Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionKaushik Banerjee
2014-04-16 18:26:47 UTC
Description of problem:
sudoNotBefore time is not always respected
Version-Release number of selected component (if applicable):
1.11.2-65
How reproducible:
Very often
Steps to Reproduce:
1. On the ldapserver:
ldapsearch -xv -h ldapserver -b "dc=example,dc=com" cn=test
dn: cn=test,ou=Sudoers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
sudoHost: ALL
sudoCommand: ALL
sudoUser: ALL
cn: test
sudoRunAsUser: ALL
sudoNotBefore: 20140409090729-0400
2. On the client:
# date +'%Y%m%d%H%M%S%z'
20140409092740-0400 <== Which is way past the sudoNotBefore time
3. Try to sudo to a user.
# su user1 -c "sudo -u user2 ${*-true}"
user1 is not allowed to run sudo on client. This incident will be reported.
Actual results:
sudo access is denied
Expected results:
sudo should work
Additional info:
Thank you for filing this bug report.
Since fixing this bug requires work in the upstream SSSD project which is not scheduled for the immediate future, I added a conditional development nack, pending upstream availability.
The attribute Test cases are failing due to this bug. As this is low priority bug and no customer has implemented this. Could you confirm whether there are plans to fix it? If there is no plan to fix it then could this bug be closed with proper justification, so that we could remove the related test-cases.
(In reply to shridhar from comment #5)
> The attribute Test cases are failing due to this bug. As this is low
> priority bug and no customer has implemented this. Could you confirm whether
> there are plans to fix it? If there is no plan to fix it then could this bug
> be closed with proper justification, so that we could remove the related
> test-cases.
I don't think we plan on fixing this and I agree that with that in mind, it would be fair to close this bug as WONTFIX or UPSTREAM.
(In reply to Jakub Hrozek from comment #6)
> (In reply to shridhar from comment #5)
> I don't think we plan on fixing this and I agree that with that in mind, it
> would be fair to close this bug as WONTFIX or UPSTREAM.
As you mentioned above, kindly close this bug as WONTFIX so that I could proceed with archiving of related testcases.
Comment 8Fabiano FidĂȘncio
2017-08-01 07:37:05 UTC
As per comment 6, I'm closing this bug as WONTFIX.
Description of problem: sudoNotBefore time is not always respected Version-Release number of selected component (if applicable): 1.11.2-65 How reproducible: Very often Steps to Reproduce: 1. On the ldapserver: ldapsearch -xv -h ldapserver -b "dc=example,dc=com" cn=test dn: cn=test,ou=Sudoers,dc=example,dc=com objectClass: top objectClass: sudoRole sudoHost: ALL sudoCommand: ALL sudoUser: ALL cn: test sudoRunAsUser: ALL sudoNotBefore: 20140409090729-0400 2. On the client: # date +'%Y%m%d%H%M%S%z' 20140409092740-0400 <== Which is way past the sudoNotBefore time 3. Try to sudo to a user. # su user1 -c "sudo -u user2 ${*-true}" user1 is not allowed to run sudo on client. This incident will be reported. Actual results: sudo access is denied Expected results: sudo should work Additional info: