<div><br /> <div class="moz-cite-prefix">On 09/15/2015 01:37 PM, Jakub Hrozek wrote:</div> <blockquote cite="mid:20150915113748.GL2884@hendrix" type="cite"> <div>On Tue, Sep 15, 2015 at 01:58:07PM +0300, Alexander Bokovoy wrote:</div> <blockquote type="cite"> <div>On Tue, 15 Sep 2015, Molnár Domokos wrote:</div> <blockquote type="cite"> <blockquote type="cite"> <div>#hostnamectl set-hostname nappali.silva on modern systems.</div> <blockquote type="cite"> <div>doma@nappali:/home/doma> hostname --fqdn nappali.szilva</div> </blockquote> </blockquote> <div>doma@nappali:/home/doma> su Password: nappali:/home/doma # hostnamectl set-hostname nappali.szilva nappali:/home/doma # hostname nappali.szilva nappali:/home/doma # hostname --fqdn nappali.szilvanappali:/home/doma # su doma sh-4.2$ sudo ls doma's password: 20140921.ZIP Oracle_VM_VirtualBox_Extension_Pack-4.3.26-98988.vbox-extpack 42646515_eb8d7dcabe416247463f1bc8652adced.pdf Now it works, the rule is matched.I'm not sure this is the intended way especially seeing the fqdn mechanism in the sudo code but I'll just keep it that way.Thank you.</div> </blockquote> <div>sudo doesn't do normalization and IPA's way of exposing host names is by using by default fqdn. So sudo compares local hostname with fqdn-based one, guess which way it will succeed? You theoretically could have every hostname in IPA registered non-fqdn but what you cannot have is a mix between fqdn- and non-fqdn names.</div> </blockquote> <div>You can have registered a different hostname with IPA than what hostname(1) reports, we have an ipa_hostname parameter for that. But there's no way for sudo to learn about it..</div> </blockquote> You may well be right but I still think this is a bug in sudo/sssd plugin. Here's why I think so:<br /> <br /> @line 582 in sssd.c when calling hostname_matches it is a clear intention of the code that the hostname matching is done both against the fqdn and the naked hostname.<br /> <br /> @lines 773-790 the implementation of hostname_matches(..) is done correctly. It guesses intelligently and chooses to match either against the fqdn or the naked hostname based on the format of the hostname provided by IPA. If there is a '.' in the IPA provided hostname name then the hostname compared to the fqdn otherwise it is compared to the bare hostname.<br /> <br /> @line 805 in sudoers.c in set_fqdn the fqdn is correctly retrieved for the host during initialization - so sudo is indeed aware of both host name versions. I tested this part it it works OK.<br /> <br /> The bug - I think - is that the information correctly retrieved during init through set_fqdn in sudoers.c somehow does not make its way to line 582 in sssd.c. There both user_shost and user_host seem to contain the naked hostname unless the bare hostaname contains the fqdn itself.<br /> <br /> I do not have enough time to find out why this happens but the above evidence suggests that there is a bug somewhere in the process.<br /> </div>