[Freeipa-users] sudo !requiretty !authenticate

Pavel Březina pbrezina at redhat.com
Thu Jan 8 19:15:47 UTC 2015


On 01/08/2015 07:54 PM, Craig White wrote:
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Thursday, January 08, 2015 9:33 AM
> To: Craig White; Martin Kosek; Pavel Březina; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>
> Craig White wrote:
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com
>> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Martin Kosek
>> Sent: Thursday, January 08, 2015 5:30 AM
>> To: Pavel Březina; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] sudo !requiretty !authenticate
>>
>> On 01/08/2015 10:45 AM, Pavel Březina wrote:
>>> On 01/07/2015 06:32 PM, Craig White wrote:
>>>> Still struggling with this...
>>>>
>>>> $ sudo /sbin/service pe-puppet restart
>>>>    [sudo] password for rundeck:
>>>> Stopping puppet:                                           [  OK  ]
>>>> Starting puppet:                                           [  OK  ]
>>>>
>>>> So it asks for the password even though, via FreeIPA it isn't required...
>>>>
>>>> $ sudo -l
>>>> Matching Defaults entries for rundeck on this host:
>>>>       requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
>>>>       DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
>>>>       PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
>>>>       LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
>>>>       LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
>>>>       LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
>>>>       secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
>>>>
>>>> User rundeck may run the following commands on this host:
>>>>       (root) ALL
>>>>       (ALL) NOPASSWD: ALL
>>>
>>> Hi,
>>> thank you, I was just going to ask you for sudo -l. I believe that
>>> the problem is that (root) ALL rule takes precedence. Or to be more
>>> precise, the first rule that matches is always applied, unless
>>> sudoOrder attribute is present (but that is not supported by IPA, is it?).
>>
>> JFTR, sudoOrder *is* supported in FreeIPA, since FreeIPA 3.3.4 (upstream ticket https://fedorahosted.org/freeipa/ticket/4107).
>>
>> ----
>> I see said the blind man. Obviously the root/ALL rule is part and parcel of RHEL distribution of sudo package.
>>
>> $ rpm -q ipa-server
>> ipa-server-3.0.0-42.el6.x86_64
>>
>> $ cat sudoOrder.ldif
>> dn: cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config
>> changetype: modify
>> add: schema-compat-entry-attribute
>> schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
>>
>> $ ldapmodify -x -h `hostname` -D "cn=Directory Manager" -W -f sudoOrder.ldif
>> Enter LDAP Password:
>> modifying entry "cn=suoders,cn=Schema Compatibility,cn=plugins,cn=config"
>> ldap_modify: No such object (32)
>>          additional info: Range Check error
>>
>> bummer   :-(
>
> You have a typo, suoders instead of sudoers.
>
> You might also experiment with order in the sudoers entry in /etc/nsswitch.conf, try sss files. Or if you don't intend on storing any rules in files, perhaps drop it.
> ----
> Thanks for catching my typo - my bad.
>
> This is interesting. First tried 'sss files' and then just 'sss' for sudoers in nsswitch.conf but no go.
>
> $ sudo -l
>
> We trust you have received the usual lecture from the local System
> Administrator. It usually boils down to these three things:
>
>      #1) Respect the privacy of others.
>      #2) Think before you type.
>      #3) With great power comes great responsibility.
>
> [sudo] password for rundeck:
> Matching Defaults entries for rundeck on this host:
>      !requiretty
>
> User rundeck may run the following commands on this host:
>      (root) ALL
>      (ALL) NOPASSWD: ALL
>
> So !authenticate doesn't show up even though I have had the rule in ipa for 2 days now.

Hi,
!authenticate does show up. It shows up as the word NOPASSWD in the rule list.

> $ ipa sudorule-show rundeck
>    Rule name: rundeck
>    Enabled: TRUE
>    Host category: all
>    Command category: all
>    RunAs User category: all
>    RunAs Group category: all
>    Users: rundeck
>    Sudo Option: !authenticate
>
> That '(root) ALL' rule doesn't come from /etc/sudoers as I thought because nsswitch.conf presently only uses sss for sudoers. I still don't see where it actually comes from though...


It may come from all of the rules below except rundeck. What groups is 
the user you are running sudo as a member of? If he is a member of one of 
the groups puppet, sysadmin or sysengineer, then the rules below containing 
sudoCommand: ALL and not containing sudoRunAsUser: ALL show up as 
(root) ALL.

>
> $ ldapsearch -x -h `hostname` -D "cn=Directory Manager" -W -b ou=sudoers,dc=stt,dc=local
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <ou=sudoers,dc=stt,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # sudoers, stt.local
> dn: ou=sudoers,dc=stt,dc=local
> objectClass: extensibleObject
> ou: sudoers
>
> # defaults, sudoers, stt.local
> dn: cn=defaults,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoOption: !requiretty
> cn: defaults
>
> # rundeck, sudoers, stt.local
> dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: rundeck
> sudoHost: ALL
> sudoCommand: ALL
> sudoRunAsUser: ALL
> sudoOption: !authenticate
> cn: rundeck
>
> # puppet, sudoers, stt.local
> dn: cn=puppet,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %puppet
> sudoHost: +puppet
> sudoCommand: ALL
> cn: puppet
>
> # sysengineers, sudoers, stt.local
> dn: cn=sysengineers,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysengineer
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysengineers
>
> # sysadmins, sudoers, stt.local
> dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
> objectClass: sudoRole
> sudoUser: %sysadmin
> sudoHost: ALL
> sudoCommand: ALL
> cn: sysadmins
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 7
> # numEntries: 6
>
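The first-match behaviour Pavel describes, and the group-derived "(root) ALL" rule, as an added example that is not part of the thread. It models sudo's LDAP rule evaluation in Python with these assumptions: rules are tried in the order the directory returns them and the first match wins, a sudoOrder value ranks higher values first, an entry without sudoRunAsUser means "run as root", and !authenticate means NOPASSWD; the LDIF is the thread's own listing trimmed to the two rules that matter.

```python
# Added example, not code from the thread: a small model of how sudo evaluates
# LDAP sudoRole entries, showing why "rundeck" is prompted for a password even
# though the rundeck rule carries !authenticate. Modelling assumptions: rules are
# tried in the order the directory returns them and the first match wins (as the
# thread states); a sudoOrder value, when present, ranks higher values first; an
# entry without sudoRunAsUser means "run as root"; !authenticate means NOPASSWD.
# The LDIF is the thread's own listing, trimmed to the two rules that matter.

LDIF = """\
dn: cn=rundeck,ou=sudoers,dc=stt,dc=local
sudoUser: rundeck
sudoHost: ALL
sudoCommand: ALL
sudoRunAsUser: ALL
sudoOption: !authenticate

dn: cn=sysadmins,ou=sudoers,dc=stt,dc=local
sudoUser: %sysadmin
sudoHost: ALL
sudoCommand: ALL
"""

def parse_ldif(text):
    """Split LDIF into one dict (attribute -> list of values) per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, value = line.split(": ", 1)
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def matches(rule, user, groups, runas_user="root"):
    """True if the rule covers this user (directly or via %group) and the RunAs target."""
    users_ok = any(u in ("ALL", user) or (u.startswith("%") and u[1:] in groups)
                   for u in rule.get("sudoUser", []))
    runas = rule.get("sudoRunAsUser", ["root"])  # missing attribute: root only
    # Host and command are not checked here: both rules in the thread use ALL.
    return users_ok and ("ALL" in runas or runas_user in runas)

def needs_password(rules, user, groups, runas_user="root"):
    """First-match evaluation: returns (dn of the winning rule, password required?)."""
    # Highest sudoOrder first; the sort is stable, so ties keep the returned order.
    ordered = sorted(rules, key=lambda r: -float(r.get("sudoOrder", ["0"])[0]))
    for rule in ordered:
        if matches(rule, user, groups, runas_user):
            return rule["dn"][0], "!authenticate" not in rule.get("sudoOption", [])
    return None, True
```

Running `needs_password` with the two rules in either order shows that a member of the sysadmin group is prompted whenever the group rule is returned first, and that giving the rundeck rule a sudoOrder removes that dependence on return order.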