[Freeipa-users] Sudo rule processing order

Fred van Zwieten fvzwieten at vxcompany.com
Mon Jan 13 13:41:57 UTC 2014


Martin,

Sorry for the late reply.

Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA.
This is part of a production environment consisting solely of supported
RHEL 6.4 servers. I can snapshot the IPA servers (they are VMs) to be able
to roll back in case of trouble, but I am not sure such a change is
"supported".

Fred


On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek <mkosek at redhat.com> wrote:

> Ah, I think I found the root cause. Our sudoers compat tree configuration
> left out the sudoOrder attribute. The order was thus missing in LDAP
> sudoers and thus ineffective. I filed an upstream ticket to fix it:
> https://fedorahosted.org/freeipa/ticket/4107
>
> However, to hotfix it in your environment, could you try manually fixing
> the configuration on your FreeIPA server?
>
> $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>
>
> This should do the trick.
>
> Martin
>
> On 01/10/2014 05:17 PM, Martin Kosek wrote:
> > On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
> >> Yes, you would expect that to help, wouldn't you :-)
> >
> > Yes, I would :-)
> >
> >>
> >> Didn't even know this existed. Thanks for that.
> >>
> >> User has 3 sudo rules. I have set the allow_all rule to 1, the second
> >> rule to 2 and the cobbler (with the "!authenticate" option) rule to 99:
> >
> > What is the version of the SUDO on your system? According to
> > http://www.sudo.ws/sudoers.ldap.man.html
> > it was implemented in SUDO 1.7.5.
> >
> > Martin
> >
> >>
> >> User ******** may run the following commands on this host:
> >>     (root) ALL
> >>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>         /usr/bin/less, !/bin/su
> >>     (root) NOPASSWD: /usr/bin/cobbler
> >>     (root) !/bin/su
> >>
> >> Nope. Didn't help.
> >>
> >> Fred
> >>
> >> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <mkosek at redhat.com> wrote:
> >>
> >>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
> >>>> Hi,
> >>>>
> >>>> I have a sudo rule in IPA that has the !authenticate option added to
> >>>> enable admins to execute certain programs as root without authentication.
> >>>>
> >>>> It doesn't work. There is another rule for the admins that allows all
> >>>> commands as long as they give their password.
> >>>>
> >>>> In a sudoers file, you can solve this by specifying the nopasswd rule
> >>>> as last.
> >>>>
> >>>> sudo -l from an IPA-client gives me this:
> >>>>
> >>>> *******@svr001 ~]$ sudo -l
> >>>> Matching Defaults entries for ******* on this host:
> >>>>     requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
> >>>>     DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
> >>>>     PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
> >>>>     LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
> >>>>     LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
> >>>>     LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
> >>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
> >>>>
> >>>> User ******** may run the following commands on this host:
> >>>>     (root) NOPASSWD: ALL
> >>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
> >>>>         /usr/bin/less, !/bin/su
> >>>>     (root) NOPASSWD: /usr/bin/cobbler
> >>>>     (root) !/bin/su
> >>>>
> >>>> I want the cobbler command to run without password authentication. What
> >>>> am I doing wrong?
> >>>>
> >>>
> >>> Would setting SUDO rule order help?
> >>>
> >>> # ipa sudorule-mod -h
> >>> ...
> >>>   --order=INT           integer to order the Sudo rules
> >>> ...
> >>>
> >>> Martin
> >>>
> >>>
> >>
> >
>
>
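The sudoOrder behaviour Martin's hotfix restores, illustrated with an added Python simulation that is not part of this thread or of FreeIPA: it sorts sudoRole entries the way sudoers.ldap(5) documents (ascending sudoOrder, a missing attribute counting as 0, last matching entry wins) and shows why the "!authenticate" rule needs the highest order. The rule names and command lists are constructed from Fred's sudo -l output; the reversed return order in without_order() is an assumption standing in for whatever order the directory happens to return.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional


@dataclass
class SudoRole:
    """One sudoRole entry as the compat tree exposes it (simplified)."""
    cn: str
    sudoCommand: List[str]
    sudoOption: List[str] = field(default_factory=list)
    sudoOrder: Optional[int] = None  # None models the attribute being absent


def role_grants(role: SudoRole, command: str) -> bool:
    """Within one entry the last matching command spec decides, so a
    trailing '!/bin/su' revokes what an earlier 'ALL' granted."""
    granted = False
    for spec in role.sudoCommand:
        negated = spec.startswith("!")
        if spec.lstrip("!") in ("ALL", command):
            granted = not negated
    return granted


def password_required(roles: List[SudoRole], command: str) -> Optional[bool]:
    """Sort by sudoOrder (absent counts as 0, per sudoers.ldap(5)); the sort is
    stable, so ties keep the directory's return order, which is exactly what
    happens when the attribute is never emitted. The last matching entry
    decides whether '!authenticate' (NOPASSWD) applies. None means no match."""
    ordered = sorted(roles, key=lambda r: r.sudoOrder or 0)
    verdict = None
    for role in ordered:
        if role_grants(role, command):
            verdict = "!authenticate" not in role.sudoOption
    return verdict


# Constructed from the three rules in the thread, with the orders Fred set.
RULES = [
    SudoRole("allow_all", ["ALL"], sudoOrder=1),
    SudoRole("tools", ["/bin/cat", "/bin/egrep", "/bin/find", "/bin/grep",
                       "/bin/ls", "/bin/more", "/usr/bin/less", "!/bin/su"],
             sudoOrder=2),
    SudoRole("cobbler", ["/usr/bin/cobbler"], ["!authenticate"], sudoOrder=99),
]


def without_order(roles: List[SudoRole]) -> List[SudoRole]:
    """What the compat tree served before the fix: no sudoOrder at all, so the
    (assumed, here reversed) server return order becomes the processing order."""
    return [replace(r, sudoOrder=None) for r in reversed(roles)]


if __name__ == "__main__":
    print(password_required(RULES, "/usr/bin/cobbler"))                 # False
    print(password_required(without_order(RULES), "/usr/bin/cobbler"))  # True
```

Real sudo's command matching (globs, digests, Defaults, host and user netgroups) is far richer than this; the block only models the ordering rule that the missing attribute broke.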