[Freeipa-users] sudo questions

Sigbjorn Lie sigbjorn at nixtra.com
Tue Oct 9 14:15:02 UTC 2012


On 10/09/2012 04:08 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>>
>>
>>
>> On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
>>> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>>>
>>>> Hi,
>>>>
>>>
>>>
>>> Thank you for the report!
>>>
>>>
>>>>
>>>> I've been testing the sudo integration with IPA and I came across some
>>>> questions:
>>>>
>>>>
>>>> 1. When I disable or delete a sudo rule, it's not removed from the
>>>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>>>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>>>
>>>>
>>>
>>> This might be a bug in the compat plugin. The internal tree is reflected
>>> into the standard sudo schema that is supposed to be kept in sync with the
>>> internal tree. However I would be surprised if there is actually a bug.
>>>
>>
>> I definitely still saw the rules in ou=sudoers even though I disabled or
>> deleted the rules. However the cn=sudo tree was instantly updated.
>>
>> Could someone else test and see if they see the same behaviour?
>>
>>
>>>> 2. Perhaps the documentation should mention creating a rule called
>>>> "defaults" to put default options for all sudo rules in. Or even better,
>>>> having one created by default with a fresh IPA installation. It took me a
>>>> few seconds to figure out where to put default options for all sudo rules.
>>>
>>> Can you please open an RFE in trac?
>>> https://fedorahosted.org/freeipa
>>>
>>
>> Ok.
>>
>>
>>>
>>>
>>>>
>>>> 3. sudo integration with SSSD does not work when anonymous LDAP
>>>> authentication is disabled at the server. Enabling verbose logging in SSSD
>>>> seems to suggest that it's attempting anonymous auth only.
>>>> (sssd-1.8.4-14.fc17.x86_64)
>>>>
>>>
>>> Which integration are you trying? The one that was tech preview in 1.8?
>>> The one that makes SSSD cache sudo rules? It was significantly rewritten
>>> in 1.9. Can you please try with 1.9?
>>>
>>
>> This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in
>> the next update of RHEL 6?
>>
>>>
>>>>
>>>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") makes
>>>> sudo display these options as errors when sudo debugging is enabled
>>>> (sudoers_debug 1 in /etc/ldap.conf or /etc/sudo-ldap.conf):
>>>> sudo: unknown defaults entry `env_keep '
>>>>
>>>
>>> Yes. This is a known issue already filed as a ticket.
>>>
>>
>> OK
>>
>>>
>>>>
>>>> 5. It would be great to have a set of sudo commands and a set of sudo
>>>> command groups installed by default.
>>>
>>> Can you make a proposal about what groups you would like to see in an RFE?
>>> https://fedorahosted.org/freeipa
>>>
>>
>> Sure. I do believe in having only 1 sudoers source, either a file or ldap.
>> So I believe the contents of the file /etc/sudoers distributed with the
>> sudoers package is a good starting point.
>>
>>
>>
>>
>>>
>>>
>>>>
>>>> 6. Adding a sudo command having multiple commands listed (such as:
>>>> "/sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net,
>>>> /sbin/iptables, /usr/bin/ rfcomm, /usr/bin/wvdial, /sbin/iwconfig,
>>>> /sbin/mii-tool") is allowed in IPA and does list it correctly as allowed
>>>> commands when doing "sudo -l", however attempting to execute one of the
>>>> commands in the list using sudo fails.
>>>>
>>>>
>>>
>>> Can you please try SSSD 1.9?
>>
>> Sure, but I'm not sure how that is going to matter as this is sudo
>> returning an error. How is it expected to be different when the
>> information is coming from a different source?
>>
>> I believe we have to do the LDAP way and not the SSSD way in production
>> though, as we have clients such as older RHEL and Solaris as well besides
>> RHEL 6. So this should be fixed regardless of where the sudo source is
>> coming from. And I believe we are not alone here in having a mixed
>> environment... :)
>
> Your command is allowing a user to pass the arguments /sbin/ifconfig,
> /bin/ping to /sbin/iparoute (note the commas). A sudo command is a single
> invocation of a command.
>
> rob
>
I am well aware of that. :)

However that is an allowed syntax in file-based sudoers.

I believe there should be syntax checking in IPA when adding sudo commands
since it's not working with ldap-based sudoers.


Regards,
Siggi
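The point Rob makes in the exchange above (a sudoCommand value is one program plus its arguments, so a comma-separated list that file-based sudoers accepts becomes a single bogus command in LDAP) is easy to check for before an entry is created. The following is an added example, not code from this thread or from FreeIPA. It models how sudo's LDAP backend reads a sudoCommand value (the first whitespace-delimited token is the program, the remainder its arguments, a leading "!" negates), flags values written in list syntax, and proposes the fix as one `ipa sudocmd-add` per command. The sample values are constructed; the split logic and the emitted CLI lines are this example's own assumptions about how an admin would correct the entry.

```python
#!/usr/bin/env python3
"""Pre-flight check for sudo command values destined for LDAP.

Added example, not code from the thread or from FreeIPA. It models how
sudo's LDAP backend reads a sudoCommand value (first whitespace-delimited
token is the program, the rest are its arguments; a leading '!' negates)
and flags values written in file-sudoers list syntax, where commas
separate independent commands. Sample values are constructed, and the
`ipa sudocmd-add` lines emitted are a suggested fix, one command per entry.
"""
import shlex


def ldap_command_split(value):
    """Split one sudoCommand value as sudo's LDAP backend would.

    Returns (negated, program, args). A trailing comma on the first token
    stays attached to the program, so '/sbin/route,' is looked up on disk
    as a path that does not exist, which is why 'sudo -l' lists the entry
    but running the command fails.
    """
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].lstrip()
    program, _, args = value.partition(" ")
    return negated, program, args.strip()


def split_command_list(value):
    """Split file-sudoers list syntax ('/a, /b, /c') into its members."""
    return [member.strip() for member in value.split(",") if member.strip()]


def check_sudocmd(value):
    """Return (ok, message) for one candidate sudo command value.

    A value is rejected when it is really several commands: the program
    token ends with a comma, or every comma-separated member after the
    first is an absolute path. Commas inside genuine arguments
    ('/bin/echo a,b') are left alone.
    """
    _, program, args = ldap_command_split(value)
    members = split_command_list(value)
    if program.endswith(","):
        return False, ("program token %r ends with a comma; sudo would look for "
                       "that literal path and fail" % program)
    if len(members) > 1 and all(m.startswith("/") for m in members[1:]):
        return False, ("%d commands in one value; an LDAP sudoCommand holds "
                       "exactly one program plus its arguments" % len(members))
    return True, "single command: %s" % (program + (" " + args if args else ""))


def plan_sudocmd_add(value):
    """Turn a list-syntax value into one `ipa sudocmd-add` per command.

    Negation ('!') is dropped on purpose: in IPA it belongs to the rule
    (deny command), not to the command object. The caller attaches the
    resulting commands to a rule afterwards.
    """
    lines = []
    for member in split_command_list(value):
        if member.startswith("!"):
            member = member[1:].lstrip()
        lines.append("ipa sudocmd-add %s" % shlex.quote(member))
    return lines


if __name__ == "__main__":
    # Constructed values: the list from the thread plus two single commands.
    for sample in ("/sbin/route, /sbin/ifconfig, /bin/ping",
                   "/sbin/route -n",
                   "/bin/echo a,b"):
        ok, msg = check_sudocmd(sample)
        print("%-42s %s: %s" % (sample, "OK " if ok else "BAD", msg))
        if not ok:
            for line in plan_sudocmd_add(sample):
                print("    " + line)
```

The check is deliberately narrow: it only rejects a value when the comma sits where file-sudoers would put a list separator, so commands whose arguments legitimately contain commas still pass. Running it over existing sudoCommand values exported from the directory (for instance the output of an ldapsearch against ou=sudoers) would show every entry that `sudo -l` advertises but sudo can never execute.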



