[sudo-workers] sudo ipa_hostname not honored

Radovan Sroka rsroka at redhat.com
Thu Aug 15 12:15:16 MDT 2019


Hi Todd,

I think that ipa_hostname from /etc/sssd/sssd.conf is not propagated into
sudo.
If I remember correctly, ipa_hostname should be a way for FreeIPA (via SSSD)
to force the hostname to be fully qualified, because IPA uses fully qualified
hostnames in sudo rules.

The "ipa_shost" and "ipa_host" variables are set correctly via
get_ipa_hostname() and they are used once in "sudo_sss_check_user()", but
they are not propagated to the host{name}_matches functions...

logs from sudo-1.8.25
Aug 15 13:21:47 sudo[6227] ipa_hostname
ci-vm-10-0-136-170.hosted.upshift.rdu2.redhat.com overrides
ci-vm-10-0-136-170
Aug 15 13:21:47 sudo[6227] <- get_ipa_hostname @ ./sssd.c:158 := 1
....
Aug 15 13:21:47 sudo[6227] -> sss_to_sudoers @ ./sssd.c:243
Aug 15 13:21:47 sudo[6227] -> sudo_sss_check_user @ ./sssd.c:174
Aug 15 13:21:47 sudo[6227] val[0]=#1978000004
Aug 15 13:21:47 sudo[6227] -> userpw_matches @ ./match.c:1027
Aug 15 13:21:47 sudo[6227] -> sudo_strtoid_v1 @ ./strtoid.c:105
Aug 15 13:21:47 sudo[6227] <- sudo_strtoid_v1 @ ./strtoid.c:169 :=
1978000004
Aug 15 13:21:47 sudo[6227] user tuser5 matches sudoers user #1978000004:
true @ userpw_matches() ./match.c:1043
Aug 15 13:21:47 sudo[6227] <- userpw_matches @ ./match.c:1044 := true
...
Aug 15 13:21:47 sudo[6227] -> hostlist_matches_int @ ./match.c:286
Aug 15 13:21:47 sudo[6227] -> host_matches @ ./match.c:317
Aug 15 13:21:47 sudo[6227] -> hostname_matches @ ./match.c:1003
Aug 15 13:21:47 sudo[6227] host ci-vm-10-0-136-170 matches sudoers pattern
ci-vm-10-0-136-170.hosted.upshift.rdu2.redhat.com: false @
hostname_matches() ./match.c:1013
Aug 15 13:21:47 sudo[6227] <- hostname_matches @ ./match.c:1014 := false
Aug 15 13:21:47 sudo[6227] <- host_matches @ ./match.c:349 := -1
Aug 15 13:21:47 sudo[6227] <- hostlist_matches_int @ ./match.c:293 := -1
-------------------------------------------------------------------------------------------------------------------------------------------
/etc/sssd/sssd.conf contains:
...
ipa_hostname = ci-vm-10-0-136-170.hosted.upshift.rdu2.redhat.com
...

This worked in sudo-1.8.23 because there was a "sudo_sss_check_host()" that
honored ipa_hostname.


-- 
---------------------------------------------------------

Radovan Sroka
Software Engineer | Security Technologies | Red Hat, Inc.
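To make the failure in the log above concrete, here is an added example (not sudo's own match.c or sssd.c, and not part of the original mail). It reimplements the gist of sudo's hostname_matches() rule (a pattern containing a dot is compared against the long host name, otherwise against the short one; wildcards go through fnmatch(3) with FNM_CASEFOLD, everything else through a case-insensitive compare) and then adds a hypothetical wrapper, host_matches_honoring_ipa(), that retries the match with the names derived from ipa_hostname when the system names do not match. The host names and patterns are taken from the log in the mail; the wrapper and the helper short_name() are illustrative names, not sudo functions.

```c
#define _GNU_SOURCE   /* FNM_CASEFOLD on glibc */
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* True if the sudoers host pattern contains fnmatch metacharacters. */
static bool has_meta(const char *s)
{
    return strpbrk(s, "*?[") != NULL;
}

/* Copy the label before the first '.' of host into buf (what ipa_shost
 * is relative to ipa_host). Illustrative helper, not sudo's code. */
static void short_name(const char *host, char *buf, size_t buflen)
{
    size_t n = strcspn(host, ".");
    if (n >= buflen)
        n = buflen - 1;
    memcpy(buf, host, n);
    buf[n] = '\0';
}

/* Approximation of sudo's hostname_matches(): a pattern with a dot is
 * matched against the long name, otherwise against the short name. */
bool hostname_matches(const char *shost, const char *lhost, const char *pattern)
{
    const char *host = strchr(pattern, '.') != NULL ? lhost : shost;
    if (has_meta(pattern))
        return fnmatch(pattern, host, FNM_CASEFOLD) == 0;
    return strcasecmp(host, pattern) == 0;
}

/* Hypothetical fix: fall back to the names derived from ipa_hostname so an
 * FQDN rule from IPA still matches a host whose system hostname is short.
 * ipa_host may be NULL when sssd.conf sets no ipa_hostname. */
bool host_matches_honoring_ipa(const char *shost, const char *lhost,
                               const char *ipa_host, const char *pattern)
{
    char ipa_shost[256];

    if (hostname_matches(shost, lhost, pattern))
        return true;
    if (ipa_host == NULL)
        return false;
    short_name(ipa_host, ipa_shost, sizeof ipa_shost);
    return hostname_matches(ipa_shost, ipa_host, pattern);
}

int main(void)
{
    /* Constructed from the log in the mail: both system names are short
     * because the VM's hostname carries no domain part. */
    const char *shost = "ci-vm-10-0-136-170";
    const char *lhost = "ci-vm-10-0-136-170";
    const char *ipa_host = "ci-vm-10-0-136-170.hosted.upshift.rdu2.redhat.com";
    const char *rule = "ci-vm-10-0-136-170.hosted.upshift.rdu2.redhat.com";

    printf("system names only:  %s\n",
           hostname_matches(shost, lhost, rule) ? "match" : "no match");
    printf("honoring ipa_host:  %s\n",
           host_matches_honoring_ipa(shost, lhost, ipa_host, rule) ? "match" : "no match");
    return 0;
}
```

The first call reproduces the "false" result seen at match.c:1013 in the log; the second shows the behaviour the mail says sudo-1.8.23 had. A wildcard IPA rule such as `*.hosted.upshift.rdu2.redhat.com` fails the same way on the short system name and succeeds only through the ipa_hostname fallback.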

