[Freeipa-users] IPA and SSSD sudo

Troels Hansen th at casalogic.dk
Wed Feb 15 13:44:18 UTC 2017 

The same rule works as expected if defined in the local sudoers file.

I think the problem is that secure_path in "Options" from IPA isn't taken into account.

As described, if I add the path to the one i local sudoers the sudo command from IPA works.


----- On Feb 15, 2017, at 2:38 PM, Jakub Hrozek jhrozek at redhat.com wrote:

> On Wed, Feb 15, 2017 at 11:04:47AM +0100, Troels Hansen wrote:
>> Hi there
>> 
>> We have a strange problem.......
>> 
>> We're trying to override options in sudo rules from IPA, in this case
>> secure_path:
>> 
>> sudo -ll reports:
>> 
>> RunAsUsers: root
>> Options: requiretty, lecture=always, timestamp_timeout=0, !authenticate,
>> secure_path=/bin:/usr/bin:/usr/local/bin
>> Commands:
>> stopinst
>> /usr/local/bin/stopinst
>> /usr/local/bin/startinst
>> /bin/mount /rman
>> /usr/bin/su - root
>> 
>> /usr/local/bin is also in my local path:
>> 
>> $ echo $PATH
>> /usr/local/bin:/usr/bin:/usr/local/sbin..........
>> 
>> For easyness, stopinst is currently quite simple:
>> 
>> $ cat /usr/local/bin/stopinst
>> #!/bin/bash
>> echo stopinst
>> echo "Path: $PATH"
>> 
>> I can execute the script a normal user, using full path or just the command:
>> $ stopinst
>> stopinst
>> Path:
>> /usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/home/net.dr.dk/drextrha/.local/bin:/home/net.dr.dk/drextrha/bin
>> 
>> However, trying to execute the script using sudo fails:
>> $ sudo stopinst
>> [sudo] password for drextrha:
>> sudo: stopinst: command not found
>> 
>> Unless using full path:
>> $ sudo /usr/local/bin/stopinst
>> stopinst
>> Path: /bin:/usr/bin:/usr/local/bin
>> 
>> Secure path in sudoers is:
>> # grep secure_path /etc/sudoers
>> Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
>> 
>> If I change the secure_path in local sudoers to include /usr/local/bin:
>> # grep secure_path /etc/sudoers
>> Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
>> 
>> I can execute the command using sudo:
>> 
>> $ sudo stopinst
>> stopinst
>> Path: /bin:/usr/bin:/usr/local/bin
>> 
>> Soooo...... something gets overwritten somewhere that shouldn't???
> 
> We shouldn't rewrite anything on the SSSD side. In general, when it
> comes to delivering SUDO rules, SSSD should more or less just act as a
> proxy.
> 
> Did you try to define a similar rule locally in /etc/sudoers to see if
> the same issue happens with a local rule? That should at least confirm
> or deny that the issue might be in SSSD.
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

-- 
Med venlig hilsen 

Troels Hansen 

Systemkonsulent 

Casalogic A/S 


T (+45) 70 20 10 63 

M (+45) 22 43 71 57 

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere.

More information about the Freeipa-users mailing list