[Freeipa-users] Sudo rule processing order

Martin Kosek mkosek at redhat.com
Mon Jan 13 15:18:15 UTC 2014


Ok, that's up to your preference.

The hotfix below worked for me in my test environment and is pretty low risk.
But of course, it is not "RHEL rubber stamped". Eventually, you can evaluate
the fix yourself in a test environment.

HTH,
Martin

On 01/13/2014 02:41 PM, Fred van Zwieten wrote:
> Martin,
> 
> Sorry for the late reply.
> 
> Thanks for spotting this. I suspect I cannot "just" change ldap in our IPA.
> This is part of a production environment consisting solely of supported
> RHEL 6.4 servers. I can snapshot the IPA servers (they are VMs) to be able
> to roll back in case of trouble, but I am not sure such a change is
> "supported".
> 
> Fred
> 
> 
> On Fri, Jan 10, 2014 at 5:28 PM, Martin Kosek <mkosek at redhat.com> wrote:
> 
>> Ah, I think I found the root cause. Our sudoers compat tree configuration
>> missed out the sudoOrder attribute. The order was thus missing in LDAP
>> sudoers and thus ineffective. I filed an upstream ticket to fix it:
>> https://fedorahosted.org/freeipa/ticket/4107
>>
>> However, to hotfix it in your environment, could you try manually fixing
>> the configuration on your FreeIPA server?
>>
>> $ ldapmodify -h `hostname` -D "cn=Directory Manager" -x -W
>> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>>
>> This should do the trick.
>>
>> Martin
>>
>> On 01/10/2014 05:17 PM, Martin Kosek wrote:
>>> On 01/10/2014 04:52 PM, Fred van Zwieten wrote:
>>>> Yes, you would expect that to help, wouldn't you :-)
>>>
>>> Yes, I would :-)
>>>
>>>>
>>>> Didn't even know this existed. Thanks for that.
>>>>
>>>> User has 3 sudo rules. I have set the allow_all rule to 1, the second
>>>> rule to 2 and the cobbler (with the "!authenticate" option) rule to 99:
>>>
>>> What is the version of the SUDO on your system? According to
>>> http://www.sudo.ws/sudoers.ldap.man.html
>>> it was implemented in SUDO 1.7.5.
>>>
>>> Martin
>>>
>>>>
>>>> User ******** may run the following commands on this host:
>>>>     (root) ALL
>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>>     /usr/bin/less, !/bin/su
>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>     (root) !/bin/su
>>>>
>>>> Nope. Didn't help.
>>>>
>>>> Fred
>>>>
>>>> On Fri, Jan 10, 2014 at 3:59 PM, Martin Kosek <mkosek at redhat.com> wrote:
>>>>
>>>>> On 01/10/2014 11:52 AM, Fred van Zwieten wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I have a sudo rule in IPA that has the !authenticate option added to
>>>>>> enable admins to execute certain programs as root without authentication.
>>>>>>
>>>>>> It doesn't work. There is another rule for the admins that allow all
>>>>>> commands as long as they give their password.
>>>>>>
>>>>>> In a sudoers file, you can solve this by specifying the nopasswd rule
>>>>>> as last.
>>>>>>
>>>>>> sudo -l from an IPA-client gives me this:
>>>>>>
>>>>>> *******@svr001 ~]$ sudo -l
>>>>>> Matching Defaults entries for ******* on this host:
>>>>>>     requiretty, !visiblepw, always_set_home, env_reset,
>>>>>>     env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS",
>>>>>>     env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
>>>>>>     env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
>>>>>>     env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
>>>>>>     env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>>>     secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>>>
>>>>>> User ******** may run the following commands on this host:
>>>>>>     (root) NOPASSWD: ALL
>>>>>>     (root) /bin/cat, /bin/egrep, /bin/find, /bin/grep, /bin/ls, /bin/more,
>>>>>>     /usr/bin/less, !/bin/su
>>>>>>     (root) NOPASSWD: /usr/bin/cobbler
>>>>>>     (root) !/bin/su
>>>>>>
>>>>>> I want the cobbler command to run without password authentication. What
>>>>>> am I doing wrong?
>>>>>>
>>>>>
>>>>> Would setting SUDO rule order help?
>>>>>
>>>>> # ipa sudorule-mod -h
>>>>> ...
>>>>>   --order=INT           integer to order the Sudo rules
>>>>> ...
>>>>>
>>>>> Martin
>>>>>
>>>>>
>>>>
>>>
>>
>>
> 
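The thread above comes down to one mechanism: sudo's LDAP backend sorts matching sudoRole entries by sudoOrder and lets the last (highest) match decide, the same "last match wins" rule that makes the NOPASSWD line position matter in a sudoers file. Because the compat tree omitted sudoOrder, every entry sorted as 0 and the outcome depended on the order the directory server happened to return them in. The following Python model is an added example, not code from the thread or from FreeIPA; the rule entries, group membership and host name are constructed, and the ordering semantics (missing sudoOrder treated as 0, highest sudoOrder wins) are taken from my reading of sudoers.ldap(5).

```python
"""Model of sudo's LDAP "last match wins" rule ordering (sudoers.ldap).

Added example, not code from the thread or from FreeIPA. It shows why the
sudoOrder attribute matters: without it, the result depends on the order
in which the LDAP server happens to return the sudoRole entries.
Assumption (sudoers.ldap(5)): a missing sudoOrder is treated as 0 and the
matching entry with the highest sudoOrder decides, mirroring the
"last match" behaviour of a sudoers file.
"""
import copy

# Constructed group membership for the example user.
GROUPS = {"fred": {"admins"}}

# Constructed sudoRole entries modelled on the three rules in the thread;
# attribute names follow the sudoers LDAP schema, the values are invented.
RULES = [
    {"cn": "allow_all", "sudoUser": ["%admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["ALL"], "sudoOption": [], "sudoOrder": 1},
    {"cn": "readonly_tools", "sudoUser": ["%admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["/bin/cat", "/bin/ls", "/usr/bin/less", "!/bin/su"],
     "sudoOption": [], "sudoOrder": 2},
    {"cn": "cobbler", "sudoUser": ["%admins"], "sudoHost": ["ALL"],
     "sudoCommand": ["/usr/bin/cobbler"], "sudoOption": ["!authenticate"],
     "sudoOrder": 99},
]


def user_matches(rule, user):
    """sudoUser values: ALL, a plain user name, or %group for a group."""
    for value in rule["sudoUser"]:
        if value == "ALL" or value == user:
            return True
        if value.startswith("%") and value[1:] in GROUPS.get(user, set()):
            return True
    return False


def host_matches(rule, host):
    """sudoHost values: ALL or an exact host name (patterns left out)."""
    return any(v == "ALL" or v == host for v in rule["sudoHost"])


def evaluate(rules, user, command, host="svr001"):
    """Return (decision, nopasswd); decision is "allow", "deny" or "nomatch".

    Entries are visited in ascending sudoOrder; sorted() is stable, so
    entries without sudoOrder keep the order the server returned them in.
    The last matching command entry wins, as in a sudoers file.
    """
    decision, nopasswd = "nomatch", False
    for rule in sorted(rules, key=lambda r: r.get("sudoOrder", 0)):
        if not (user_matches(rule, user) and host_matches(rule, host)):
            continue
        for pattern in rule["sudoCommand"]:
            negated = pattern.startswith("!")
            target = pattern[1:] if negated else pattern
            if target == "ALL" or target == command:
                if negated:
                    decision, nopasswd = "deny", False
                else:
                    decision = "allow"
                    nopasswd = "!authenticate" in rule["sudoOption"]
    return decision, nopasswd


def rules_missing_order(rules):
    """Names of entries that carry no sudoOrder: these all sort as 0."""
    return [r["cn"] for r in rules if "sudoOrder" not in r]


def without_order(rules):
    """Copy of the rules as a compat tree lacking sudoOrder would expose them."""
    stripped = copy.deepcopy(rules)
    for rule in stripped:
        rule.pop("sudoOrder", None)
    return stripped


if __name__ == "__main__":
    print("ordered:", evaluate(RULES, "fred", "/usr/bin/cobbler"))
    # Server returns allow_all last: its password requirement now wins.
    unordered = without_order(RULES)[::-1]
    print("missing sudoOrder:", rules_missing_order(unordered))
    print("unordered:", evaluate(unordered, "fred", "/usr/bin/cobbler"))
```

With sudoOrder present, /usr/bin/cobbler resolves to the order-99 rule and runs without a password, while /bin/su is denied by the negated entry in the order-2 rule. Strip sudoOrder and reverse the server's return order, and the allow_all entry is evaluated last, so the password requirement silently wins, which is exactly the symptom in the thread; `rules_missing_order` is the check to run over exported rules before trusting any ordering.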
