Bug 965124
| Summary: | sudo doesn't work with users in ldap | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | David Spurek <dspurek> |
| Component: | sudo | Assignee: | Daniel Kopeček <dkopecek> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | David Spurek <dspurek> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 7.0 | CC: | dspurek, ebenes |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | sudo-1.8.6p7-3.el7 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-06-13 10:32:44 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
David Spurek
2013-05-20 13:21:26 UTC
I've tried it manually and it looks it works fine. Could you re-run the test please? If it won't work, then there might be something wrong with the test.
-bash-4.2$ sudo -l
[sudo] password for ldapuser20002:
Matching Defaults entries for ldapuser20002 on this host:
requiretty, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC
KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LOGNAME LANG
LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION
LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS
_XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User ldapuser20002 may run the following commands on this host:
(ALL) /bin/true
-bash-4.2$ sudo -u ldapuser20001 true
-bash-4.2$ echo $?
0
-bash-4.2$ sudo true
-bash-4.2$ echo $?
0
It looks fixed, test passes now: sudo-1.8.6p7-4.el7 nss-pam-ldapd-0.8.12-4.el7 sssd-1.10.1-1.el7.x86_64 Output with sudo-1.8.6p7-4.el7: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Test with ldap :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Running 'service nslcd start && sleep 2' :: [ PASS ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*'' :: [ PASS ] :: Running 'getent passwd user1' :: [ PASS ] :: Running 'getent passwd user2' :: [ PASS ] :: Running 'getent group group_user1' :: [ PASS ] :: Running 'getent netgroup netgroup_user1' :: [ PASS ] :: Running 'getent group group_user2' :: [ PASS ] :: Running 'getent netgroup netgroup_user2' :: [ PASS ] :: Running 'ldapadd -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_add.ldif' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:#10002 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:#10001 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:%group_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:%group_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:+netgroup_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:group_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:group_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:#20002 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:#20001 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'service nslcd stop && sleep 2' :: [ LOG ] :: Duration: 15s :: [ LOG ] :: Assertions: 35 good, 0 bad :: [ PASS ] :: RESULT: Test with ldap :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Test with sssd :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ PASS ] :: Running 'nsswitch_conf_sssd' :: [ PASS ] :: Running 'ldapsearch -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -LLL -b "ou=Sudoers,dc=example,dc=com" '*'' :: [ PASS ] :: Running 'service sssd start && sleep 3' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:#10002 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:#10001 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:%group_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:%group_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:+netgroup_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsUser:+netgroup_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -u user2 true'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod.ldif' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:group_user2 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:group_user1 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:#20002 should be ALLOWED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'ldapmodify -x -H ldap://example.com -D 'cn=Manager,dc=example,dc=com' -w x -f rule_mod2.ldif' :: [ LOG ] :: sudoRunAsGroup:#20001 should be DENIED :: [ PASS ] :: Running 'su user1 -c 'sudo -g group_user2 groups'' :: [ PASS ] :: Running 'service sssd stop' :: [ LOG ] :: Duration: 47s :: [ LOG ] :: Assertions: 29 good, 0 bad :: [ PASS ] :: RESULT: Test with sssd output with sudo.x86_64 0:1.8.6p7-2 is in initial bug report. This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request. |