[Freeipa-users] sudo !requiretty !authenticate

Rob Crittenden rcritten at redhat.com
Thu Jan 8 16:32:34 UTC 2015


Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Thursday, January 08, 2015 5:30 AM
> To: Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
> 
> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>> On 01/07/2015 06:32 PM, Craig White wrote:
>>> Still struggling with this...
>>>
>>> $ sudo /sbin/service pe-puppet restart
>>>   [sudo] password for rundeck:
>>> Stopping puppet:                                           [  OK  ]
>>> Starting puppet:                                           [  OK  ]
>>>
>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>
>>> $ sudo -l
>>> Matching Defaults entries for rundeck on this host:
>>>      requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>      DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>      PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>      LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>      LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>      LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>
>>> User rundeck may run the following commands on this host:
>>>      (root) ALL
>>>      (ALL) NOPASSWD: ALL
>>
>> Hi,
>> thank you, I was just going to ask you for sudo -l. I believe that the 
>> problem is that (root) ALL rule takes precedence. Or to be more 
>> precise, the first rule that matches is always applied, unless 
>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
> 
> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
> 
> ----
> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
> 
> $ rpm -q ipa-server
> ipa-server-3.0.0-42.el6.x86_64
> 
> $ cat sudoOrder.ldif
> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
> 
> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
> Enter LDAP Password:
> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
> ldap_modify: No such object (32)
>         additional info: Range Check error
> 
> bummer   :-(

You have a typo, suoders instead of sudoers.

You might also experiment with order in the sudoers entry in
/etc/nsswitch.conf, try sss files. Or if you don't intend on storing any
rules in files, perhaps drop it.

> $ ldapsearch -x -h `hostname` -D cn="directory manager" -W -b cn=plugins,cn=config '(cn=sudoers)'
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=plugins,cn=config> with scope subtree
> # filter: (cn=sudoers)
> # requesting: ALL
> #
> 
> # sudoers, Schema Compatibility, plugins, config
> dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
> schema-compat-entry-attribute: objectclass=sudoRole
> schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%{ex
>  ternalUser}")
> schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
>  ef_f(\"memberUser\",\"(objectclass=posixAccount)\",\"uid\")")
> schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%der
>  ef_rf(\"memberUser\",\"(&(objectclass=ipaUserGroup)(!(objectclass=posixGroup)
>  ))\",\"member\",\"(|(objectclass=ipaUserGroup)(objectclass=posixAccount))\",\
>  "uid\")")
> schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","%%%d
>  eref_f(\"memberUser\",\"(objectclass=posixGroup)\",\"cn\")")
> schema-compat-entry-attribute: sudoUser=%ifeq("userCategory","all","ALL","+%de
>  ref_f(\"memberUser\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
> schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%{ex
>  ternalHost}")
> schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
>  ef_f(\"memberHost\",\"(objectclass=ipaHost)\",\"fqdn\")")
> schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","%der
>  ef_rf(\"memberHost\",\"(&(objectclass=ipaHostGroup)(!(objectclass=mepOriginEn
>  try)))\",\"member\",\"(|(objectclass=ipaHostGroup)(objectclass=ipaHost))\",\"
>  fqdn\")")
> schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
>  ref_f(\"memberHost\",\"(&(objectclass=ipaHostGroup)(objectclass=mepOriginEntr
>  y))\",\"cn\")")
> schema-compat-entry-attribute: sudoHost=%ifeq("hostCategory","all","ALL","+%de
>  ref_f(\"memberHost\",\"(objectclass=ipaNisNetgroup)\",\"cn\")")
> schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
>  eref(\"memberAllowCmd\",\"sudoCmd\")")
> schema-compat-entry-attribute: sudoCommand=%ifeq("cmdCategory","all","ALL","%d
>  eref_r(\"memberAllowCmd\",\"member\",\"sudoCmd\")")
> schema-compat-entry-attribute: sudoCommand=!%deref("memberDenyCmd","sudoCmd")
> schema-compat-entry-attribute: sudoCommand=!%deref_r("memberDenyCmd","member",
>  "sudoCmd")
> schema-compat-entry-attribute: sudoRunAsUser=%{ipaSudoRunAsExtUser}
> schema-compat-entry-attribute: sudoRunAsUser=%deref("ipaSudoRunAs","uid")
> schema-compat-entry-attribute: sudoRunAsUser=%ifeq("ipaSudoRunAsUserCategory",
>  "all","ALL","%%%deref_f(\"ipaSudoRunAs\",\"(objectclass=posixGroup)\",\"cn\")
>  ")
> schema-compat-entry-attribute: sudoRunAsGroup=%{ipaSudoRunAsExtGroup}
> schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
> schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o
>  bjectclass=posixGroup)","cn")
> cn: sudoers
> objectClass: top
> objectClass: extensibleObject
> schema-compat-search-filter: (&(objectclass=ipaSudoRule)(!(compatVisible=FALSE
>  ))(!(ipaEnabledFlag=FALSE)))
> schema-compat-entry-rdn: %ifeq("ipaEnabledFlag", "FALSE", "DISABLED", "cn=%{cn
>  }")
> schema-compat-search-base: cn=sudorules, cn=sudo, dc=stt-internal,dc=local
> schema-compat-container-group: ou=SUDOers, dc=stt-internal,dc=local
> 
> # search result
> search: 2
> result: 0 Success
> 
> Any hope for me to make this happen on this version or did I just commit to having Puppet manage /etc/sudoers on all of the systems?
> 
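The "No such object (32)" above came from a misspelled RDN in the modify LDIF. As an added example (not part of the thread), this Python snippet unfolds the LDIF that ldapsearch prints, then checks that a proposed modify LDIF targets a DN that actually exists and that the value it adds is not already present; both LDIF excerpts are constructed from the output quoted above.

```python
# Constructed excerpt of the ldapsearch output quoted above (RFC 2849 folded LDIF).
EXISTING_LDIF = """\
# sudoers, Schema Compatibility, plugins, config
dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
schema-compat-entry-attribute: objectclass=sudoRole
schema-compat-entry-attribute: sudoOption=%{ipaSudoOpt}
schema-compat-entry-attribute: sudoRunAsGroup=%deref_f("ipaSudoRunAsGroup","(o
 bjectclass=posixGroup)","cn")
cn: sudoers
"""

# The modify LDIF from the thread, including the misspelled RDN (suoders).
MODIFY_LDIF = """\
dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
changetype: modify
add: schema-compat-entry-attribute
schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
"""

def parse_ldif(text):
    """Drop comments, join folded continuation lines, return (attr, value) pairs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    pairs = []
    for line in lines:
        attr, _, value = line.partition(":")  # split at the first colon only
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_modify(existing_ldif, modify_ldif):
    """Return (ok, message) for a modify LDIF against a directory dump."""
    existing = parse_ldif(existing_ldif)
    modify = parse_ldif(modify_ldif)
    known_dns = {normalize_dn(v) for a, v in existing if a == "dn"}
    target = next(v for a, v in modify if a == "dn")
    if normalize_dn(target) not in known_dns:
        return False, "target DN not found (ldapmodify would return 'No such object (32)'): " + target
    adds = [(a, v) for a, v in modify if a not in ("dn", "changetype", "add")]
    dup = [pair for pair in adds if pair in set(existing)]
    if dup:
        return False, "value already present: %r" % dup
    return True, "ok"
```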