Gentoo Archives: gentoo-user

From: Giampiero Gabbiani <Giampiero@××××××××.org>
To: gentoo-user@l.g.o
Subject: [gentoo-user] sudo -l strange behaviour when used via LDAP
Date: Sun, 22 Aug 2010 20:26:06
Message-Id: 201008222226.03967.Giampiero@gabbiani.org
Hi all,
I configured sudo in order to use LDAP and set the corresponding defaults in
the DIT to ignore_local_sudoers.
After populating the DIT with the rules, sudo works perfectly but I have a
problem with the list option of sudo (-l).

It seems like sudo -l for NORMAL users (i.e. not root) doesn't print the
corresponding matched rule when this comes from LDAP. More exactly it matches
the rule (and actually the user can perform the commands he is enabled to do)
BUT they are not shown with the list option.

After setting sudoers_debug to 2 in /etc/ldap.conf.sudo I obtain the
following:

giampa@athena ~ $ sudo -l
LDAP Config Summary
===================
host vesta.homenet.telecomitalia.it
port -1
ldap_version 3
sudoers_base ou=sudoers,dc=gabbiani,dc=org
binddn (anonymous)
bindpw (anonymous)
ssl (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for giampa:


sudo: ldap search '(|(sudoUser=giampa)(sudoUser=%giampa)(sudoUser=%wheel)
(sudoUser=%floppy)(sudoUser=%audio)(sudoUser=%cdrom)(sudoUser=%video)
(sudoUser=%usb)(sudoUser=%portage)(sudoUser=%plugdev)(sudoUser=%netusers)
(sudoUser=%cvsadmin)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'

The root user instead correctly prints the list information:

athena ~ # sudo -l
LDAP Config Summary
===================
host vesta.homenet.telecomitalia.it
port -1
ldap_version 3
sudoers_base ou=sudoers,dc=gabbiani,dc=org
binddn (anonymous)
bindpw (anonymous)
ssl (no)
===================
sudo: ldap_create()
sudo: ldap_set_option(LDAP_OPT_HOST_NAME, vesta.homenet.telecomitalia.it)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=gabbiani,dc=org
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(52)=0x02
Runas and Command-specific defaults for root:


sudo: ldap search '(|(sudoUser=root)(sudoUser=%root)(sudoUser=%bin)
(sudoUser=%daemon)(sudoUser=%sys)(sudoUser=%adm)(sudoUser=%disk)
(sudoUser=%wheel)(sudoUser=%floppy)(sudoUser=%dialout)(sudoUser=%tape)
(sudoUser=%video)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
User root may run the following commands on this host:
(ALL) ALL
(ALL) NOPASSWD: ALL

The expected behaviour for a NORMAL user is instead (this comes from another
machine running Mandriva 2010.1):

giampa@vesta ~ $ sudo -l
Runas and Command-specific defaults for giampa:
ignore_local_sudoers

User giampa may run the following commands on this host:
(ALL) NOPASSWD: ALL

Is it a bug? Has anyone experienced the same? Is there anything that I
need to set in Gentoo in order to let a normal user correctly display the
sudoers commands when they come from LDAP?

Many thanks in advance
Giampiero
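As an added diagnostic example (not part of Giampiero's post and not sudo's own code): a small Python parser for the sudoers_debug=2 trace that `sudo -l` prints when sudoers lives in LDAP. It splits the trace into the config summary, the sudoOption values, the role search filters (rejoining the filter that sudo wraps over several lines), the sudoHost matches on role entries, and the lines listed under the defaults and commands headers, so two runs can be compared field by field. The two embedded traces are constructed, trimmed copies of the normal-user outputs quoted above; the field names, `diagnose()` verdict strings and the assumption that a blank line ends a listing block are this example's own.

```python
"""Parse the sudoers_debug=2 trace `sudo -l` prints when sudoers lives in LDAP (added example)."""
import re
from dataclasses import dataclass, field

SEARCH_RE = re.compile(r"^sudo: ldap search '(.*)$")
OPTION_RE = re.compile(r"^sudo: ldap sudoOption: '([^']*)'$")
HOST_RE = re.compile(r"^sudo: ldap sudoHost '[^']*' \.\.\. MATCH!$")
COMMANDS_RE = re.compile(r"^User \S+ may run the following commands on this host:$")
DEFAULTS_PREFIX = "Runas and Command-specific defaults for "
SUDOUSER_RE = re.compile(r"\(sudoUser=([^)]*)\)")

@dataclass
class Trace:
    config: dict = field(default_factory=dict)    # "LDAP Config Summary" block
    options: list = field(default_factory=list)   # every sudoOption sudo reported
    searches: list = field(default_factory=list)  # LDAP filters issued, wrapped lines rejoined
    role_host_matches: int = 0                    # sudoHost matches after the role search
    defaults: list = field(default_factory=list)  # "Runas and Command-specific defaults" lines
    commands: list = field(default_factory=list)  # "User X may run the following commands" lines

def parse_trace(text):
    tr = Trace()
    section = None    # "config", "defaults", "commands" or None
    separators = 0    # the config block is framed by two "=====" lines
    pending = None    # a search filter that sudo wrapped onto further lines
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m or pending is not None:
            pending = (pending or "") + (m.group(1) if m else line)
            if pending.endswith("'"):  # the closing quote ends the filter
                tr.searches.append(pending[:-1])
                pending = None
        elif line == "LDAP Config Summary":
            section = "config"
        elif section == "config":
            if line.startswith("==="):
                separators += 1
                if separators == 2:
                    section = None
            else:
                key, _, value = line.partition(" ")
                tr.config[key] = value
        elif not line:  # assumption: a blank line ends a defaults/commands listing
            section = None
        elif m := OPTION_RE.match(line):
            tr.options.append(m.group(1))
        elif HOST_RE.match(line):
            if tr.searches:  # cn=defaults matches sudoHost too; count role matches only
                tr.role_host_matches += 1
        elif line.startswith(DEFAULTS_PREFIX):
            section = "defaults"
        elif COMMANDS_RE.match(line):
            section = "commands"
        elif section == "defaults":
            tr.defaults.append(line)
        elif section == "commands":
            tr.commands.append(line)
    return tr

def searched_principals(tr):
    """User and %group names sudo asked the directory about (first role filter)."""
    return SUDOUSER_RE.findall(tr.searches[0]) if tr.searches else []

def diagnose(tr):
    """One-line verdict on what the trace says about the listing."""
    if tr.commands:
        return "ok: %d command rule(s) listed" % len(tr.commands)
    if tr.role_host_matches:
        return "role entry matched sudoHost but no commands were listed"
    if tr.searches:
        return "no role entry matched this user/host"
    return "no LDAP role lookup was performed"

# Constructed samples, trimmed from the two normal-user outputs quoted in the post.
GENTOO_NORMAL_USER = """\
giampa@athena ~ $ sudo -l
LDAP Config Summary
===================
host vesta.homenet.telecomitalia.it
sudoers_base ou=sudoers,dc=gabbiani,dc=org
===================
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoOption: '!authenticate'
Runas and Command-specific defaults for giampa:

sudo: ldap search '(|(sudoUser=giampa)(sudoUser=%giampa)(sudoUser=%wheel)
(sudoUser=%portage)(sudoUser=ALL))'
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap search 'sudoUser=+*'
"""
MANDRIVA_NORMAL_USER = """\
giampa@vesta ~ $ sudo -l
Runas and Command-specific defaults for giampa:
ignore_local_sudoers

User giampa may run the following commands on this host:
(ALL) NOPASSWD: ALL
"""
```

Run `diagnose(parse_trace(text))` on each captured trace: for the Gentoo trace it reports a role entry that matched sudoHost with no commands listed, which is exactly the discrepancy described in the post, while the Mandriva trace reports one listed command rule. Comparing `searched_principals()` across hosts also shows whether the `%group` terms sudo puts in the filter (i.e. the invoking user's local group membership) differ between the machines.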