Bug 1144419

Summary: sudo with ldap/sssd doesn't respect env_keep, env_check and env_delete variables in sudoOption
Product: Red Hat Enterprise Linux 7
Reporter: David Spurek <dspurek>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: high
Priority: high
Version: 7.0
CC: dapospis, dkopecek, pkis, pvrabec
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sudo-1.8.6p7-14.el7
Doc Type: Bug Fix
Clones: 1144422
Last Closed: 2015-11-19 12:58:38 UTC
Type: Bug
Bug Blocks: 1144422, 1205796
Attachments: proposed patch

Description David Spurek 2014-09-19 10:54:02 UTC
Description of problem:
sudo with ldap/sssd doesn't respect env_keep, env_check and env_delete variables in sudoOption

#### env_check ####
I have the following sudoers entries in LDAP:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: env_file=/tmp/envfile
sudoOption: env_check="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL

[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
HOSTNAME=rhel7.example.com
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin
SHELL=/bin/bash
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
HOME=/root
TERM=unknown
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=%spec
CHECKVAR=/path

The TESTVAR and CHECKVAR variables shouldn't be in the list.


#### env_delete ####
I have the following sudoers entries in LDAP:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: !env_reset
sudoOption: env_file=/tmp/envfile
sudoOption: env_delete="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL


[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
XDG_SESSION_ID=321
HOSTNAME=rhel7.example.com
SHELL=/bin/bash
TERM=xterm-256color
HISTSIZE=1000
USER=root
MAIL=/var/spool/mail/userallowed
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin
PWD=/tmp/tmp.5Mn1pNEi1O
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
SHLVL=1
HOME=/home/userallowed
LOGNAME=root
LESSOPEN=||/usr/bin/lesspipe.sh %s
_=/bin/sudo
USERNAME=root
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=spec
CHECKVAR=path
NEXTVAR=var

The TESTVAR and CHECKVAR variables shouldn't be in the list.

#### env_keep ####
I have the following sudoers entries in LDAP:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: env_reset
sudoOption: env_file=/tmp/envfile
sudoOption: env_keep="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL

[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
TERM=xterm-256color
LANG=en_US.UTF-8
SHELL=/bin/bash
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
HOME=/root
PATH=/usr/bin:/bin:/usr/sbin:/sbin
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=spec
CHECKVAR=path
NEXTVAR=var


The NEXTVAR variable shouldn't be in the list.

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-11.el7

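To confirm whether a sudo build honours the env_* options delivered through LDAP, the following added script (not part of the bug report and not sudo's own code) applies the sudoers(5) rules for env_reset, env_keep, env_check and env_delete to a captured `sudo env` listing and reports every variable that leaked through. The BASELINE set and the condensed sample data are assumptions drawn from the three outputs above.

```python
# Assumption (not from the report): variables sudo keeps or sets itself when
# env_reset is on; anything else must be matched by env_keep or env_check.
BASELINE = {"HOSTNAME", "PATH", "SHELL", "MAIL", "LOGNAME", "USER", "USERNAME",
            "HOME", "TERM", "LANG", "SUDO_COMMAND", "SUDO_USER", "SUDO_UID", "SUDO_GID"}

def parse_defaults(ldif):
    """Read env_reset, env_keep, env_check and env_delete from sudoOption lines."""
    opts = {"env_reset": True, "env_keep": set(), "env_check": set(), "env_delete": set()}
    for line in (l for l in ldif.splitlines() if l.startswith("sudoOption:")):
        name, _, value = line.split(":", 1)[1].strip().partition("=")
        if name in ("env_reset", "!env_reset"):
            opts["env_reset"] = name == "env_reset"
        elif name in opts:  # the three list-valued options
            opts[name] = set(value.strip('"').split())
    return opts

def parse_env(output):
    """Turn `sudo env` output into a dict, skipping su's warning line."""
    return dict(line.partition("=")[::2] for line in output.splitlines()
                if "=" in line and not line.startswith("su:"))

def must_be_absent(opts, name, value):
    """sudoers(5) env rules: env_check drops values holding % or /; with
    env_reset off only env_delete names go; with env_reset on everything
    not in the baseline, env_keep or env_check goes."""
    if name in opts["env_check"]:
        return "%" in value or "/" in value
    if not opts["env_reset"]:
        return name in opts["env_delete"]
    return name not in BASELINE | opts["env_keep"]

def check(ldif, sudo_env_output):
    """Sorted names that leaked through; an empty list means the policy was honoured."""
    opts, env = parse_defaults(ldif), parse_env(sudo_env_output)
    return sorted(n for n, v in env.items() if must_be_absent(opts, n, v))

# Constructed sample data, condensed from the three cases in the report.
CASES = {
    "env_check": ('sudoOption: env_check="TESTVAR CHECKVAR"\n',
                  "HOME=/root\nPATH=/usr/bin:/bin\nSUDO_USER=userallowed\nTESTVAR=%spec\nCHECKVAR=/path\n"),
    "env_delete": ('sudoOption: !env_reset\nsudoOption: env_delete="TESTVAR CHECKVAR"\n',
                   "PWD=/tmp/x\nLESSOPEN=||/usr/bin/lesspipe.sh %s\nTESTVAR=spec\nCHECKVAR=path\nNEXTVAR=var\n"),
    "env_keep": ('sudoOption: env_reset\nsudoOption: env_keep="TESTVAR CHECKVAR"\n',
                 "TERM=xterm\nHOME=/root\nTESTVAR=spec\nCHECKVAR=path\nNEXTVAR=var\n"),
}

if __name__ == "__main__":
    for label, (ldif, out) in CASES.items():
        print(f"{label}: leaked {check(ldif, out)}")
```

With the buggy sudo-1.8.6p7-11.el7 behaviour shown above, all three cases report leaked variables; a fixed build should report an empty list for each.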
Comment 2 Daniel Kopeček 2015-07-07 12:36:11 UTC
Created attachment 1049275
proposed patch

Comment 16 errata-xmlrpc 2015-11-19 12:58:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2424.html