Bug 1006463 - sudo -U <user> listing shows incorrect list when sssd is used.
Summary: sudo -U <user> listing shows incorrect list when sssd is used.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.4
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Daniel Kopeček
QA Contact: David Spurek
URL:
Whiteboard:
Depends On:
Blocks: 1147557
Reported: 2013-09-10 16:18 UTC by Najmuddin Chirammal
Modified: 2018-12-09 17:12 UTC (History)

Fixed In Version: sudo-1.8.6p3-13.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 1147557
Environment:
Last Closed: 2014-10-14 06:45:55 UTC
Target Upstream Version:


Attachments
proposed patch (807 bytes, patch), 2014-05-21 11:18 UTC, Daniel Kopeček


Links
Red Hat Product Errata RHBA-2014:1484 (priority normal, status SHIPPED_LIVE): sudo bug fix update, last updated 2014-10-14 01:28:34 UTC

Description Najmuddin Chirammal 2013-09-10 16:18:41 UTC
Description of problem:

As root, if I try to list the rules allowed for a user, it returns an incorrect/incomplete list.
Running sudo -l as normal user returns correct results.

For example: 

As root: 

# sudo -l -U luser1
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk

As normal user: 

$ sudo -l
User luser1 may run the following commands on this host:
    (ALL) /bin/fdisk
    (ALL) /usr/bin/passwd

Version-Release number of selected component: sudo-1.8.6p3-8.el6.x86_64.rpm


How reproducible: Always


Steps to Reproduce:
1. Configure nsswitch to use sudo rules from SSSD.
2. Try to list the rules allowed using a netgroup membership.
3. 

Actual results: 'sudo -U -l' tries to match the netgroup entry with the 'root' username instead of the actual user, and the rules allowed via netgroup are missing.

Expected results: 'sudo -U -l' lists all rules.


Additional info: 

- The rules are listed properly if 'ldap' is used instead of 'sss'

Sudo Debug logs: 

As root: 

Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup ng1 <======
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:32:43 sudo[30288] -> netgr_matches @ ./match.c:720
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:32:43 sudo[30288] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:32:43 sudo[30288] <- netgr_matches @ ./match.c:772 := false

As luser1 : 

Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) found in netgroup ng1  <======
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:724 := false
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) found in netgroup ng1
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:32:48 sudo[30295] -> netgr_matches @ ./match.c:720
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:32:48 sudo[30295] <- netgr_matches @ ./match.c:772 := false


------------------------------

With 'ldap' (working)

As root: 

Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup ng1
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] (*, root, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) found in netgroup ng1
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := true
Sep 10 21:44:32 sudo[30330] -> netgr_matches @ ./match.c:720
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] (*, luser1, (none)) NOT found in netgroup admin
Sep 10 21:44:32 sudo[30330] <- netgr_matches @ ./match.c:772 := false
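A small model, added here and not sudo's code or the attached patch, of the behaviour the debug logs above show: when root runs `sudo -l -U luser1`, netgroup membership has to be evaluated for the listed user (luser1), not for the invoking user (root). The netgroup triples and sudoers rules are constructed to match the example output in the report.

```python
from dataclasses import dataclass

# Constructed netgroup data as (host, user, domain) triples; "ng1" contains
# luser1, mirroring the "(*, luser1, (none)) found in netgroup ng1" log line.
NETGROUPS = {
    "ng1":   [("*", "luser1", None)],
    "admin": [("*", "admin1", None)],
}

@dataclass
class Rule:
    who: str        # a user name, or "+ng1" for a netgroup, as in sudoers
    command: str

# Constructed rules: fdisk granted to luser1 directly, passwd via netgroup ng1.
RULES = [Rule("luser1", "/bin/fdisk"), Rule("+ng1", "/usr/bin/passwd")]

def netgr_matches(netgroup, host, user):
    """True if (host, user) matches a triple of the netgroup; '*' is a wildcard."""
    for h, u, _domain in NETGROUPS.get(netgroup, []):
        if h in ("*", host) and u in ("*", user):
            return True
    return False

def user_matches(who, user, host="*"):
    if who.startswith("+"):
        return netgr_matches(who[1:], host, user)
    return who == user

def list_rules(invoking_user, list_user=None, buggy=False):
    """Commands that `sudo -l [-U list_user]` would print.

    buggy=True reproduces the reported behaviour: netgroup entries are
    checked against the invoking user (root) instead of the listed user,
    so rules granted only through a netgroup disappear from the listing.
    """
    target = list_user or invoking_user
    listed = []
    for rule in RULES:
        is_netgroup = rule.who.startswith("+")
        check_user = invoking_user if (buggy and is_netgroup) else target
        if user_matches(rule.who, check_user):
            listed.append(rule.command)
    return listed
```

`list_rules("root", "luser1", buggy=True)` yields only `/bin/fdisk`, the truncated listing from the report; with the netgroup check done for the listed user, both commands appear, matching what luser1 sees with `sudo -l`.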

Comment 3 Daniel Kopeček 2014-05-21 11:18:43 UTC
Created attachment 897919 [details]
proposed patch

Comment 8 errata-xmlrpc 2014-10-14 06:45:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1484.html

