Bug 2121524
| Summary: | SudoHost entry does not work via SSSD provider | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | nbubakov |
| Component: | sudo | Assignee: | Radovan Sroka <rsroka> |
| Status: | CLOSED MIGRATED | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.6 | CC: | dapospis |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2121523 | Environment: | |
| Last Closed: | 2023-08-01 11:43:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem:
Sudo rule option sudoHost does not work with IPv6, IPv6 with mask, or IPv4 with mask via the SSSD provider. But it works via LDAP.

Version-Release number of selected component (if applicable):
Tested and failed on all RHEL 8 and RHEL 9.

How reproducible:
Every time

Steps to Reproduce:
1. Set up sudo to use sssd, using this LDAP data:

```ldif
# my-domain.com
dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organization
dc: my-domain
o: Test server

# Groups, my-domain.com
dn: ou=Groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: Groups

# People, my-domain.com
dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

# admin, People, my-domain.com
dn: cn=admin,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: admin
uidNumber: 11001
gidNumber: 21001
homeDirectory: /home/admin
loginShell: /bin/bash
uid: admin
userPassword:: eA==

# admin, Groups, my-domain.com
dn: cn=admin,ou=Groups,dc=my-domain,dc=com
gidNumber: 21001
objectClass: top
objectClass: posixGroup
cn: 21001
cn: admin

# userallowed, People, my-domain.com
dn: cn=userallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: userallowed
uidNumber: 10001
gidNumber: 20001
homeDirectory: /home/userallowed
loginShell: /bin/bash
uid: userallowed
userPassword:: eA==

# groupallowed, Groups, my-domain.com
dn: cn=groupallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20001
objectClass: top
objectClass: posixGroup
cn: groupallowed

# usernotallowed, People, my-domain.com
dn: cn=usernotallowed,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: usernotallowed
uidNumber: 10002
gidNumber: 20002
homeDirectory: /home/usernotallowed
loginShell: /bin/bash
uid: usernotallowed
userPassword:: eA==

# groupnotallowed, Groups, my-domain.com
dn: cn=groupnotallowed,ou=Groups,dc=my-domain,dc=com
gidNumber: 20002
objectClass: top
objectClass: posixGroup
cn: groupnotallowed

# Sudoers, my-domain.com
dn: ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

# defaults, Sudoers, my-domain.com
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: !authenticate
sudoOption: !requiretty
```

2. Add one of the following rules to the LDAP data:

a) To test sudoHost with IPv6, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C:0000:0000:0000:0000:0008
```

b) To test sudoHost with IPv6 with mask, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: FD6D:8D64:AF0C::/72
```

c) To test sudoHost with IPv4 with mask, add this rule:

```ldif
# rule_allow, Sudoers, my-domain.com
dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoCommand: ALL
sudoUser: ALL
sudoHost: 192.168.10.0/26
```

3. Check it with the following command:

```
$ su - userallowed -c 'sudo true'
```

Actual results:
Gets generic error - exit status 1

Expected results:
userallowed is allowed to run sudo on this host - exit status 0

Additional info:
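The matching the reporter expects for the three rule forms, as an added reference check that is not part of the bug report or of the sudo/SSSD code: a small Python function implementing the sudoHost semantics from sudoers(5) (ALL, a hostname, an IP literal, or a network given with a prefix length or netmask), applied to a constructed set of host addresses so you can confirm a rule ought to cover a host before concluding the provider is at fault. Netgroup and negated (`!`) forms are left out; the host addresses and hostname below are assumed values.

```python
import ipaddress
from typing import Dict, Iterable


def sudo_host_matches(sudo_host: str, host_addrs: Iterable[str], hostname: str) -> bool:
    """Return True if a single sudoHost value should match this host.

    Handles the forms the report exercises: ALL, a bare IPv4/IPv6 address,
    and a network written as address/prefixlen or address/netmask. Anything
    else is treated as a hostname and compared case-insensitively.
    """
    value = sudo_host.strip()
    if value == "ALL":
        return True
    addrs = [ipaddress.ip_address(a) for a in host_addrs]
    if "/" in value:
        try:
            # strict=False tolerates host bits set in the network part
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False
        # 'in' is False for mismatched address families, so mixed lists are fine
        return any(a in net for a in addrs)
    try:
        target = ipaddress.ip_address(value)
    except ValueError:
        return value.lower() == hostname.lower()
    # IPv6 literals compare by value, so upper-case/uncompressed spellings match
    return any(a == target for a in addrs)


# The three sudoHost values from the report's rules (a), (b) and (c).
PAGE_RULES = {
    "ipv6": "FD6D:8D64:AF0C:0000:0000:0000:0000:0008",
    "ipv6_mask": "FD6D:8D64:AF0C::/72",
    "ipv4_mask": "192.168.10.0/26",
}

# Constructed host interface addresses chosen to fall inside all three rules.
HOST_ADDRS = ["192.168.10.17", "fd6d:8d64:af0c::8"]
HOSTNAME = "host.my-domain.com"  # assumed hostname, not from the report


def expected_results(rules: Dict[str, str] = PAGE_RULES,
                     host_addrs: Iterable[str] = HOST_ADDRS,
                     hostname: str = HOSTNAME) -> Dict[str, bool]:
    """Evaluate each rule against the host; every entry should be True."""
    return {name: sudo_host_matches(v, host_addrs, hostname) for name, v in rules.items()}


if __name__ == "__main__":
    for name, ok in expected_results().items():
        print(f"{name}: {'match' if ok else 'no match'}")
```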