, so you can chmod 600 /etc/ldap.conf and even non-root
> processes will be able to query Name service information (via libc->
> getXXbyYY -> nscd (root out of process) -> nss_ldap). Also pam_ldap
> is usually called as root anyway via daemon processes. So you can
> have a perfectly happy system that uses the built in nscd api to get
> the name service information.
Honestly this is *really* ugly, and nscd is not always used due to security
concerns. Also nscd is a caching system, I'm not sure that what you are
proposing would work.
> The only drawback is that if nscd dies the system will have problems.
> I have seen many solaris systems that run for months without reboot
> using nscd exclusively. Another *slight* drawback is that nscd
> typically provides information for three types of entries, user,
> group, and host. If you are using netgroups via ldap, then you might
> need to do the split file approach.
Yes...as I said it's fugly imho ;)
>
> Option 2:
> If you are not using nss_ldap (but only using pam_ldap) you can still
> have the file 600 since pam generally requires all authentications be
> done by root (to access /etc/shadow or equivilent for example). We
> have one very large client with about 650 systems running like this.
True, but as I said we are using nss_ldap as well and that's likely to be the
case.
>
> Option 3:
> Use the split file approach you already documented earlier via the
> -DLDAP_CONFIG option.
Yes that was my workaround and indeed it is documented in README.LDAP but I
think you should stress more about this problem security_wise, simply showing
that you can redefine the conf doesn't show the security aspect of this issue.
Also don't you think that making sudo+ldap rootdn aware could be a good
option? (/etc/ldap.secret mode 600)
Cheers
>
> I hope this information helps.
>
> -Aaron
>
>
> On 6/14/05, Andrea Barisani <lcars at gentoo.org> wrote:
> >
> > Hi,
> >
> > quoting README.LDAP: "The /etc/ldap.conf file is meant to be shared between
> > sudo, pam_ldap, nss_ldap", that's fine in theory but it also means that every
> > local user is able to see the ldap'ized /etc/sudoers settings while normally
> > /etc/sudoers is not readable by the user.
> >
> > Having ldap.conf not readable is not an option when it's used with pam_ldap
> > and especially nss_ldap. So probably the only way to make sudo ldap settings
> > not readable by users is pointing it to a different ldap.conf (ldap.conf-sudo
> > with a specific binddn and bindpw) changing -DLDAP_CONFIG.
> >
> > Do you agree that this actually decreases security and that it should be
> > handled differently or at least specified in the docs (maybe pointing the
> > ldap.conf-sudo hack) ?
> >
> > Of course feel free to slap me on the face if I'm totally missing something
> > and there is a way to do what I'm seeking ;).
> >
> > Cheers
> >
> > P.S.
> > thx for adding ldap to sudo! it was the last missing bit for having a
> > complete ldap'ized system.
> >
> > --
> > Andrea Barisani <lcars at gentoo.org> .*.
> > Gentoo Linux Infrastructure Developer V
> > ( )
> > GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
> > 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
> > "Pluralitas non est ponenda sine necessitate"
> > ____________________________________________________________
> > sudo-workers mailing list <sudo-workers at sudo.ws>
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-workers
> >
>
--
Andrea Barisani <lcars at gentoo.org> .*.
Gentoo Linux Infrastructure Developer V
( )
GPG-Key 0x864C9B9E http://dev.gentoo.org/~lcars/pubkey.asc ( )
0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E ^^_^^
"Pluralitas non est ponenda sine necessitate"
More information about the sudo-workers
mailing list