[sudo-workers] Supporting sudoUser:!foo in sudo.ldap

Simon Lees sflees at suse.de
Sun Dec 12 21:25:56 MST 2021 

Hi All,

Currently our usual sudo maintainers are busy on other projects so i've
been tasked with looking at the following feature request from a
customer, ideally we would like to upstream whatever we do so I thought
i'd discuss it here now that I have a decent idea of the issue and a
possible solution.

From man sudo.ldap

Another difference is that it is not possible to use negation in a
sudoUser, sudoRunAsUser or sudoRunAsGroup attribute.  For example, the
following attributes do not behave

    the way one might expect.

         # does not match all but joe
         # rather, does not match anyone
         sudoUser: !joe

         # does not match all but joe
         # rather, matches everyone including Joe
         sudoUser: ALL
         sudoUser: !joe

We have customers that are after a way to do this (otherwise I probably
wouldn't be looking at it). Our in house ldap expert suggested that
introducing a global !joe option could potentially have some unintended
consequences but that implementing the second should be possible by
changing a query from

(&
    (|
        (sudoUser=NAME)
        (sudoUser=ALL)
        (sudoUser=%GROUP_NAME)
    )
)

to

(&
    (|
        (sudoUser=NAME)
        (sudoUser=ALL)
        (sudoUser=%GROUP_NAME)
    )
    (!
        (sudoUser=!NAME)
    )
)


I have a patch inline below that we have used to successfully test this
theory, which leaves us with the question of has this never been
implemented due to people not requesting it or due to other potential
issues that we have overlooked and secondly would this feature be
something that you are intestested in as an upstream.

This is our proof of concept patch, if the idea is suitable for upstream
then please let me know if there is a better place for me to submit it.

Thanks

Simon

Index: sudo-1.9.5p2/plugins/sudoers/ldap.c
===================================================================
--- sudo-1.9.5p2.orig/plugins/sudoers/ldap.c
+++ sudo-1.9.5p2/plugins/sudoers/ldap.c
@@ -986,6 +986,9 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
     /* If timed, add space for time limits. */
     if (ldap_conf.timed)
 	sz += TIMEFILTER_LENGTH;
+
+     /* Add space for ALL, !USER */
+     sz += 15 + sudo_ldap_value_len(pw->pw_name);
     if ((buf = malloc(sz)) == NULL)
 	goto bad;
     *buf = '\0';
@@ -1074,6 +1077,13 @@ sudo_ldap_build_pass1(LDAP *ld, struct p
     } else if (ldap_conf.search_filter) {
 	CHECK_STRLCAT(buf, ")", sz); /* closes the global OR */
     }
+
+    /* To support ALL, !USER now add a !check for sudoUser=!NAME */
+    /* Global ! + sudoUser=!user_name filter */
+    CHECK_STRLCAT(buf, "(!(sudoUser=!", sz);
+    CHECK_LDAP_VCAT(buf, pw->pw_name, sz);
+    CHECK_STRLCAT(buf, "))", sz);
+
     CHECK_STRLCAT(buf, ")", sz); /* closes the global OR or the global
AND */

     debug_return_str(buf);



-- 
Simon Lees (Simotek)                            http://simotek.net

Emergency Update Team                           keybase.io/simotek
SUSE Linux                           Adelaide Australia, UTC+10:30
GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://www.sudo.ws/pipermail/sudo-workers/attachments/20211213/994ea7dd/attachment.bin>

More information about the sudo-workers mailing list