Bug 1671138
| Summary: | User is unable to perform sudo as a user on IPA Server, even though `sudo -l` shows permissions to do so | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Josip Vilicic <jvilicic> |
| Component: | sssd | Assignee: | Pavel Březina <pbrezina> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.4 | CC: | frenaud, grajaiya, jhrozek, jvilicic, ksiddiqu, lslebodn, mzidek, patrickcprovenzo, pbrezina, pvoborni, rcritten, sgoveas, sorlov, takirby, tscherf |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.16.4-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-06 13:02:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Comment 4
Jakub Hrozek
2019-01-31 08:46:19 UTC
Thank you for the date. I can reproduce this issue. Upstream ticket: https://pagure.io/SSSD/sssd/issue/3957 Upstream ticket: https://pagure.io/SSSD/sssd/issue/3957 * master: * 0aa6571 * d411feb * sssd-1-16: * 3a18e33 * 5ad7f5e Fix verified with nightly build of RHEL 7.7 # rpm -q sssd-common sssd-common-1.16.4-19.el7.x86_64 Verified using steps in upstream ticket https://pagure.io/SSSD/sssd/issue/3957: * define domain resolution order: ipa config-mod --domain-resolution-order testrelm.test * create test users: ipa user-add user1 --first a --last b ipa user-add user2 --first a --last b * create sudo rule: ipa sudorule-add testrule --hostcat=all --cmdcat=all --usercat=all ipa sudorule-add-runasuser testrule --users testuser2 * clear sssd cache: rm -rf /var/lib/sss/{db,mc}/* systemctl restart sssd * check allowed commands list for testuser1: # su testuser1 -c 'sudo -l' Matching Defaults entries for testuser1 on client1: !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !authenticate User testuser1 may run the following commands on client1: (testuser2) ALL * execute command by testuser1 as testuser2: # su testuser1 -c "sudo -u testuser2 echo OK" OK Also checked that with sssd version 1.16.4-5.el7 last step expectedly fails with message "Sorry, user testuser1 is not allowed to execute '/bin/echo OK' as testuser2 on client1.testrelm.test." Automated test added in freeipa upstream workspace: ipatests/test_integration/test_sudo.py::test_domain_resolution_order Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:2177 |