[Freeipa-users] sudo !requiretty !authenticate
Rob Crittenden
rcritten at redhat.com
Thu Jan 8 19:05:54 UTC 2015
Craig White wrote:
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, January 08, 2015 9:33 AM
> To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
>> Sent: Thursday, January 08, 2015 5:30 AM
>> To: Pavel Březina; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>>> On 01/07/2015 06:32 PM, Craig White wrote:
>>>> Still struggling with this...
>>>>
>>>> $ sudo /sbin/service pe-puppet restart
>>>> [sudo] password for rundeck:
>>>> Stopping puppet: [ OK ]
>>>> Starting puppet: [ OK ]
>>>>
>>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>>
>>>> $ sudo -l
>>>> Matching Defaults entries for rundeck on this host:
>>>> requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>> DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>> PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>> LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>> LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>> LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>> secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User rundeck may run the following commands on this host:
>>>> (root) ALL
>>>> (ALL) NOPASSWD: ALL
>>>
>>> Hi,
>>> thank you, I was just going to ask you for sudo -l. I believe that
>>> the problem is that (root) ALL rule takes precedence. Or to be more
>>> precise, the first rule that matches is always applied, unless
>>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
>>
>> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
>>
>> ----
>> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
>>
>> $ rpm -q ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> $ cat sudoOrder.ldif
>> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f
>> sudoOrder.ldif Enter LDAP Password:
>> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
>> ldap_modify: No such object (32)
>> additional info: Range Check error
>>
>> bummer :-(
>
> You have a typo, suoders instead of sudoers.
>
> You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it.
> ----
> Thanks for catching my typo - my bad.
>
> This is interesting. First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.
>
> $ sudo -l
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
> #1) Respect the privacy of others.
> #2) Think before you type.
> #3) With great power comes great responsibility.
>
> [sudo] password for rundeck:
> Matching Defaults entries for rundeck on this host:
> !requiretty
>
> User rundeck may run the following commands on this host:
> (root) ALL
> (ALL) NOPASSWD: ALL
>
> So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.
> $ ipa sudorule-show rundeck
> Rule name: rundeck
> Enabled: TRUE
> Host category: all
> Command category: all
> RunAs User category: all
> RunAs Group category: all
> Users: rundeck
> Sudo Option: !authenticate
>
> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...
What groups is rundeck a member of?
rob
>
> $ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=sudoers,dc=stt,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # sudoers, stt.local
> dn: ou=sudoers,dc=stt,dc=local
> objectClass: extensibleObject
> ou: sudoers
>
> # defaults, sudoers, stt.local
> dn: cn=defaults,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoOption: !requiretty
> cn: defaults
>
> # rundeck, sudoers, stt.local
> dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: rundeck
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: rundeck
>
> # puppet, sudoers, stt.local
> dn: cn=puppet,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %puppet
> sudoHost: +puppet
> sudoCommand: ALL
> cn: puppet
>
> # sysengineers, sudoers, stt.local
> dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysengineer
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysengineers
>
> # sysadmins, sudoers, stt.local
> dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysadmins
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
>
More information about the Freeipa-users
mailing list