[sudo-workers] sudoRunAsUser option not behaving properly
Lenka Doudova
ldoudova at redhat.com
Tue Nov 1 07:54:07 MDT 2016
Hi,

I was pointed to a discussion regarding sudo RunAsUser/RunAsGroup problems
[1] and have a question about improperly handled RunAsUsers as mentioned
in the discussion. I'm working on FreeIPA where I have: user testuser,
group testgroup, sudorule testrule with RunAsUser empty and
RunAsGroup=testgroup. When I want to see the list of commands user testuser
can run, I get:
# su -c "sudo -ll -n" testuser
Matching Defaults entries for testuser on <hostname>:
!visiblepw, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !authenticate
User testuser may run the following commands on <hostname>:
SSSD Role: testrule
RunAsUsers: testuser
RunAsGroups: testgroup
Options: !authenticate
Commands:
ALL
I'm afraid that the RunAsUsers=testuser is a bug and the result should be
RunAsUsers=root (i.e. the default, which was not changed), but I need
confirmation that this issue is indeed a bug and not a change in
behaviour.

The problem first occurred with sudo-1.8.18-1, then I tried installing
and running it with sudo-1.8.18-rc4 where some issues with RunAsUsers
were said to be fixed, but this issue persisted.
Thanks,
Lenka
[1] https://www.sudo.ws/pipermail/sudo-workers/2016-September/001014.html
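Added example, not part of the original post and not code from sudo, SSSD or FreeIPA: a small parser for the `sudo -ll` listing format quoted in the message, which reports roles whose RunAsUsers is the invoking user while RunAsGroups is set, so the same check can be repeated across sudo versions. The sample input is constructed from the listing above with the Defaults line abridged, and the function names are hypothetical.

```python
import re

# Constructed sample: the listing quoted in the post, Defaults line abridged.
SAMPLE = """\
Matching Defaults entries for testuser on <hostname>:
!visiblepw, env_reset, !authenticate
User testuser may run the following commands on <hostname>:
SSSD Role: testrule
RunAsUsers: testuser
RunAsGroups: testgroup
Options: !authenticate
Commands:
ALL
"""

HEADER = re.compile(r"^User (\S+) may run the following commands on .+:$")
FIELD = re.compile(r"^(SSSD Role|RunAsUsers|RunAsGroups|Options): (.*)$")

def parse_sudo_ll(text):
    """Parse `sudo -ll` output into (invoking_user, list of rule dicts)."""
    user, rules, in_commands = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            user, in_commands = header.group(1), False
        elif field and field.group(1) == "SSSD Role":
            rules.append({"role": field.group(2), "RunAsUsers": [],
                          "RunAsGroups": [], "Options": [], "Commands": []})
            in_commands = False
        elif field and rules:
            values = [v.strip() for v in field.group(2).split(",")]
            rules[-1][field.group(1)] = [v for v in values if v]
            in_commands = False
        elif line == "Commands:" and rules:
            in_commands = True
        elif in_commands and line:
            rules[-1]["Commands"].append(line)
    return user, rules

def self_runas_rules(user, rules):
    """Roles listing only the invoking user as RunAsUsers with RunAsGroups set."""
    return [r["role"] for r in rules
            if r["RunAsGroups"] and r["RunAsUsers"] == [user]]

if __name__ == "__main__":
    invoking_user, parsed = parse_sudo_ll(SAMPLE)
    for role in self_runas_rules(invoking_user, parsed):
        print(f"{role}: RunAsUsers is the invoking user ({invoking_user})")
```

Only the `SSSD Role:` block layout shown in the message is handled; other listing layouts are out of scope for this sketch.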