| Field | Value |
|---|---|
| Summary | sudo -U <user> listing shows incorrect list when sssd is used. |
| Product | Red Hat Enterprise Linux 6 |
| Component | sudo |
| Version | 6.4 |
| Hardware | All |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Target Milestone | rc |
| Target Release | --- |
| Fixed In Version | sudo-1.8.6p3-13.el6 |
| Doc Type | Bug Fix |
| Type | Bug |
| Reporter | Najmuddin Chirammal <nc> |
| Assignee | Daniel Kopeček <dkopecek> |
| QA Contact | David Spurek <dspurek> |
| CC | dspurek, ebenes, jhrozek, pbrezina, pvrabec, yjog |
| Bug Blocks | 1147557 (view as bug list) |
| Last Closed | 2014-10-14 06:45:55 UTC |
| Attachments | 897919 (proposed patch) |
Description of problem:

As root, if I try to list the rules allowed for a user, it returns an incorrect/incomplete list. Running `sudo -l` as a normal user returns correct results. For example:

As root:

```
# sudo -l -U luser1
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk
```

As normal user:

```
$ sudo -l
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk
    (ALL) /usr/bin/passwd
```

Version-Release number of selected component: sudo-1.8.6p3-8.el6.x86_64.rpm

How reproducible: Always

Steps to Reproduce:

1. Configure nsswitch to use sudo rules from SSSD.
2. Try to list the rules allowed using a netgroup membership.

Actual results: `sudo -U -l` tries to match the netgroup entry with the `root` username instead of the actual user, and the rules allowed via netgroup are missing.

Expected results: `sudo -U -l` lists all rules.

Additional info:

- The rules are listed properly if `ldap` is used instead of `sss`.

Sudo debug logs:

As root:

```
Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup ng1   <======
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:772 := false
```

As luser1:

```
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) found in netgroup ng1   <======
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) found in netgroup ng1
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := false
```

With `ldap` (working), as root:

```
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) found in netgroup ng1
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
```

---

Created attachment 897919 [details]
proposed patch

---

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1484.html
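The practical consequence of this bug is that an access review based on root's `sudo -l -U <user>` output under-reports what the user can actually run, because netgroup-based rules are evaluated against `root` rather than the listed user. The following Python script is an added example, not part of the bug report or of the sudo project: it parses two standard `sudo -l` listings (root's `-U` view and the user's own view) and reports rules present in one but not the other. The two listings embedded below are constructed from the output quoted in the description; only the `User ... may run the following commands ...` header and the `(runas) command` lines are parsed, and `Matching Defaults entries` lines are ignored.

```python
"""Compare root's `sudo -l -U <user>` listing with the user's own `sudo -l`.

Added example (not from the bug report or the sudo project). The two
listings below are constructed from the output quoted in the description.
"""
import re

# Constructed sample: what root saw with `sudo -l -U luser1` under sss.
ROOT_VIEW = """\
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk
"""

# Constructed sample: what luser1 saw with plain `sudo -l`.
USER_VIEW = """\
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk
    (ALL) /usr/bin/passwd
"""

# Header line printed by sudo 1.8 before the rule list.
HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on ")
# Rule line: "(runas) cmd1, cmd2 ..."; tags such as NOPASSWD: stay part of the command text.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+?)\s*$")


def parse_listing(text):
    """Return (user, {(runas, command), ...}) parsed from `sudo -l` output.

    Rule lines are only accepted after the header has been seen, so the
    'Matching Defaults entries' block that precedes it is skipped.
    """
    user = None
    rules = set()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            user = m.group("user")
            continue
        m = RULE_RE.match(line)
        if m and user is not None:
            runas = m.group("runas").strip()
            # sudo may print several commands of one rule on a single line.
            for cmd in m.group("cmds").split(","):
                cmd = cmd.strip()
                if cmd:
                    rules.add((runas, cmd))
    return user, rules


def compare_listings(root_view, user_view):
    """Diff the two views; a non-empty 'missing_from_root_view' is the symptom here."""
    root_user, root_rules = parse_listing(root_view)
    list_user, user_rules = parse_listing(user_view)
    if root_user != list_user:
        raise ValueError(f"listings are for different users: {root_user!r} vs {list_user!r}")
    return {
        "user": root_user,
        "missing_from_root_view": sorted(user_rules - root_rules),
        "extra_in_root_view": sorted(root_rules - user_rules),
    }


if __name__ == "__main__":
    report = compare_listings(ROOT_VIEW, USER_VIEW)
    print(f"user: {report['user']}")
    for runas, cmd in report["missing_from_root_view"]:
        print(f"  user can run but root's -U view omits: ({runas}) {cmd}")
    for runas, cmd in report["extra_in_root_view"]:
        print(f"  root's -U view lists but user cannot run: ({runas}) {cmd}")
```

To use it against a live system, capture `sudo -l -U <user>` as root and `sudo -l` as the user into two files and pass their contents to `compare_listings`; on an affected sudo build with `sudoers: files sss` in nsswitch, netgroup-granted rules show up under `missing_from_root_view`, which is the discrepancy this report describes.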