[Freeipa-devel] Sudo Schema Bug

JR Aquino JR.Aquino at citrixonline.com
Thu Sep 30 14:08:52 UTC 2010


Todd was able to confirm this for me...

On Sep 29, 2010, at 9:06 PM, Dmitri Pal wrote:
I was aware of this writeup, however I did not read it as there is a
problem when there are multiple rules with negation. It actually nowhere
says how SUDO handles multiple rules if they are mutually exclusive.
Even in the current schema there is a problem when you have two rules
and they contradict each other; according to the RFC this is a valid
situation and thus should be handled correctly by SUDO. Do not take me
wrong, I am willing to adjust the schema, but if the SUDO utility can't
handle contradicting rules even with the existing schema this is a very
serious bug that we either should fix in SUDO or have a workaround for. If
you are right above that it does not look at other rules before making a
decision and makes it just based on one rule, we can add the attribute(s) as
you or I suggested, but this generally limits the flexibility of the
solution.

Does anyone have experience with this behavior and can confirm the
limitation?

Thanks
Dmitri

On Sep 30, 2010, at 6:28 AM, Todd C. Miller wrote:

In message <2EF9F6D2-2A9F-4466-A205-907ACFA520C9 at citrixonline.com>
so spake JR Aquino (JR.Aquino):

Todd, if you have a moment, could you weigh in on this?

We are trying to clarify as to whether Sudo is a first match and stop, or if
it will search the whole directory for rules that match and then make a
calculated decision.

When using /etc/sudoers, sudo will use the last match.

When using LDAP, sudo will stop on the first matching entry, though
it will prefer a negative match within that entry.  It would probably
be better to evaluate all returned entries instead of stopping at
the first match.

I've considered adding a weight or ordering attribute to the entries
to make it possible to emulate the last match behavior but I'm not
sure that is worth doing.  A future version of sudo may choose the
most exact match instead, which seems safer.

- todd
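As an added illustration of the two evaluation orders Todd describes (this is a simplified model written for this thread, not code from sudo or FreeIPA), the script below assumes rules reduced to one user, one host and a list of command values, with "ALL" as the only wildcard and exact path matching otherwise. It shows how the same pair of contradicting rules is decided differently under the sudoers last-match model and the LDAP first-entry model where a negated match wins within the entry:

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    """Simplified sudo rule (a sudoers line or an LDAP sudoRole entry): one user,
    one host, ordered command values; a value starting with '!' is negated."""
    user: str
    host: str
    commands: List[str]

def _command_matches(pattern: str, command: str) -> bool:
    # Assumed simplification: 'ALL' matches anything, otherwise exact path match.
    return pattern == "ALL" or pattern == command

def _matching_negations(rule: Rule, user: str, host: str, command: str) -> List[bool]:
    """For every command value in the rule that matches, return whether it was
    negated (True = '!cmd'), in rule order. Empty if the rule does not apply."""
    if rule.user != user or rule.host != host:
        return []
    return [v.startswith("!") for v in rule.commands
            if _command_matches(v.lstrip("!"), command)]

def sudoers_decision(rules: List[Rule], user: str, host: str, command: str) -> Optional[bool]:
    """/etc/sudoers model from the thread: the last matching value wins.
    Returns True (allow), False (deny) or None (no rule matched)."""
    verdict = None
    for rule in rules:
        for negated in _matching_negations(rule, user, host, command):
            verdict = not negated
    return verdict

def ldap_decision(entries: List[Rule], user: str, host: str, command: str) -> Optional[bool]:
    """LDAP model from the thread: stop at the first entry that matches, but
    within that entry a negated match beats a positive one."""
    for entry in entries:
        negations = _matching_negations(entry, user, host, command)
        if negations:
            return not any(negations)
    return None

# Constructed example: two entries that contradict each other for the same user/host.
ALLOW_CAT = Rule("alice", "host1", ["/bin/cat"])
DENY_CAT = Rule("alice", "host1", ["!/bin/cat"])

def compare(rules: List[Rule], user="alice", host="host1", command="/bin/cat"):
    """Return (sudoers verdict, LDAP verdict) for one ordered rule set."""
    return (sudoers_decision(rules, user, host, command),
            ldap_decision(rules, user, host, command))
```

With `compare([ALLOW_CAT, DENY_CAT])` the sudoers model denies and the LDAP model allows, and reversing the order flips both verdicts, which is exactly the ordering dependence the thread is worried about.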
