[Freeipa-users] (no subject)

Karl Forner karl.forner at gmail.com
Fri Oct 9 11:36:06 UTC 2015


Ok, that was it:
sssd Version: 1.12.5-1~trusty1

I inverted the sudoOrders:
sudo -l
Matching Defaults entries for karl on xxxx:
    env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User karl may run the following commands on xxxx:
    (ALL) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
    (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
/bin/chmod -R g[+-]* *
    (ALL) ALL
    (ALL) ALL


and I can use sudo less without password.

Thanks a lot.


On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrezina at redhat.com> wrote:
> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>
>> Hi,
>>
>>
>>> you are prompted for a password because the (ALL) ALL rule is applied because
>>> of the last-match rule.
>>> See:
>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>
>>
>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>> /usr/bin/less sudo rule.
>> Now, if I type in a terminal:
>> %sudo -l
>> Matching Defaults entries for karl on midgard:
>>      env_reset, mail_badpass,
>>
>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>
>> User karl may run the following commands on xxxx:
>>      (ALL) ALL
>>      (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>      (ALL) ALL
>>      (ALL) NOPASSWD: /usr/bin/less
>>
>> so my less rule is the last one. So far so good.
>>
>> %sudo -l less
>> /usr/bin/less
>>
>> but if I type in a new terminal:
>> %sudo less .bashrc
>> [sudo] password for karl:
>>
>> I am prompted to type in a password.
>>
>> So there seems to be a problem, right?
>>
>> Regards,
>> Karl
>>
>
> Hi,
> we have a bug in sssd in versions prior to 1.13.1:
> https://fedorahosted.org/sssd/ticket/2682
>
> where the sudoOrder attribute is treated the other way around. Please, try
> inverting the order. What version of sssd do you use?
>
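The rule selection discussed in this thread, as an added model written for this page (not code from sudo or sssd): sudo evaluates LDAP rules in ascending sudoOrder and the last matching rule wins, so the relative sudoOrder of the NOPASSWD less rule and the catch-all (ALL) ALL rule decides whether a password is asked for. The `inverted` flag reproduces the effect of the sssd bug described above; the rules and orders are constructed to mirror the thread.

```python
"""Model of sudoOrder / last-match evaluation for LDAP sudo rules.

Added illustration, not code from sudo or sssd. Command matching is
simplified to the command path (sudo also matches arguments).
"""
from dataclasses import dataclass
import fnmatch


@dataclass
class Rule:
    name: str
    order: int              # sudoOrder attribute (0 when the attribute is absent)
    commands: list          # sudoCommand values: "ALL" or a path/glob
    nopasswd: bool = False  # True when the rule carries sudoOption !authenticate


def matches(rule, cmd):
    return any(c == "ALL" or fnmatch.fnmatchcase(cmd, c) for c in rule.commands)


def effective_rule(rules, cmd, inverted=False):
    """Return the rule sudo applies for cmd, or None if nothing matches.

    Rules are walked in ascending sudoOrder and the LAST match wins.
    inverted=True walks them in descending order, which is what the
    pre-1.13.1 sssd bug effectively did.
    """
    ordered = sorted(rules, key=lambda r: r.order, reverse=inverted)
    winner = None
    for rule in ordered:
        if matches(rule, cmd):
            winner = rule
    return winner


def prompts_for_password(rules, cmd, inverted=False):
    """True when the selected rule lacks NOPASSWD (or no rule matches)."""
    rule = effective_rule(rules, cmd, inverted)
    return rule is None or not rule.nopasswd


# Constructed rules mirroring the thread: catch-all at the default order 0,
# the less rule given sudoOrder 100 so that it should win under last-match.
CATCH_ALL = Rule("all", order=0, commands=["ALL"])
LESS = Rule("less", order=100, commands=["/usr/bin/less"], nopasswd=True)
ORIGINAL = [CATCH_ALL, LESS]

# Workaround from the thread: invert the orders so the buggy client still
# evaluates the less rule last.
INVERTED_ORDERS = [Rule("all", 100, ["ALL"]),
                   Rule("less", 0, ["/usr/bin/less"], nopasswd=True)]
```

With a correct client the original orders already select the less rule; with the buggy ordering only the swapped orders do, which is why inverting them made `sudo less` stop prompting.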