[sudo-workers] sudo LDAP and order of matches

Andreas Mueller afm at othello.ch
Wed Oct 6 12:03:01 EDT 2010


/etc/sudoers based sudo matches entries in order, and usually uses
the last entry that matched. LDAP based sudo matches entries in the
order they are sent from the LDAP server, and stops scanning for more
entries when a matching entry is found. Thus LDAP sudo uses the
"first" matching entry.

This causes two problems:

1. If the order in which the entries are delivered changes, the
matching entry may change (this can e.g. happen when switching to
a backup LDAP replica). In most cases this will not be a problem,
but with the !authenticate option, we may run into a problem.
If a script relies on a command to be executable as root without
authentication, a modified order of the entries may cause the
script to fail, because a different entry may allow the command,
but only after authentication, which the script cannot provide.
This can only be prevented if all sudoRole entries
are formulated in a way that they don't overlap.

2. It is sometimes difficult or even unfeasible to maintain
nonoverlapping entries.

As far as I can tell, only the authenticate option causes behaviour
so radically different when the entry order changes (script works
or does not work) that there should be a fix. Since there is
no such concept as order of entries in LDAP, one would need to
impose a certain order. One possible solution would be to use 4
instead of 2 passes:
  a) check entries for user, groups or ALL that would allow access to a
     command without authentication (makes scripts work)
  b) check netgroups that would allow access without authentication
  c) check other entries for user, groups or ALL
  d) check all other netgroups

I'm currently hacking on ldap.c and would like to hear your opinion
on global options tentatively called "prefer-authenticated" or
"prefer-unauthenticated" that would allow one to specify such a
search order.

Best regards


Prof. Dr. Andreas Mueller
andreas.mueller at othello.ch
Bubental 53, 8852 Altendorf
Voice: +41 55 4621481  Fax/Data: +41 55 4621482
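An added illustration (not code from the post or from sudo) of the ordering problem described above: a small model of first-match evaluation over sudoRole entries, run over every delivery order the LDAP server might use, compared with the proposed four-pass "prefer-unauthenticated" order. The entries, user and command are constructed sample data.

```python
from itertools import permutations

# Constructed sudoRole entries (sample data, not from the post).  sudoUser
# follows sudo-ldap conventions: "alice" (user), "%ops" (group), "+admins"
# (netgroup), "ALL".  Two overlapping entries grant rsync without a password.
ROLES = [
    {"cn": "backup", "sudoUser": ["alice"],   "sudoCommand": ["/usr/bin/rsync"], "sudoOption": ["!authenticate"]},
    {"cn": "ops",    "sudoUser": ["%ops"],    "sudoCommand": ["ALL"],            "sudoOption": []},
    {"cn": "netadm", "sudoUser": ["+admins"], "sudoCommand": ["/usr/bin/rsync"], "sudoOption": ["!authenticate"]},
]
USER = {"name": "alice", "groups": {"ops"}, "netgroups": {"admins"}}

def user_matches(spec, user):
    if spec == "ALL":
        return True
    if spec.startswith("%"):
        return spec[1:] in user["groups"]
    if spec.startswith("+"):
        return spec[1:] in user["netgroups"]
    return spec == user["name"]

def role_matches(role, user, command):
    return (any(user_matches(s, user) for s in role["sudoUser"])
            and any(c in ("ALL", command) for c in role["sudoCommand"]))

def first_match(roles, user, command):
    """LDAP behaviour from the post: stop at the first matching entry.
    Returns "auth", "noauth", or None when nothing matches."""
    for role in roles:
        if role_matches(role, user, command):
            return "noauth" if "!authenticate" in role["sudoOption"] else "auth"
    return None

def pass_rank(role):
    """Proposed order: a) user/group/ALL without auth, b) netgroup without
    auth, c) other user/group/ALL, d) other netgroups.  Simplification
    (assumption): an entry naming any netgroup counts as a netgroup entry."""
    netgroup = any(s.startswith("+") for s in role["sudoUser"])
    noauth = "!authenticate" in role["sudoOption"]
    return (0 if noauth else 2) + (1 if netgroup else 0)

def ordered_match(roles, user, command):
    """Same first-match scan, but over the four-pass ordering."""
    return first_match(sorted(roles, key=pass_rank), user, command)

def outcomes(matcher, roles, user, command):
    """Set of results across every order the server could deliver entries in."""
    return {matcher(list(p), user, command) for p in permutations(roles)}
```

With plain first-match the rsync result depends on delivery order (both "auth" and "noauth" occur); with the four-pass order it is always "noauth", which is the property the post wants for unattended scripts.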

