Bug 880176

Summary: memberUid required for primary groups to match sudo rule
Product: Red Hat Enterprise Linux 6 Reporter: Nikolai Kondrashov <nikolai.kondrashov>
Component: sssdAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.4CC: grajaiya, jgalipea, jhrozek, okos, pbrezina
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.9.2-45.el6 Doc Type: Known Issue
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:41:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 888457    
Attachments:
Description Flags
Base LDIF file
none
sssd.conf none

Description Nikolai Kondrashov 2012-11-26 12:43:05 UTC 
Description of problem:
sudo rules with %group_name or %#group_id sudoUser don't match for primary groups not having user's memberUid.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use attached LDIF file to fill LDAP directory.
2. Use attached sssd.conf as the base for client configuration.
3. Execute Execute "su -c 'sudo -u user2 true' user1 && echo allowed || echo denied" as root.
  
Actual results:
denied

Expected results:
allowed

Additional info:
If the primary group (group_user1) has a memberUid with user name (user1) added, the above works as expected.

This will still not work with sudoUser specified as group ID (i.e. %#20001), even with memberUid added, because of https://fedorahosted.org/sssd/ticket/1667.
Comment 1 Nikolai Kondrashov 2012-11-26 12:44:17 UTC 
This is branched off Bug 872619. Assigning to Pavel accordingly.
Comment 2 Nikolai Kondrashov 2012-11-26 12:45:49 UTC 
Created attachment 651937 [details]
Base LDIF file
Comment 3 Nikolai Kondrashov 2012-11-26 12:46:43 UTC 
Created attachment 651938 [details]
sssd.conf
Comment 5 Jakub Hrozek 2012-11-29 08:10:21 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1677
Comment 7 Nikolai Kondrashov 2012-12-16 13:17:03 UTC 
Verified %group_name works with the following packages:

sssd-1.9.2-45.el6.x86_64
sssd-client-1.9.2-45.el6.x86_64
sudo-1.8.6p3-6.el6.x86_64
libsss_idmap-1.9.2-45.el6.x86_64
libsss_sudo-1.9.2-45.el6.x86_64

Relevant sudo suite output:

:: [   PASS   ] :: attrs_user_group_name_match

However, cannot verify %#group_id, because of Bug 880335.
Comment 8 Jakub Hrozek 2012-12-16 13:22:28 UTC 
(In reply to comment #7)
> However, cannot verify %#group_id, because of Bug 880335.

That bug is not going to get fixed until el7. If that's the only thing that doesn't work, please move to VERIFIED.
Comment 9 Nikolai Kondrashov 2012-12-16 16:05:23 UTC 
Once Bug 880335 is fixed, the sudo suite output relevant to %#group_id verification should change from:

:: [   FAIL   ] :: attrs_user_group_id_match (Expected 0, got 1)

to:

:: [   PASS   ] :: attrs_user_group_id_match
Comment 10 errata-xmlrpc 2013-02-21 09:41:17 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0508.html