[Freeipa-users] (no subject)

Pavel Březina pbrezina at redhat.com
Thu Oct 8 15:26:38 UTC 2015


On 10/08/2015 04:26 PM, Karl Forner wrote:
> Hi,
>
>
>> you are prompted for password because (ALL) ALL rule is applied because of last-match rule.
>>
>> See: http://www.sudo.ws/man/1.8.13/sudoers.ldap.man.html sudoOrder.
>
> Ok. I updated the rules to use a sudoorder attribute of 100 for the
> /usr/bin/less sudo rule.
> Now, if I type in a terminal:
> %sudo -l
> Matching Defaults entries for karl on midgard:
>      env_reset, mail_badpass,
> secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
>
> User karl may run the following commands on xxxx:
>      (ALL) ALL
>      (root) NOPASSWD: /usr/bin/git status, /usr/local/bin/git status
>      (ALL) ALL
>      (ALL) NOPASSWD: /usr/bin/less
>
> so my less rule is the last one. So far so good.
>
> %sudo -l less
> /usr/bin/less
>
> but if I type in a new terminal:
> %sudo less .bashrc
> [sudo] password for karl:
>
> I am prompted to type in a password.
>
> So there seems to be a problem, right ?
>
> Regards,
> Karl
>

Hi,
we have a bug in sssd in versions prior to 1.13.1:
https://fedorahosted.org/sssd/ticket/2682

where the sudoOrder attribute is treated the other way around. Please try
inverting the order. What version of sssd do you use?
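
The effect of a reversed sudoOrder comparison on the rules from this thread, as an added example that is not part of the original messages and is not sudo or SSSD code. The rule names, the `decide` helper and the `inverted` flag are assumptions of this model; the documented rule it follows is that the matching entry with the highest sudoOrder wins.

```python
from dataclasses import dataclass

@dataclass
class SudoRole:
    name: str               # hypothetical rule name
    commands: list          # sudoCommand values
    order: int = 0          # sudoOrder; 0 is assumed when the attribute is absent
    nopasswd: bool = False  # shown as NOPASSWD in `sudo -l`

def matches(role, argv):
    """True if any sudoCommand of the role covers the command line argv."""
    for cmd in role.commands:
        if cmd == "ALL":
            return True
        path, *args = cmd.split()
        # A command listed without arguments allows any arguments.
        if path == argv[0] and (not args or args == argv[1:]):
            return True
    return False

def decide(roles, argv, inverted=False):
    """Return 'denied', 'password' or 'nopasswd' for argv.

    Documented rule: among matching entries the highest sudoOrder wins.
    inverted=True models the reversed treatment described in the reply
    (lowest wins). Equal values are broken by list position, which is an
    assumption of this model.
    """
    hits = [r for r in roles if matches(r, argv)]
    if not hits:
        return "denied"
    pick = min if inverted else max
    role = pick(hits, key=lambda r: r.order)
    return "nopasswd" if role.nopasswd else "password"

# Constructed from the `sudo -l` output quoted in the thread.
THREAD_RULES = [
    SudoRole("all", ["ALL"]),
    SudoRole("git", ["/usr/bin/git status", "/usr/local/bin/git status"], nopasswd=True),
    SudoRole("less", ["/usr/bin/less"], order=100, nopasswd=True),
]
# Same rules with the order inverted, as the reply suggests trying.
SWAPPED_RULES = [
    SudoRole("all", ["ALL"], order=100),
    SudoRole("git", ["/usr/bin/git status", "/usr/local/bin/git status"], nopasswd=True),
    SudoRole("less", ["/usr/bin/less"], nopasswd=True),
]
LESS = ["/usr/bin/less", ".bashrc"]
```

With `THREAD_RULES`, `decide(THREAD_RULES, LESS, inverted=True)` selects the (ALL) ALL rule, which corresponds to the password prompt reported above.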



