[Freeipa-users] Sudo rule processing order

Fri Jan 10 16:28:54 UTC 2014

Ah, I think I found the root cause. Our sudoers compat tree configuration
missed out the sudoOrder attribute. The order was thus missing in LDAP sudoers
and thus ineffective. I filed an upstream ticket to fix it:
https://fedorahosted.org/freeipa/ticket/4107

However, to hotfix it in your environment, could you try manually fixing the
configuration on your FreeIPA server?

$ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}

This should do the trick.

Martin

On 01/10/2014 05:17 PM, Martin Kosek wrote:
> On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
>> Yes, you would expect that to help, wouldn't you :-)
> 
> Yes, I would :-)
> 
>>
>> Didn't even know this existed. Thanks for that.
>>
>> User has 3 sudo rules. I have set the allow_all rule to 1, the second rule
>> to 2 and the cobbler (with the "!authenticate" option) rule to 99:
> 
> What is the version of the SUDO on your system? According to
> http://www.sudo.ws/sudoers.ldap.man.html
> it was implemented in SUDO 1.7.5.
> 
> Martin
> 
>>
>> User ******** may run the following commands on this host:
>>     (root) ALL
>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>> /usr/bin/less, !/bin/su
>>     (root) NOPASSWD: /usr/bin/cobbler
>>     (root) !/bin/su
>>
>> Nope. Didn't help.
>>
>> Fred
>>
>> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>
>>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
>>>> Hi,
>>>>
>>>> I have a sudo rule in IPA that has the !authenticate option added to
>>> enable
>>>> admins to execute certain programs as root without authentication.
>>>>
>>>> It doesn't work. There is another rule for the admins that allow all
>>>> commands as long as they give their password.
>>>>
>>>> In a sudoers file, you can solve this by specifing the nopasswd rule as
>>>> last.
>>>>
>>>> sudo -l from an IPA-client gives me this:
>>>>
>>>> *******@svr001 ~]$ sudo -l
>>>> Matching Defaults entries for ******* on this host:
>>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL
>>> PS1
>>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User ******** may run the following commands on this host:
>>>>     (root) NOPASSWD: ALL
>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls,
>>> /bin/more,
>>>>     /usr/bin/less, !/bin/su
>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>     (root) !/bin/su
>>>>
>>>> I want the cobbler command to run without password authentication. What
>>> am
>>>> I doing wrong?
>>>>
>>>
>>> Would setting SUDO rule order help?
>>>
>>> # ipa sudorule-mod -h
>>> ...
>>>   --order=INT           integer to order the Sudo rules
>>> ...
>>>
>>> Martin
>>>
>>>
>>
> 