[Freeipa-users] IPA and SSSD sudo

Troels Hansen th at casalogic.dk
Wed Feb 15 10:04:47 UTC 2017


Hi there 

We have a strange problem....... 

We're trying to override options in sudo rules from IPA, in this case secure_path: 

sudo -ll reports: 

RunAsUsers: root 
Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, secure_path=/bin:/usr/bin:/usr/local/bin 
Commands: 
stopinst 
/usr/local/bin/stopinst 
/usr/local/bin/startinst 
/bin/mount /rman 
/usr/bin/su - root 

/usr/local/bin is also in my local path: 

$ echo $PATH 
/usr/local/bin:/usr/bin:/usr/local/sbin.......... 

For ease, stopinst is currently quite simple: 

$ cat /usr/local/bin/stopinst 
#!/bin/bash 
echo stopinst 
echo "Path: $PATH" 

I can execute the script as a normal user, using the full path or just the command: 
$ stopinst 
stopinst 
Path: /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin 

However, trying to execute the script using sudo fails: 
$ sudo stopinst 
[sudo] password for drextrha: 
sudo: stopinst: command not found 

Unless using full path: 
$ sudo /usr/local/bin/stopinst 
stopinst 
Path: /bin:/usr/bin:/usr/local/bin 

Secure path in sudoers is: 
# grep secure_path /etc/sudoers 
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin 

If I change the secure_path in local sudoers to include /usr/local/bin: 
# grep secure_path /etc/sudoers 
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin 

I can execute the command using sudo: 

$ sudo stopinst 
stopinst 
Path: /bin:/usr/bin:/usr/local/bin 

Soooo...... something gets overwritten somewhere that shouldn't??? 