Bug 1652543

Summary: cvtsudoers filters out some user defaults when filtering by a group
Product: Red Hat Enterprise Linux 7
Reporter: Dalibor Pospíšil <dapospis>
Component: sudo
Assignee: Radovan Sroka <rsroka>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 7.6
CC: dkopecek, extras-qa, jvymazal, kzak, mattdm, rsroka, tosykora
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Clone Of: 1652541
: 1683581
Last Closed: 2019-02-27 09:27:04 UTC
Type: Bug
Bug Blocks: 1683581    

Description Dalibor Pospíšil 2018-11-22 10:44:46 UTC
+++ This bug was initially created as a clone of Bug #1652541 +++

Description of problem:
When filtering the output by a group, some user-bound defaults are removed too, even though cvtsudoers cannot know in advance that the user used in those default rules is or is not a member of that group. The actual presence of that user in the specified group does not make any change.
Cvtsudoers should preserve all the user-bound defaults when filtering by a group, the same as if filtering by a host.

Version-Release number of selected component (if applicable):
sudo-1.8.23-3.el7

How reproducible:
100%

Steps to Reproduce:
1. cvtsudoers -f sudoers -m group=wheel << 'EOF'
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

Host_Alias CDROM = orion, perseus, hercules
Host_Alias SERVERS = master, mail, www, ns

%wheel ALL = (ALL) ALL
ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev /dev/cdrom /CDROM
EOF

Actual results:
Defaults syslog=auth
Defaults>root !set_logname
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

Host_Alias CDROM = orion, perseus, hercules
Host_Alias SERVERS = master, mail, www, ns

%wheel ALL = (ALL) ALL

ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev\
    /dev/cdrom /CDROM


Expected results:
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log

Host_Alias CDROM = orion, perseus, hercules
Host_Alias SERVERS = master, mail, www, ns

%wheel ALL = (ALL) ALL
ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev /dev/cdrom /CDROM
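
A check for the behaviour described in this report, as an added example (not part of the original report and not sudo project code): it compares the Defaults entries of a sudoers source with filtered cvtsudoers output and lists the entries that were dropped. The two sample texts are the reproducer input and the "Actual results" from the description with blank lines removed; the function names are hypothetical, and entries are compared as text after whitespace normalization.

```python
import re

# Constructed sample: reproducer input from this report (blank lines removed).
ORIGINAL = r"""Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Host_Alias CDROM = orion, perseus, hercules
Host_Alias SERVERS = master, mail, www, ns
%wheel ALL = (ALL) ALL
ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev /dev/cdrom /CDROM
"""

# Constructed sample: "Actual results" of `cvtsudoers -f sudoers -m group=wheel`.
FILTERED = r"""Defaults syslog=auth
Defaults>root !set_logname
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Host_Alias CDROM = orion, perseus, hercules
Host_Alias SERVERS = master, mail, www, ns
%wheel ALL = (ALL) ALL
ALL CDROM = NOPASSWD: /sbin/umount /CDROM, /sbin/mount -o nosuid\,nodev\
    /dev/cdrom /CDROM
"""

def logical_lines(text):
    """Join backslash-newline continuations; drop blank and comment lines."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [s.strip() for s in joined.splitlines() if s.strip() and not s.lstrip().startswith("#")]

DEFAULTS_RE = re.compile(r"^Defaults(?:(?P<scope>[:@>!])|\s)")
KINDS = {"": "global", ":": "user", "@": "host", ">": "runas", "!": "command"}

def defaults_entries(text):
    """Return a set of (binding kind, normalized line) for each Defaults entry."""
    out = set()
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if m:
            out.add((KINDS[m.group("scope") or ""], " ".join(line.split())))
    return out

def dropped_defaults(original, filtered):
    """Defaults entries present in the source but missing from the filtered output."""
    return sorted(defaults_entries(original) - defaults_entries(filtered))

if __name__ == "__main__":
    for kind, entry in dropped_defaults(ORIGINAL, FILTERED):
        print(f"dropped {kind}-bound default: {entry}")
```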

Comment 1 Daniel Kopeček 2019-02-27 09:27:04 UTC
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 7 and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification.