Bug 1142122
| Field | Value |
|---|---|
| Summary | sudo option mail_no_user doesn't work |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | David Spurek <dspurek> |
| Component | sudo |
| Assignee | Daniel Kopeček <dkopecek> |
| Status | CLOSED ERRATA |
| QA Contact | Dalibor Pospíšil <dapospis> |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | 6.6 |
| CC | dapospis, dkopecek, ebenes, ksrot, pkis, pvrabec, qe-baseos-security, tlavigne |
| Target Milestone | rc |
| Keywords | Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sudo-1.8.6p3-19.el6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1140980 |
| Clones | 1220480 1334360 |
| Environment | |
| Last Closed | 2015-07-22 07:36:06 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1140980 |
| Bug Blocks | 1334360 |
| Attachments | |
Description
David Spurek
2014-09-16 08:11:54 UTC
Works for me. `$ postqueue -p` shows a queued mail for the configured address.

Are you sure that it works? It doesn't work for me.

```
[test]postqueue -p | wc -l
90
[test]su - usernotallowed -c 'sudo true'
su: warning: cannot change directory to /home/usernotallowed: No such file or directory
usernotallowed is not allowed to run sudo on rhel6-6. This incident will be reported.
[test]postqueue -p | wc -l
90
```

Is it ldap specific? Have you tried to set the option locally? Debug logs would be also nice to have...

It looks ldap specific. I don't see this problem with local sudoers.

```
[root@rhel6-6 ldap-sudoers-sanity]# postqueue -p | wc -l
98
[root@rhel6-6 ldap-sudoers-sanity]# su - localuser -c 'sudo true'
localuser is not in the sudoers file. This incident will be reported.
[root@rhel6-6 ldap-sudoers-sanity]# postqueue -p | wc -l
101
[root@rhel6-6 ldap-sudoers-sanity]# cat /etc/sudoers | grep '^Defaults'
Defaults mail_no_user
Defaults mailto=emailto
Defaults !authenticate
```

```
[test]postqueue -p | wc -l
118
[test]su - usernotallowed -c 'sudo true'
su: warning: cannot change directory to /home/usernotallowed: No such file or directory
LDAP Config Summary
===================
uri              ldap://my-domain.com/
ldap_version     3
sudoers_base     ou=Sudoers,dc=my-domain,dc=com
binddn           (anonymous)
bindpw           (anonymous)
ssl              (no)
===================
sudo: ldap_set_option: debug -> 0
sudo: ldap_initialize(ld, ldap://my-domain.com/)
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_sasl_bind_s() ok
sudo: Looking for cn=defaults: cn=defaults
sudo: found:cn=defaults,ou=Sudoers,dc=my-domain,dc=com
sudo: ldap sudoOption: '!requiretty'
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'mailto=emailto'
sudo: ldap sudoOption: 'mail_no_user'
sudo: ldap search '(&(|(sudoUser=usernotallowed)(sudoUser=%groupnotallowed)(sudoUser=%#20002)(sudoUser=ALL))(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20150226141218.0Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20150226141218.0Z))))'
sudo: searching from base 'ou=Sudoers,dc=my-domain,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: ldap search '(&(sudoUser=+*)(&(|(!(sudoNotAfter=*))(sudoNotAfter>=20150226141218.0Z))(|(!(sudoNotBefore=*))(sudoNotBefore<=20150226141218.0Z))))'
sudo: searching from base 'ou=Sudoers,dc=my-domain,dc=com'
sudo: adding search result
sudo: result now has 0 entries
sudo: sorting remaining 0 entries
sudo: searching LDAP for sudoers entries
sudo: done with LDAP searches
sudo: user_matches=1
sudo: host_matches=0
sudo: sudo_ldap_lookup(0)=0x40
usernotallowed is not allowed to run sudo on rhel6-6. This incident will be reported.
[test]postqueue -p | wc -l
118
```

Well, there seems to be a bug, just not related to the mail options. The options are set as they should be.

```
...
sudo: adding search result
sudo: result now has 0 entries
...
sudo: user_matches=1
sudo: host_matches=0
...
```

the mail_no_user has no effect here, because sudo thinks that there was a user match... I'll review the entry matching code.

Created attachment 997109 [details]
experimental patch
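As an added example (not code from this bug or from the sudo project), a small Python check that reads sudo's LDAP debug output like the excerpt above and reports which mail_* Defaults sudo would act on, and whether its match flags contradict the number of entries it found. The log excerpt is copied from the debug output quoted in this bug; the function names are my own.

```python
import re

# Excerpt of the sudo LDAP debug output quoted in this bug (copied from the report)
SAMPLE_LOG = """\
sudo: ldap sudoOption: '!authenticate'
sudo: ldap sudoOption: 'mailto=emailto'
sudo: ldap sudoOption: 'mail_no_user'
sudo: adding search result
sudo: result now has 0 entries
sudo: user_matches=1
sudo: host_matches=0
"""

def parse_sudo_ldap_debug(log):
    """Pull the Defaults options, the final entry count and sudo's match flags."""
    options = re.findall(r"sudoOption: '([^']*)'", log)
    counts = re.findall(r"result now has (\d+) entries", log)
    user = re.search(r"user_matches=(\d+)", log)
    host = re.search(r"host_matches=(\d+)", log)
    return {
        "options": options,
        # "result now has N entries" is cumulative, so the last value is the total
        "entries": int(counts[-1]) if counts else 0,
        "user_matches": int(user.group(1)) if user else None,
        "host_matches": int(host.group(1)) if host else None,
    }

def mail_condition(info):
    """Which mail_* Defaults sudo would act on, judged by its own match flags:
    mail_no_user only when no entry matched the user at all, mail_no_host when
    the user matched but nothing applies to this host (mail_no_perms depends on
    command-level lines not shown here)."""
    if info["user_matches"] == 0:
        return "mail_no_user"
    if info["host_matches"] == 0:
        return "mail_no_host"
    return None

def check(log):
    info = parse_sudo_ldap_debug(log)
    condition = mail_condition(info)
    return {
        "condition": condition,
        # is the condition sudo would act on actually enabled in Defaults?
        "enabled": condition in info["options"],
        # zero entries found but user_matches=1 is exactly the contradiction in this bug
        "inconsistent": info["entries"] == 0 and info["user_matches"] == 1,
    }
```

On the excerpt from this bug, `check` reports that sudo would consult mail_no_host (which is not set) rather than mail_no_user, and flags the zero-entry/user-matched contradiction.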
Created attachment 1022516 [details]
proposed patch
Fixed patch for the LDAP bug. If there's a bug in SSSD too, create a new BZ for it and with debug logs, please.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1409.html