[sudo-workers] sssd user not allowed when fqdn sudoOption defined

Tomas Sykora tosykora at redhat.com
Wed Apr 19 11:30:29 MDT 2017


Hi,

we found this new issue in sudo:

When a user is defined in sssd and defaults sudoOption fqdn is set,
user is not allowed to run sudo, because it doesn't match the hostname.
It is because some garbage gets in the nss->handle->shost string. 
Then in sudo_sss_check_host() this garbage is compared with hostname
and matching fails.

After short investigation I found that the issue may start in 
the sudo_sss_parse_options() function.

With run_early_defaults() sudo gets to the cb_fqdn() function where free(user_runhost)
is called and the value in handle->shost is rewritten or something (I'm not sure
what exactly rewrites it).

Then in the "walk through options again" for loop I noticed strange strings get there;
in my case "!authenticate" or just "" is in handle->shost, which is probably not
something that should be there.

So I think it has something to do with rewriting the user_runhost pointer. So far I haven't
found the exact cause of the problem.

-- 

Tomas Sykora
Security Technologies, 
Red Hat Inc.

