[sudo-workers] Re: [sudo-users] Less security with sudo+ldap?

Aaron Spangler aaron777 at gmail.com
Wed Oct 5 22:37:18 EDT 2005


Currently the ldap code does not share any code from the /etc/sudoers
parsing code. Maybe we should change that?

We could change the syntax structure; maybe we could allow an alternate
runas syntax on the sudoCommand option? It would make the code more
complicated; if there is a need for it, then maybe we should take a look at
it. Maybe something like this:

sudoCommand: (root) /usr/local/etc/script1.sh

If that is the case we should also allow for a few permutations such as

sudoOption: authenticate
sudoCommand: !/bin/sh
sudoCommand: ALL
sudoCommand: NOPASSWD: /bin/mount
sudoCommand: (mysql) /usr/sbin/mysqld
sudoCommand: (mysql) NOPASSWD: /usr/bin/mysqldump

I believe there are other permutations, but it might get confusing, so I would
want to explore them all first. For example, what should this mean? Does it
mean that if the user asks for any user other than web, the command is allowed,
or does it mean that the user can run any application as web except df?
sudoCommand: (web) NOEXEC: !/usr/bin/df

In any case, I want everyone to think it through so that we are all making
the best decision.

So, everyone, let us hear your viewpoints. Let's get some ideas.

- Aaron


On 10/5/05, Glenn Pitcher <Glenn.Pitcher at medimpact.com> wrote:
>
> Sure, I could split it into multiple roles, but it would become
> unmanageable. My site has well over 100 servers with hundreds of users, and
> as it is I have 60-some-odd Unix groups I'm maintaining, all of which are
> used in sudo. So if I have to start breaking things down further and add
> people to more groups... well, that just isn't an option.
>
>  -----Original Message-----
> *From:* Aaron Spangler [mailto:aaron777 at gmail.com]
> *Sent:* Wednesday, October 05, 2005 11:44 AM
> *To:* Glenn Pitcher
> *Subject:* Re: [sudo-users] Less security with sudo+ldap?
>
> Split it into two roles. It will work.
>
> On 10/5/05, Glenn Pitcher <Glenn.Pitcher at medimpact.com> wrote:
> >
> > I'm having some problems trying to figure out how to get the same level of
> > security with sudo+ldap that we currently enjoy by using a local sudoers
> > file.
> >
> > Take for instance the following example:
> >
> > %ldapgroup ALL=(nobody) NOPASSWD:ALL
> > %ldapgroup ALL=(webservd) NOPASSWD:ALL
> > %ldapgroup ALL=(root) NOPASSWD:/usr/local/etc/script1.sh,
> > /usr/local/etc/script2.sh
> >
> > If I put this into LDAP, you get:
> >
> > dn: cn=%ldapgroup,dc=sudoers,dc=domain,dc=com
> > objectClass: top
> > objectClass: sudoRole
> > cn: %ldapgroup
> > sudoUser: %ldapgroup
> > sudoRunAs: nobody
> > sudoRunAs: webservd
> > sudoRunAs: root
> > sudoCommand: ALL
> > sudoCommand: /usr/local/etc/script1.sh
> > sudoCommand: /usr/local/etc/script2.sh
> > sudoHost: ALL
> > sudoOption: !authenticate
> >
> > Now, if a user does a 'sudo -l', they'll get back:
> >
> > --------------
> > User <username> may run the following commands on this host:
> > (nobody) NOPASSWD: ALL
> > (webservd) NOPASSWD: ALL
> > (root) NOPASSWD: /usr/local/etc/script1.sh
> > (root) NOPASSWD: /usr/local/etc/script2.sh
> >
> > LDAP Role: %ldapgroup
> > RunAs: (nobody, webservd, root)
> > Commands:
> > ALL
> > /usr/local/etc/script1.sh
> > /usr/local/etc/script2.sh
> > ---------------
> >
> > As you can see, the LDAP solution provides for less security than what was
> > specified in the local sudoers file. For example, in the local sudoers
> > file, the user could only run 2 scripts as root. With LDAP, they can do
> > anything as root. Is there any way of tightening this down further?
> >
> >
> >
> > Glenn Pitcher
> > IT Security
> > MedImpact Healthcare Systems
> > San Diego, CA
> > 858-790-7479
> > glenn.pitcher @ medimpact.com
> >
> >
> > ------------------------------------------------------------------------------
> >
> > This transmission, together with any attachments, is intended only for
> > the use of those to whom it is addressed and may contain information that is
> > privileged, confidential, and exempt from disclosure under applicable law.
> > If you are not the intended recipient, you are hereby notified that any
> > distribution or copying of this transmission is strictly prohibited. If you
> > received this transmission in error, please notify the original sender
> > immediately and delete this message, along with any attachments, from your
> > computer.
> >
> > ==============================================================================
> > ____________________________________________________________
> > sudo-users mailing list <sudo-users at sudo.ws >
> > For list information, options, or to unsubscribe, visit:
> > http://www.sudo.ws/mailman/listinfo/sudo-users
> >
>
>
>

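A toy model of the cross product Glenn describes and of the two remedies raised in the thread (splitting the policy into two roles, and Aaron's proposed `(runas) TAG: command` prefix on sudoCommand), as an added Python example that is neither sudo's own LDAP code nor anything posted in this thread. The attribute semantics modelled follow the thread: every sudoRunAs value in a role applies to every sudoCommand value in the same role, `sudoOption: !authenticate` shows up as NOPASSWD, and a leading `!` on a sudoCommand negates it. The prefix parsing is Aaron's hypothetical syntax, implemented here only to show what it would buy; sudo did not support it. The role names `%ldapgroup_svc` and `%ldapgroup_root`, the default runas of root for a role with no sudoRunAs, and last-match-wins ordering are assumptions of the example.

```python
"""Toy evaluator for sudo LDAP sudoRole entries (added example, not sudo's code).

Every sudoRunAs value in a role applies to every sudoCommand value in the same
role, so one role cannot say "ALL as nobody, but only script1/script2 as root".
The "(runas) TAG: command" prefix is Aaron's proposal, not a sudo feature.
"""
import re
from typing import Dict, Iterator, List, NamedTuple, Optional


class Entry(NamedTuple):
    runas: Optional[str]   # None: use the role's sudoRunAs values
    tags: frozenset        # e.g. {"NOPASSWD"}
    negated: bool          # leading "!" on the command
    command: str           # fully qualified path or "ALL"


Role = Dict[str, List[str]]   # one sudoRole entry: attribute -> values

# Constructed sample data: Glenn's single role, as he loaded it into LDAP.
COLLAPSED_ROLE: Role = {
    "cn": ["%ldapgroup"], "sudoUser": ["%ldapgroup"], "sudoHost": ["ALL"],
    "sudoRunAs": ["nobody", "webservd", "root"],
    "sudoCommand": ["ALL", "/usr/local/etc/script1.sh", "/usr/local/etc/script2.sh"],
    "sudoOption": ["!authenticate"],
}

# "Split it into two roles": service accounts get ALL, root gets the two
# scripts.  Role names are assumed for the example.
SPLIT_ROLES: List[Role] = [
    {"cn": ["%ldapgroup_svc"], "sudoUser": ["%ldapgroup"], "sudoHost": ["ALL"],
     "sudoRunAs": ["nobody", "webservd"], "sudoCommand": ["ALL"],
     "sudoOption": ["!authenticate"]},
    {"cn": ["%ldapgroup_root"], "sudoUser": ["%ldapgroup"], "sudoHost": ["ALL"],
     "sudoRunAs": ["root"],
     "sudoCommand": ["/usr/local/etc/script1.sh", "/usr/local/etc/script2.sh"],
     "sudoOption": ["!authenticate"]},
]

# Hypothetical: the same policy in one role using the proposed prefix syntax.
PROPOSED_ROLE: Role = {
    "cn": ["%ldapgroup"], "sudoUser": ["%ldapgroup"], "sudoHost": ["ALL"],
    "sudoRunAs": ["nobody", "webservd"],   # used by entries without "(runas)"
    "sudoCommand": ["NOPASSWD: ALL",
                    "(root) NOPASSWD: /usr/local/etc/script1.sh",
                    "(root) NOPASSWD: /usr/local/etc/script2.sh",
                    "(mysql) /usr/bin/mysqldump"],
    "sudoOption": ["authenticate"],
}

# Optional "(runas)", zero or more "TAG:" words, optional "!", then the command.
_CMD_RE = re.compile(
    r"^(?:\((?P<runas>[^)]+)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<neg>!?)\s*(?P<cmd>\S.*)$")


def parse_command(value: str, proposed: bool = False) -> Entry:
    """Parse one sudoCommand value; without `proposed` only a leading "!" is special."""
    value = value.strip()
    if not proposed:
        return Entry(None, frozenset(), value.startswith("!"), value.lstrip("!").strip())
    m = _CMD_RE.match(value)
    if m is None:
        raise ValueError(f"unparseable sudoCommand: {value!r}")
    tags = frozenset(t.strip() for t in m.group("tags").split(":") if t.strip())
    return Entry(m.group("runas"), tags, m.group("neg") == "!", m.group("cmd").strip())


def expand(role: Role, proposed: bool = False) -> Iterator[Entry]:
    """Yield the concrete grants a role makes: the cross product from the thread.

    A command with no runas of its own is granted for EVERY sudoRunAs value.
    """
    base = frozenset({"NOPASSWD"}) if "!authenticate" in role.get("sudoOption", []) else frozenset()
    for value in role.get("sudoCommand", []):
        spec = parse_command(value, proposed)
        # Assumption: a role with no sudoRunAs defaults to root (runas_default).
        for runas in ([spec.runas] if spec.runas else role.get("sudoRunAs", ["root"])):
            yield Entry(runas, spec.tags | base, spec.negated, spec.command)


def listing(roles: List[Role], proposed: bool = False) -> List[str]:
    """Lines in the style of `sudo -l`, one per expanded grant."""
    lines = []
    for role in roles:
        for e in expand(role, proposed):
            tags = "".join(f"{t}: " for t in sorted(e.tags))
            lines.append(f"({e.runas}) {tags}{'!' if e.negated else ''}{e.command}")
    return lines


def may_run(roles: List[Role], runas: str, command: str,
            proposed: bool = False) -> Optional[frozenset]:
    """Return the tag set if `command` may run as `runas`, else None.

    Last matching grant wins, as in a sudoers file, so a later "!cmd" removes a
    match made by an earlier "ALL".  The LDAP backend gave no ordering guarantee
    across entries, so "!" exclusions are not a security boundary there.
    """
    verdict: Optional[frozenset] = None
    for role in roles:
        for e in expand(role, proposed):
            if e.runas != runas or (e.command != "ALL" and e.command != command):
                continue
            verdict = None if e.negated else e.tags
    return verdict


if __name__ == "__main__":
    for label, roles, prop in (("collapsed", [COLLAPSED_ROLE], False),
                               ("split", SPLIT_ROLES, False),
                               ("proposed syntax", [PROPOSED_ROLE], True)):
        print(f"--- {label} ---\n" + "\n".join(listing(roles, prop)))
        print("root /bin/sh ->", may_run(roles, "root", "/bin/sh", prop))
```

Running it prints the `(root) NOPASSWD: ALL` grant for the collapsed role, which is absent from both the split roles and the proposed-syntax role; the `(mysql) /usr/bin/mysqldump` entry in the proposed role returns an empty tag set rather than `None`, i.e. allowed but with a password, which is what a per-command tag buys over a role-wide `sudoOption`.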