Bug 1118336 - sudo: invalid sudoHost filter with asterisk
Summary: sudo: invalid sudoHost filter with asterisk
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks: 1118339
TreeView+ depends on / blocked
 
Reported: 2014-07-10 13:08 UTC by Dmitri Pal
Modified: 2014-10-14 04:48 UTC (History)
9 users (show)

Fixed In Version: sssd-1.11.6-16.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1118339 (view as bug list)
Environment:
Last Closed: 2014-10-14 04:48:58 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1375 normal SHIPPED_LIVE sssd bug fix and enhancement update 2014-10-14 01:06:25 UTC

Description Dmitri Pal 2014-07-10 13:08:04 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2377


{{{
(sudoHost=*\**) should be replaced with (sudoHost=*\2A*)
}}}
 according to rfc http://tools.ietf.org/html/rfc4515, otherwise the filter is invalid.

Comment 1 Jakub Hrozek 2014-07-29 13:44:29 UTC
Fixed upstream:
    master:
        8c4abd227035169e75cb081424765e65c52b5266 
    sssd-1-11:
        552f9bc07d15c371090a5514bb1821a7e4505203

Comment 3 Nirupama Karandikar 2014-09-10 08:07:02 UTC
Hello,

Could you please provide steps to reproduce the issue.

Thanks,

Nirupama

Comment 4 Jakub Hrozek 2014-09-10 12:19:30 UTC
I would only perform regression testing for sudo. The servers we ship in RHEL didn't exhibit the issue.

Comment 5 Nirupama Karandikar 2014-09-11 08:48:49 UTC
Tested with sssd-1.11.6-29.el6.x86_64

1. Configure sssd with "sudo_provider = ldap". Restart sssd service.

2. From /var/log/sssd/sssd_LDAP.log

(Thu Sep 11 14:18:02 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=dhcp207-31.lab.eng.pnq.redhat.com)(sudoHost=dhcp207-31)(sudoHost=10.65.207.31)(sudoHost=10.65.206.0/23)(sudoHost=fe80::5054:ff:feec:c24a)(sudoHost=fe80::/64)(sudoHost=+*)(|(sudoHost=*\\*)(sudoHost=*?*)(sudoHost=*\2A*)(sudoHost=*[*]*))))][dc=example,dc=com].

The "(sudoHost=*\2A*)" with older version has "(sudoHost=*\**)" in the domain logs.

Comment 6 errata-xmlrpc 2014-10-14 04:48:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html


Note You need to log in before you can comment on or make changes to this bug.