Bug 1348672
Summary: sudo disallowed when a FreeIPA rule should allow it by host group, since 1.8.16

Field | Value
---|---
Product | Fedora
Component | sudo
Version | 24
Hardware | x86_64
OS | All
Status | CLOSED ERRATA
Severity | high
Priority | unspecified
Keywords | Reopened
Reporter | Adam Williamson <awilliam>
Assignee | Daniel Kopeček <dkopecek>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | dkopecek, kzak, lslebodn, pbrezina, rsroka
Target Milestone | ---
Target Release | ---
Fixed In Version | sudo-1.8.17p1-1.fc24
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2016-06-26 20:54:10 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description
Adam Williamson
2016-06-21 17:43:21 UTC
It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo works again. Log looks like this:

    Jun 21 11:10:38 sudo[3834] val[0]=+adam-machines
    Jun 21 11:10:38 sudo[3834] -> addr_matches @ ./match_addr.c:195
    Jun 21 11:10:38 sudo[3834] -> addr_matches_if @ ./match_addr.c:56
    Jun 21 11:10:38 sudo[3834] <- addr_matches_if @ ./match_addr.c:66 := false
    Jun 21 11:10:38 sudo[3834] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
    Jun 21 11:10:38 sudo[3834] <- addr_matches @ ./match_addr.c:207 := false
    Jun 21 11:10:38 sudo[3834] -> netgr_matches @ ./match.c:1039
    Jun 21 11:10:38 sudo[3834] -> sudo_getdomainname @ ./match.c:977
    Jun 21 11:10:38 sudo[3834] <- sudo_getdomainname @ ./match.c:1016 := (null)
    Jun 21 11:10:38 sudo[3834] netgroup adam-machines matches (xps13.happyassassin.net|xps13, , ): true @ netgr_matches() ./match.c:1065
    Jun 21 11:10:38 sudo[3834] <- netgr_matches @ ./match.c:1068 := true

So it's gone back to checking just the hostname (the user no longer appears in the triplet). I do see some relevant-looking changes in plugins/sudoers/sssd.c and plugins/sudoers/match.c upstream, so it makes sense.

Aha. The specific upstream fix is this commit: https://github.com/millert/sudo/commit/ccf88d3bb22fbb9804fd66bd4fb4ab6c168b10f4

Before that commit, sudo_sss_check_host was unconditionally throwing the username into the netgr_matches call (which is incorrect); after the commit, it only includes it if netgroup_tuple is enabled (which by default it is not). The netgroup_tuple thing was the feature added to address bug #717 in 1.8.16. It looks like in the initial commit to add that feature: https://github.com/millert/sudo/commit/5a77989a33ee8f27349aec831603fcd55cce159c most calls to netgr_matches were changed to use a ternary to specify username if def_netgroup_tuple is true, but the netgr_matches call in sudo_sss_check_host was just changed to specify username unconditionally, and ccf88d3 fixes that.
(In reply to Adam Williamson from comment #1)
> It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo
> works again. Log looks like this:

Great, thanks for the triage. I'm preparing an update to 1.8.17. Once I have a patch for #1348533, I'll push the update.

Can you please fix F24 as well? It has 1.8.16 as well.

sudo-1.8.17p1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1

sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1

sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
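The matching behaviour described in the thread, as an added worked model in C. This is not code from sudo, FreeIPA, SSSD or the bug report: the triples in the sample netgroups, the "-" user field for the host-group netgroup, the hostnames and the function names are constructed assumptions, and the field semantics follow the innetgr(3) conventions (an empty field in a triple is a wildcard, "-" matches nothing, a NULL query argument leaves that field unconstrained). It shows why a host-only netgroup fails to match once the username is forced into the query (the 1.8.16 sudo_sss_check_host behaviour), matches again when the username is only passed under netgroup_tuple (the ccf88d3 behaviour), and how a user-and-host triple matches when netgroup_tuple is on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of a NIS-style netgroup: a list of (host, user, domain) triples.
 * Field semantics follow innetgr(3): an empty field in the triple is a
 * wildcard, a "-" field matches nothing, and a NULL query argument means
 * "do not constrain this field".
 */
struct ng_triple {
    const char *host;
    const char *user;
    const char *domain;
};

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/*
 * Constructed sample data (assumption, not taken from the bug report):
 * a host-group style netgroup that lists machines only, with "-" in the
 * user slot, plus a user-and-host netgroup for the netgroup_tuple case.
 */
static const struct ng_triple adam_machines[] = {
    { "xps13.happyassassin.net",   "-", "" },
    { "desktop.happyassassin.net", "-", "" },
};

static const struct ng_triple adam_on_xps13[] = {
    { "xps13.happyassassin.net", "adam", "" },
};

static bool field_matches(const char *want, const char *field)
{
    if (want == NULL)
        return true;                  /* query leaves this field unconstrained */
    if (field[0] == '\0')
        return true;                  /* wildcard in the triple */
    if (strcmp(field, "-") == 0)
        return false;                 /* triple explicitly matches nothing */
    return strcmp(want, field) == 0;
}

/* Modelled after sudo's netgr_matches: lhost is the FQDN, shost the short name. */
static bool netgr_matches(const struct ng_triple *ng, size_t n,
                          const char *lhost, const char *shost,
                          const char *user, const char *domain)
{
    for (size_t i = 0; i < n; i++) {
        bool host_ok = field_matches(lhost, ng[i].host) ||
                       (shost != NULL && field_matches(shost, ng[i].host));
        if (host_ok && field_matches(user, ng[i].user) &&
            field_matches(domain, ng[i].domain))
            return true;
    }
    return false;
}

/* 1.8.16 behaviour: the username is always part of the host-group query. */
static bool check_host_always_user(const struct ng_triple *ng, size_t n,
                                   const char *lhost, const char *shost,
                                   const char *user)
{
    return netgr_matches(ng, n, lhost, shost, user, NULL);
}

/* ccf88d3 behaviour: the username is added only when netgroup_tuple is set. */
static bool check_host_tuple_aware(const struct ng_triple *ng, size_t n,
                                   const char *lhost, const char *shost,
                                   const char *user, bool netgroup_tuple)
{
    return netgr_matches(ng, n, lhost, shost,
                         netgroup_tuple ? user : NULL, NULL);
}

/* The cases discussed in the thread; domain is NULL as in the posted log. */
bool hostgroup_rule_old(void)
{
    return check_host_always_user(adam_machines, NELEMS(adam_machines),
                                  "xps13.happyassassin.net", "xps13", "adam");
}

bool hostgroup_rule_fixed(void)
{
    return check_host_tuple_aware(adam_machines, NELEMS(adam_machines),
                                  "xps13.happyassassin.net", "xps13", "adam", false);
}

bool hostgroup_rule_with_tuple(void)
{
    return check_host_tuple_aware(adam_machines, NELEMS(adam_machines),
                                  "xps13.happyassassin.net", "xps13", "adam", true);
}

bool user_host_rule_with_tuple(const char *user)
{
    return check_host_tuple_aware(adam_on_xps13, NELEMS(adam_on_xps13),
                                  "xps13.happyassassin.net", "xps13", user, true);
}

int main(void)
{
    printf("host group, user forced into query (1.8.16): %s\n",
           hostgroup_rule_old() ? "match" : "no match");
    printf("host group, netgroup_tuple off (ccf88d3):    %s\n",
           hostgroup_rule_fixed() ? "match" : "no match");
    printf("host group, netgroup_tuple on:               %s\n",
           hostgroup_rule_with_tuple() ? "match" : "no match");
    printf("user+host triple, netgroup_tuple on, adam:   %s\n",
           user_host_rule_with_tuple("adam") ? "match" : "no match");
    printf("user+host triple, netgroup_tuple on, bob:    %s\n",
           user_host_rule_with_tuple("bob") ? "match" : "no match");
    return 0;
}
```

The last two cases show the trade-off behind netgroup_tuple: with it on, a triple has to carry the user for a (host, user) query to succeed, which is exactly why a host-only group fails once the user is passed unconditionally.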