[Freeipa-users] IPA and SSSD sudo
Troels Hansen
th at casalogic.dk
Wed Feb 15 10:04:47 UTC 2017
Hi there
We have a strange problem.......
We're trying to override options in sudo rules from IPA, in this case secure_path:
sudo -ll reports:
    RunAsUsers: root
    Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate, secure_path=/bin:/usr/bin:/usr/local/bin
    Commands:
        stopinst
        /usr/local/bin/stopinst
        /usr/local/bin/startinst
        /bin/mount /rman
        /usr/bin/su - root
/usr/local/bin is also in my local path:
$ echo $PATH
/usr/local/bin:/usr/bin:/usr/local/sbin..........
For easiness, stopinst is currently quite simple:
$ cat /usr/local/bin/stopinst
#!/bin/bash
echo stopinst
echo "Path: $PATH"
I can execute the script as a normal user, using the full path or just the command:
$ stopinst
stopinst
Path: /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin
However, trying to execute the script using sudo fails:
$ sudo stopinst
[sudo] password for drextrha:
sudo: stopinst: command not found
Unless using the full path:
$ sudo /usr/local/bin/stopinst
stopinst
Path: /bin:/usr/bin:/usr/local/bin
Secure path in sudoers is:
# grep secure_path /etc/sudoers
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
If I change the secure_path in local sudoers to include /usr/local/bin:
# grep secure_path /etc/sudoers
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
I can execute the command using sudo:
$ sudo stopinst
stopinst
Path: /bin:/usr/bin:/usr/local/bin
Soooo...... something gets overwritten somewhere that shouldn't???