[sudo-workers] sudo -l problem
Radovan Sroka
rsroka at redhat.com
Tue Nov 14 14:10:14 MST 2017
Hi Todd,
I have found a problem with SSSD, and probably with the LDAP backend too (I haven't tried it).
When using sudo -l, sudo checks only the first rule to decide whether the user has to be
authenticated.
e.g.:
[beat@idmc ~]$ sudo -k; sudo -l
[sudo] password for beat:
...
User beat may run the following commands on idmc:
(ALL : ALL) /bin/ls
(ALL : ALL) NOPASSWD: /usr/bin/id
The user shouldn't have to be authenticated when listpw is "any", which is the default.
[beat@idmc ~]$ sudo -k; sudo -l
User beat may run the following commands on idmc:
(ALL : ALL) NOPASSWD: /usr/bin/id
(ALL : ALL) /bin/ls
This is the situation where the user is not authenticated.
I have created a patch for sssd.c, but for ldap.c it should be more or less the same.
diff -up ./plugins/sudoers/sssd.c.break ./plugins/sudoers/sssd.c
--- ./plugins/sudoers/sssd.c.break 2017-11-14 20:35:47.353989596 +0100
+++ ./plugins/sudoers/sssd.c 2017-11-14 21:43:56.074968902 +0100
@@ -1320,7 +1320,7 @@ sudo_sss_lookup(struct sudo_nss *nss, in
user_uid == list_pw->pw_uid ||
sudo_sss_check_command(handle, rule, NULL) == true) {
matched = true;
- break;
+ //break;
}
}
}
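Review bot: commenting out the `break` (`+ //break;`) leaves dead code in place; delete the line and put a comment there explaining why the loop must now visit every matching rule (so that the authentication flag of all rules, not only the first, feeds the listpw decision). Also verify that the per-rule value the loop computes is accumulated across iterations rather than overwritten; if it is simply overwritten, the outcome will follow the last matching rule instead of the first, which is still order-dependent. Note too that `sudo_sss_check_command()` is now evaluated for every rule instead of stopping at the first match.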
@@ -1335,6 +1335,8 @@ sudo_sss_lookup(struct sudo_nss *nss, in
case any:
if (doauth == false)
SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD); // ensure that
there will be an authentication
break;
default:
break;
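Review bot: the `//` comment on the `CLR(ret, FLAG_NOPASSWD);` line has wrapped onto a second line in the mail (`there will be an authentication`), so the patch as posted will not compile once applied; use a `/* ... */` comment on its own line, matching the style of the surrounding code. The new `else` branch also only has an effect if `FLAG_NOPASSWD` can already be set in `ret` before this switch: if `ret` starts clear it is a no-op, and if the flag can be set earlier, check whether the other pwcheck cases need the same clearing.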
--
---------------------------------------------------------
Radovan Sroka
Associate Software Engineer | Security Technologies | Red Hat, Inc.
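As an added example (not the mail's own code and not sudo's source), here is a small Python model of the two behaviours the mail contrasts: deciding whether `sudo -l` must prompt for a password from the first matching rule only, versus from all matching rules, for the listpw values any/all/always/never described in sudoers(5). The rule lists and function names are constructed for illustration.

```python
# Constructed sample rules: (command, requires_authentication).
# The two lists hold the same rules in the two orders shown in the mail.
RULES_LS_FIRST = [("/bin/ls", True), ("/usr/bin/id", False)]
RULES_ID_FIRST = [("/usr/bin/id", False), ("/bin/ls", True)]


def needs_password_first_match_only(rules, listpw="any"):
    """Model of the reported behaviour: the loop breaks after the first
    matching rule, so that rule's authentication flag alone decides."""
    if listpw == "always":
        return True
    if listpw == "never":
        return False
    for _cmd, doauth in rules:
        # stopping after the first match: order of rules decides the answer
        return doauth
    return True  # no matching rule: stay conservative and prompt


def needs_password_all_rules(rules, listpw="any"):
    """Model of the listpw semantics from sudoers(5), examining every rule:
    any  -> no password if at least one rule has NOPASSWD (doauth False)
    all  -> no password only if every rule has NOPASSWD"""
    if listpw == "always":
        return True
    if listpw == "never":
        return False
    flags = [doauth for _cmd, doauth in rules]
    if not flags:
        return True  # no matching rule: stay conservative and prompt
    if listpw == "any":
        return all(flags)  # prompt only when every rule requires a password
    if listpw == "all":
        return any(flags)  # prompt when any rule requires a password
    raise ValueError("unknown listpw value: %r" % listpw)


def is_order_independent(decide, rules, listpw="any"):
    """True if reversing the rule order does not change the decision."""
    return decide(rules, listpw) == decide(list(reversed(rules)), listpw)


if __name__ == "__main__":
    for name, fn in (("first match only", needs_password_first_match_only),
                     ("all rules", needs_password_all_rules)):
        print(name, "ls first:", fn(RULES_LS_FIRST),
              "id first:", fn(RULES_ID_FIRST),
              "order independent:", is_order_independent(fn, RULES_LS_FIRST))
```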