[Freeipa-users] (no subject)

Pavel Březina pbrezina at redhat.com
Fri Oct 9 11:38:22 UTC 2015


On 10/09/2015 01:36 PM, Karl Forner wrote:
> Ok, that was it:
> sssd Version: 1.12.5-1~trusty1
>
> I inverted the sudoOrders:
> sudo -l
> Matching Defaults entries for karl on xxxx:
>      env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User karl may run the following commands on xxxx:
>      (ALL) NOPASSWD: /usr/bin/less
>      (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>      (root) NOPASSWD: /bin/chgrp qbstaff *, /bin/chmod g[+-]* *,
> /bin/chmod -R g[+-]* *
>      (ALL) ALL
>      (ALL) ALL
>
>
> and I can use sudo less without password.
>
> Thanks a lot.

Thanks. Please keep in mind that we changed the default to the correct
order in sssd 1.13.1. Therefore, if you update sssd you will either have
to invert the order again or set sudo_inverse_order = true in [sudo] in
/etc/sssd/sssd.conf.

>
>
> On Thu, Oct 8, 2015 at 5:26 PM, Pavel Březina <pbrezina at redhat.com> wrote:
>> On 10/08/2015 04:26 PM, Karl Forner wrote:
>>>
>>> Hi,
>>>
>>>
>>>> you are prompted for password because (ALL) ALL rule is applied because
>>>> of last-match rule. See:
>>>> http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>>>
>>>
>>> Ok. I updated the rules to use a sudoorder attribute of 100 for the
>>> /usr/bin/less sudo rule.
>>> Now, if I type in a terminal:
>>> %sudo -l
>>> Matching Defaults entries for karl on midgard:
>>>       env_reset, mail_badpass,
>>>
>>> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>>>
>>> User karl may run the following commands on xxxx:
>>>       (ALL) ALL
>>>       (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>>>       (ALL) ALL
>>>       (ALL) NOPASSWD: /usr/bin/less
>>>
>>> so my less rule is the last one. So far so good.
>>>
>>> %sudo -l less
>>> /usr/bin/less
>>>
>>> but if I type in a new terminal:
>>> %sudo less .bashrc
>>> [sudo] password for karl:
>>>
>>> I am prompted to type in a password.
>>>
>>> So there seems to be a problem, right ?
>>>
>>> Regards,
>>> Karl
>>>
>>
>> Hi,
>> we have a bug in sssd in versions prior to 1.13.1:
>> https://fedorahosted.org/sssd/ticket/2682
>>
>> where the sudoOrder attribute is treated the other way around. Please try
>> inverting the order. What version of sssd do you use?
>>
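As an added illustration (not part of this thread or of sssd/sudo code), a small Python model of the sudoers.ldap ordering discussed above: rules are sorted by sudoOrder ascending (a missing attribute counts as 0) and the last matching rule wins, so the highest sudoOrder takes precedence; `inverted=True` simulates the pre-1.13.1 sssd behaviour from the ticket, where the order is applied the other way around, and also corresponds to what `sudo_inverse_order = true` re-enables after an upgrade. The rule set is constructed from the `sudo -l` output quoted above; only the value 100 on the less rule comes from Karl's message, the other sudoOrder values are assumptions.

```python
import fnmatch

# Constructed rule set modelled on the quoted `sudo -l` output. Only the
# sudoOrder of 100 on the less rule is from the thread; 10 is an assumption,
# and the (ALL) ALL rule has no sudoOrder, which sudoers treats as 0.
RULES = [
    {"cmd": "/usr/bin/less", "runas": "ALL", "nopasswd": True, "sudoOrder": 100},
    {"cmd": "ALL", "runas": "ALL", "nopasswd": False},
    {"cmd": "/usr/bin/git status", "runas": "root", "nopasswd": True, "sudoOrder": 10},
]


def rule_matches(rule, command):
    """Glob-match a 'path [args]' command string against one rule's Cmnd spec."""
    spec = rule["cmd"]
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    cmd_path, _, cmd_args = command.partition(" ")
    if not fnmatch.fnmatchcase(cmd_path, spec_path):
        return False
    # A Cmnd spec without arguments permits any arguments (sudoers semantics).
    return not spec_args or fnmatch.fnmatchcase(cmd_args, spec_args)


def evaluate(rules, command, inverted=False):
    """Return (matched_rule, needs_password) under last-match semantics.

    Correct behaviour: process rules by ascending sudoOrder, last match wins.
    inverted=True processes them in descending order, reproducing the
    sssd < 1.13.1 bug where the (ALL) ALL rule ends up matching last.
    """
    ordered = sorted(rules, key=lambda r: r.get("sudoOrder", 0), reverse=inverted)
    matched = None
    for rule in ordered:
        if rule_matches(rule, command):
            matched = rule
    if matched is None:
        return None, True
    return matched, not matched["nopasswd"]


if __name__ == "__main__":
    for cmd in ("/usr/bin/less .bashrc", "/usr/bin/git status", "/usr/bin/vim"):
        for inv in (False, True):
            rule, pw = evaluate(RULES, cmd, inverted=inv)
            print(f"{cmd!r:28} inverted={inv!s:5} -> {rule['cmd']!r}, password={pw}")
```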
