[sudo-workers] Empty SUDOERS_SEARCH_FILTER bug

Daniel Kopeček dkopecek at redhat.com
Thu Aug 31 06:18:09 MDT 2017


On 08/31/2017 02:05 PM, Todd C. Miller wrote:

> It works fine for me with sudo 1.8.21, what version of sudo are you
> testing?
>
> $ grep search_filter /etc/ldap.conf
> # sudoers_search_filter sudoOrder=5
> sudoers_search_filter
>
> Results in queries like:
>
> sudo: ldap search '(&(|(sudoUser=millert)(sudoUser=%staff)(sudoUser=%#20)(sudoUser=ALL))(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20170831115629.0Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20170831115629.0Z))))'
>
> sudo: ldap search '(&(|(sudoUser=+*)(sudoUser=%:*))(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20170831115629.0Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20170831115629.0Z))))'
>
> This was probably fixed by https://www.sudo.ws/repos/sudo/rev/54856973af41
> Specifically, the hunk that changes how an empty CONF_STR is stored.

sudo: Looking for cn=defaults: cn=defaults
sudo: no default options found in ou=SUDOers,dc=localhost,dc=localdomain
sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%#0)(sudoUser=ALL))'
sudo: searching from base 'ou=SUDOers,dc=localhost,dc=localdomain'
sudo: ldap search pass 1 failed: No such object
sudo: ldap search '(sudoUser=*)(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=localhost,dc=localdomain'
sudo: ldap search pass 2 failed: Bad search filter
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches

This is with sudo-1.8.20p2 from Fedora 26 (I'm testing with an empty 
ldap db here, but that shouldn't affect the second "Bad search filter" 
result).

ldap.conf contents:

# cat /etc/ldap.conf
URI ldap://127.0.0.1
SUDOERS_BASE ou=SUDOers,dc=localhost,dc=localdomain
SUDOERS_DEBUG 2
SUDOERS_SEARCH_FILTER
#
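Added example, not sudo's code and not part of this thread: a small C sketch of the two points the exchange turns on, treating an empty SUDOERS_SEARCH_FILTER value as unset instead of as a present-but-empty string, and a structural check that the composed filter is one parenthesised expression, which flags the '(sudoUser=*)(sudoUser=+*)' shape the server rejected as "Bad search filter". It assumes a configured site filter is already a complete parenthesised LDAP filter; conf_str, build_filter and filter_is_single_expr are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Normalise a config value: NULL or an empty/whitespace-only value is
 * reported as "unset" (NULL). Hypothetical helper, not sudo's CONF_STR. */
const char *conf_str(const char *val) {
    if (val == NULL) return NULL;
    while (*val == ' ' || *val == '\t') val++;
    return *val ? val : NULL;
}

/* Compose the final filter for one search pass: with a site filter,
 * AND it with the per-pass sudoUser clause; without one, the clause
 * is used alone. Caller frees the result. */
char *build_filter(const char *site_filter, const char *user_clause) {
    const char *sf = conf_str(site_filter);
    size_t n = strlen(user_clause) + (sf ? strlen(sf) : 0) + 8;
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    if (sf != NULL)
        snprintf(buf, n, "(&%s%s)", sf, user_clause);
    else
        snprintf(buf, n, "%s", user_clause);
    return buf;
}

/* Structural check: balanced parentheses and exactly one top-level
 * expression. Two adjacent top-level terms, as in the pass-2 log line
 * above, are not a valid RFC 4515 filter. Returns 1 when OK. */
int filter_is_single_expr(const char *f) {
    int depth = 0, top = 0;
    if (f == NULL || f[0] != '(') return 0;
    for (const char *p = f; *p; p++) {
        if (*p == '(') { if (depth++ == 0) top++; }
        else if (*p == ')') { if (--depth < 0) return 0; }
        else if (depth == 0) return 0;   /* stray text between terms */
    }
    return depth == 0 && top == 1;
}

int main(void) {
    const char *clause = "(|(sudoUser=+*)(sudoUser=%:*))";
    char *f = build_filter("", clause);   /* empty setting -> unset */
    printf("%s ok=%d\n", f, filter_is_single_expr(f));
    free(f);
    /* the filter seen in the failing pass-2 line of the log above */
    printf("ok=%d\n", filter_is_single_expr("(sudoUser=*)(sudoUser=+*)"));
    return 0;
}
```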

