[Freeipa-users] sudo questions

Rob Crittenden rcritten at redhat.com
Tue Oct 9 14:08:48 UTC 2012


Sigbjorn Lie wrote:
>
>
>
> On Tue, October 9, 2012 01:13, Dmitri Pal wrote:
>> On 10/08/2012 06:04 PM, Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>
>>
>> Thank you for the report!
>>
>>
>>>
>>> I've been testing the sudo integration with IPA and I came across some
>>> questions:
>>>
>>>
>>> 1. When I disable or delete a sudo rule, it's not removed from the
>>> ou=sudoers until I restart the directory server. Am I doing something wrong?
>>> (389-ds-base-1.2.10.2-20.el6_3.x86_64, slapi-nis-0.40-1.el6.x86_64)
>>>
>>>
>>
>> This might be a bug in the compat plugin. The internal tree is reflected
>> into the standard sudo schema that is supposed to be kept in sync with the internal tree. However I
>> would be surprised if there is actually a bug.
>>
>
> I definitely still saw the rules in ou=sudoers even though I disabled or deleted the rules.
> However the cn=sudo tree was instantly updated.
>
> Could someone else test and see if they see the same behaviour?
>
>
>>> 2. Perhaps the documentation should mention creating a rule called
>>> "defaults" to put default options for all sudo rules in. Or even
>>> better having one created by default with a fresh IPA installation. It took me a few seconds to
>>> figure out where to put default options for all sudo rules.
>>
>> Can you please open an RFE in trac?
>> https://fedorahosted.org/freeipa
>>
>
> Ok.
>
>
>>
>>
>>>
>>> 3. sudo integration with SSSD does not work when anonymous LDAP
>>> authentication is disabled at the server. Enabling verbose logging in SSSD seems to suggest that
>>> it's attempting anonymous auth only. (sssd-1.8.4-14.fc17.x86_64)
>>>
>>
>> Which integration are you trying? The one that was tech preview in 1.8?
>> The one that makes SSSD cache sudo rules? It was significantly rewritten
>> in 1.9. Can you please try with 1.9?
>>
>
> This was F17. Are there F17 packages for 1.9 somewhere? Will 1.9 be in the next update of RHEL 6?
>
>>
>>>
>>> 4. Having spaces in sudo options (such as "env_keep = 'ENV_VAR'") make
>>> sudo display these options as errors when sudo debugging is enabled (sudoers_debug 1 in
>>> /etc/ldap.conf or /etc/sudo-ldap.conf):
>>> sudo: unknown defaults entry `env_keep '
>>>
>>
>> Yes. This is a known issue already filed as a ticket.
>>
>
> OK
>
>>
>>>
>>> 5. It would be great to have a set of sudo commands and a set of sudo
>>> command groups installed by default.
>>
>> Can you make a proposal about what groups you would like to see in an RFE?
>> https://fedorahosted.org/freeipa
>>
>
> Sure. I do believe in having only 1 sudoers source, either a file or ldap. So I believe the
> contents of the file /etc/sudoers distributed with the sudoers package is a good starting point.
>
>
>
>
>>
>>
>>>
>>> 6. Adding a sudo command having multiple commands listed (such as:
>>> "/sbin/route, /sbin/ifconfig, /bin/ping
>>> <https://lieipa01.ix.nixtra.com/ipa/ui/#/sbin/route,%20/sbin/ifconfig,%20/bin/ping,%20/sbin/dhclient,%20/usr/bin/net,%20/sbin/iptables,%20/usr/bin/%20rfcomm,%20/usr/bin/wvdial,%20/sbin/iwconfig,%20/sbin/mii-tool>")
>>> is allowed in IPA and does list it correctly as allowed commands when
>>> doing "sudo -l"; however, attempting to execute one of the commands in the list using sudo fails.
>>>
>>>
>>
>> Can you please try SSSD 1.9?
>
> Sure, but I'm not sure how that is going to matter as this is sudo returning an error. How is it
> expected to be different when the information is coming from a different source?
>
> I believe we have to do the LDAP way and not the SSSD way in production though as we have clients
> such as older RHEL and Solaris as well besides RHEL 6. So this should be fixed regardless of
> where the sudo source is coming from. And I believe we are not alone here in having a mixed
> environment... :)

Your command is allowing a user to pass the arguments /sbin/ifconfig, 
/bin/ping to /sbin/iparoute, (note the commas). A sudo command is a 
single invocation of a command.

rob
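As an added illustration of the point made in this reply (example code written for this page, not code from FreeIPA, sudo or the thread), here is a simplified Python model of how sudo-ldap matches one sudoCommand value: the value is split at the first whitespace into a command path and an exact argument string, so a comma-separated list stored in a single sudoCommand never matches a real invocation, while one sudoCommand per program does. Wildcards, ALL, negation and host/user matching are deliberately left out of the model.

```python
from typing import List, Optional, Tuple

def parse_sudo_command(value: str) -> Tuple[str, Optional[str]]:
    """Split a sudoCommand value the way sudo does: first token is the
    command path, everything after the first whitespace is the argument string."""
    parts = value.strip().split(None, 1)
    path = parts[0]
    args = parts[1].strip() if len(parts) > 1 else None
    return path, args

def command_matches(rule_value: str, req_path: str, req_args: List[str]) -> bool:
    """True when the requested command and its arguments are allowed by one
    sudoCommand value. A rule with no argument string allows any arguments
    (sudo's default); otherwise the joined argument string must match exactly."""
    path, args = parse_sudo_command(rule_value)
    if path != req_path:
        return False
    if args is None:
        return True
    return args == " ".join(req_args)

def allowed_by_rule(sudo_commands: List[str], req_path: str, req_args: List[str]) -> bool:
    """A sudo rule allows the request if any of its sudoCommand values matches."""
    return any(command_matches(v, req_path, req_args) for v in sudo_commands)

# Constructed sample rules (not taken from a live directory): the single entry
# carrying the comma-separated list, versus one sudoCommand per program.
ONE_ENTRY_RULE = ["/sbin/route, /sbin/ifconfig, /bin/ping"]
PER_COMMAND_RULE = ["/sbin/route", "/sbin/ifconfig", "/bin/ping"]

def demo() -> dict:
    """Evaluate a few requests against both rule shapes."""
    results = {}
    for name, rule in (("one_entry", ONE_ENTRY_RULE), ("per_command", PER_COMMAND_RULE)):
        results[name] = {
            "ifconfig": allowed_by_rule(rule, "/sbin/ifconfig", []),
            "route_with_args": allowed_by_rule(rule, "/sbin/route", ["-n"]),
            # the only thing the single entry matches is the comma-bearing path
            # "/sbin/route," called with the literal arguments "/sbin/ifconfig, /bin/ping"
            "odd_path": allowed_by_rule(rule, "/sbin/route,", ["/sbin/ifconfig,", "/bin/ping"]),
        }
    return results

if __name__ == "__main__":
    for rule_name, outcome in demo().items():
        print(rule_name, outcome)
```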
