[Freeipa-users] sudo !requiretty !authenticate

Craig White CWhite at skytouchtechnology.com
Thu Jan 8 18:54:47 UTC 2015 

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Thursday, January 08, 2015 9:33 AM
To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] sudo !requiretty !authenticate

Craig White wrote:
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
> Sent: Thursday, January 08, 2015 5:30 AM
> To: Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
> 
> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>> On 01/07/2015 06:32 PM, Craig White wrote:
>>> Still struggling with this...
>>>
>>> $ sudo /sbin/service pe-puppet restart
>>>   [sudo] password for rundeck:
>>> Stopping puppet:                                           [  OK  ]
>>> Starting puppet:                                           [  OK  ]
>>>
>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>
>>> $ sudo -l
>>> Matching Defaults entries for rundeck on this host:
>>>      requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>      DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>      PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>      LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>      LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>      LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>      secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>
>>> User rundeck may run the following commands on this host:
>>>      (root) ALL
>>>      (ALL) NOPASSWD: ALL
>>
>> Hi,
>> thank you, I was just going to ask you for sudo -l. I believe that 
>> the problem is that (root) ALL rule takes precedence. Or to be more 
>> precise, the first rule that matches is always applied, unless 
>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
> 
> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
> 
> ----
> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
> 
> $ rpm -q ipa-server
> ipa-server-3.0.0-42.el6.x86_64
> 
> $ cat sudoOrder.ldif
> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
> changetype: modify
> add: schema-compat-entry-attribute
> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
> 
> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f 
> sudoOrder.ldif Enter LDAP Password:
> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
> ldap_modify: No such object (32)
>         additional info: Range Check error
> 
> bummer   :-(

You have a typo, suoders instead of sudoers.

You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it.
----
Thanks for catching my typo - my bad.

This is interesting. First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.

$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for rundeck:
Matching Defaults entries for rundeck on this host:
    !requiretty

User rundeck may run the following commands on this host:
    (root) ALL
    (ALL) NOPASSWD: ALL

So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.
$ ipa sudorule-show rundeck
  Rule name: rundeck
  Enabled: TRUE
  Host category: all
  Command category: all
  RunAs User category: all
  RunAs Group category: all
  Users: rundeck
  Sudo Option: !authenticate

That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...

$ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=sudoers,dc=stt,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# sudoers, stt.local
dn: ou=sudoers,dc=stt,dc=local
objectClass: extensibleObject
ou: sudoers

# defaults, sudoers, stt.local
dn: cn=defaults,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoOption: !requiretty
cn: defaults

# rundeck, sudoers, stt.local
dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate
cn: rundeck

# puppet, sudoers, stt.local
dn: cn=puppet,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %puppet
sudoHost: +puppet
sudoCommand: ALL
cn: puppet

# sysengineers, sudoers, stt.local
dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysengineer
sudoHost: ALL
sudoCommand: ALL
cn: sysengineers

# sysadmins, sudoers, stt.local
dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
objectClass: sudoRole
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
cn: sysadmins

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6

More information about the Freeipa-users mailing list