Bug 2121523
| Summary: | SudoHost entry does not work via SSSD provider | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | nbubakov |
| Component: | sudo | Assignee: | Radovan Sroka <rsroka> |
| Status: | CLOSED MIGRATED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 9.0 | CC: | dapospis |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 2121524 | Environment: | |
| Last Closed: | 2023-08-16 08:56:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This bug is going to be migrated. Contact point for migration questions or issues: rsroka

Guidance for Bugzilla users to test their Jira account or create one if needed:
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774
Description of problem:

Sudo rule option sudoHost does not work with IPv6, IPv6 with mask or IPv4 with mask via SSSD provider. But it works via LDAP.

Version-Release number of selected component (if applicable):

Tested and failed on all RHEL8 and RHEL9.

How reproducible:

Every time.

Steps to Reproduce:

1. Set up sudo to use sssd, using this LDAP data:

```ldif
# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Test server

# Groups, my-domain.com
dn: ou=Groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# admin, People, my-domain.com
dn: cn=admin,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: admin
uidNumber: 11001
gidNumber: 21001
homeDirectory: /home/admin
loginShell: /bin/bash
uid: admin
userPassword:: eA==

# admin, Groups, my-domain.com
dn: cn=admin,ou=Groups,dc=my-domain,dc=com
gidNumber: 21001
objectClass: top
objectClass: posixGroup
cn: 21001
cn: admin

# userallowed, People, my-domain.com
dn: cn=userallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: userallowed
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/userallowed
loginShell: /bin/bash
uid: userallowed
userPassword:: eA==

# groupallowed, Groups, my-domain.com
dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20001
objectClass: top
objectClass: posixGroup
cn: groupallowed

# usernotallowed, People, my-domain.com
dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: usernotallowed
uidNumber: 10002
gidNumber: 20002
homeDirectory: /home/usernotallowed
loginShell: /bin/bash
uid: usernotallowed
userPassword:: eA==

# groupnotallowed, Groups, my-domain.com
dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20002
objectClass: top
objectClass: posixGroup
cn: groupnotallowed

# Sudoers, my-domain.com
dn: ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, my-domain.com
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
sudoOption: !requiretty
```

2. Add one of the following rules to the LDAP data:

a) In order to test sudoHost with IPv6, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C:0000:0000:0000:0000:0008
```

b) In order to test sudoHost with IPv6 with mask, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C::/72
```

c) In order to test sudoHost with IPv4 with mask, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: 192.168.10.0/26
```

3. Check it with the following command:

```
$ su - userallowed -c 'sudo true'
```

Actual results:

Gets generic error - exit status 1

Expected results:

userallowed is allowed to run sudo on this host - exit status 0

Additional info:
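The following Python reference matcher is an added example, not code from the bug report, from sudo or from SSSD. It shows what a correct sudoHost evaluation looks like for the three forms the report says fail through the SSSD provider (a bare IPv6 address, an IPv6 network with a prefix length, an IPv4 network with a prefix length), which is the "expected result" the reporter describes. The sample host name and interface addresses are constructed; the matching semantics (ALL keyword, a leading `!` negating one value, address-in-network matching, shell-style globbing for host names) are modelled on the sudoers(5) and sudoers.ldap(5) descriptions and are an assumption of this example, not the exact algorithm in sudo or in SSSD's sudo responder. Running it over an exported set of sudoRole entries and comparing with `sudo -l` on the client is a cheap way to spot exactly which host forms a given provider gets wrong.

```python
"""Reference sudoHost matcher (added example; not sudo, SSSD or the report's code)."""
import fnmatch
import ipaddress

# Constructed sample host: a short name, its FQDN and the addresses on its
# interfaces. The IPv6 address is the one named in rule a) of the report.
SAMPLE_HOST = {
    "hostname": "client1",
    "fqdn": "client1.my-domain.com",
    "addresses": ["192.168.10.17", "fd6d:8d64:af0c::8"],
}

# sudoHost values from the three rules in the report, plus two constructed
# host-name style values to exercise the non-address path.
SAMPLE_RULES = {
    "rule_a_ipv6": ["FD6D:8D64:AF0C:0000:0000:0000:0000:0008"],
    "rule_b_ipv6_mask": ["FD6D:8D64:AF0C::/72"],
    "rule_c_ipv4_mask": ["192.168.10.0/26"],
    "constructed_glob": ["*.my-domain.com"],
    "constructed_negated": ["!client1"],
}


def parse_network(value):
    """Parse an address, CIDR prefix or dotted-netmask network.

    Returns an ip_network object, or None when the value is not an IP form
    (so the caller treats it as a host-name pattern instead).
    """
    try:
        # strict=False accepts host bits set inside the prefix, e.g. 192.168.10.17/26.
        return ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None


def sudo_host_value_matches(value, host):
    """Evaluate one sudoHost attribute value against the host.

    Assumed semantics, modelled on sudoers(5)/sudoers.ldap(5): ALL matches
    everything; a leading '!' negates the value; an IP address or network
    matches when any interface address falls inside it (a bare address is a
    /32 or /128 network); anything else is a host-name pattern matched
    case-insensitively with shell-style globbing against the short and
    fully qualified names.
    """
    value = value.strip()
    if value == "ALL":
        return True
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    net = parse_network(value)
    if net is not None:
        # Address family is checked by ipaddress: an IPv4 address is never
        # "in" an IPv6 network, so mixed families simply do not match.
        hit = any(ipaddress.ip_address(a) in net for a in host["addresses"])
    else:
        pattern = value.lower()
        hit = any(fnmatch.fnmatchcase(name.lower(), pattern)
                  for name in (host["hostname"], host["fqdn"]))
    return (not hit) if negated else hit


def rule_applies(sudo_host_values, host):
    """A rule applies to the host if any of its sudoHost values matches."""
    return any(sudo_host_value_matches(v, host) for v in sudo_host_values)


def evaluate_rules(rules, host):
    """Map each rule name to whether it applies on the given host."""
    return {name: rule_applies(values, host) for name, values in rules.items()}


if __name__ == "__main__":
    for name, applies in evaluate_rules(SAMPLE_RULES, SAMPLE_HOST).items():
        print(f"{name:22s} {'applies' if applies else 'does not apply'}")
```

On the constructed host all three of the report's rules apply, which is the exit status 0 the reporter expects; a host whose addresses fall outside the networks (for example 192.168.10.70, beyond the /26) correctly gets none of them.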