Bug 1138581 - sudo with sssd doesn't work correctly with sudoOrder option
Summary: sudo with sssd doesn't work correctly with sudoOrder option
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.6
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: Dalibor Pospíšil
URL:
Whiteboard:
Depends On: 1138576 1232950 1247997
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-09-05 08:55 UTC by David Spurek
Modified: 2015-07-29 12:18 UTC (History)
6 users (show)

Fixed In Version: sudo-1.8.6p3-16.el6
Doc Type: Bug Fix
Doc Text:
Cause: The implementation of SSSD support in sudo wasn't sorting the rules according to the sudoOrder attribute value Consequence: Rules processed in undefined order even if the sudoOrder attribute was present. Fix: Implemented sorting by the sudoOrder attribute value. Result: Rules are sorted in a defined order (as described in the documentation)
Clone Of: 1138576
Environment:
Last Closed: 2015-07-22 07:36:04 UTC
Target Upstream Version:

Attachments (Terms of Use)
proposed patch (5.08 KB, patch)
2015-03-02 09:33 UTC, Daniel Kopeček 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:1409 0 normal SHIPPED_LIVE Moderate: sudo security, bug fix, and enhancement update 2015-07-20 18:06:58 UTC

Description David Spurek 2014-09-05 08:55:06 UTC 
The same problem in rhel6, tested with sudo-1.8.6p3-15.el6 and sssd-1.11.6-28.el6
+++ This bug was initially created as a clone of Bug #1138576 +++

Description of problem:
sudo with sssd doesn't  work correctly with sudoOrder option. rule with the highest value in sudoOrder parameter should be used.

dn: cn=rule_allow,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_allow
sudoHost: ALL
sudoUser: userallowed
sudoCommand: /usr/bin/true
sudoOrder: 2

dn: cn=rule_deny,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule_deny
sudoHost: ALL
sudoUser: userallowed
sudoCommand: !/usr/bin/true
sudoCommand: ALL
sudoOrder: 1

[test]su - userallowed -c 'sudo true'su: warning: cannot change directory to /home/userallowed: No such file or directory
Sorry, user userallowed is not allowed to execute '/bin/true' as root on rhel7.example.com. 


Version-Release number of selected component (if applicable):
sudo-1.8.6p7-11.el7
sssd-1.11.2-65.el7

How reproducible:
always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Daniel Kopeček 2015-02-24 13:52:31 UTC 
Ok, this one looks like a real bug from the logs. Easily fixable.
Comment 4 Daniel Kopeček 2015-03-02 09:33:30 UTC 
Created attachment 997008 [details]
proposed patch
Comment 7 errata-xmlrpc 2015-07-22 07:36:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1409.html
Note You need to log in before you can comment on or make changes to this bug.