Bug 1144419 - sudo with ldap/sssd doesn't respect env_keep,env_check and env_delete variables in sudoOption
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sudo
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Kopeček
QA Contact: Dalibor Pospíšil
Docs Contact:
Depends On:
Blocks: 1205796 1144422
Reported: 2014-09-19 06:54 EDT by David Spurek
Modified: 2015-11-19 07:58 EST

See Also:
Fixed In Version: sudo-1.8.6p7-14.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1144422
Environment:
Last Closed: 2015-11-19 07:58:38 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
proposed patch (5.63 KB, patch), 2015-07-07 08:36 EDT, Daniel Kopeček


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:2424 normal SHIPPED_LIVE sudo bug fix and enhancement update 2015-11-19 06:21:57 EST

Description David Spurek 2014-09-19 06:54:02 EDT
Description of problem:
sudo with ldap/sssd doesn't respect env_keep,env_check and env_delete variables in sudoOption

#### env_check ####
I have following sudoers entries in ldap:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: env_file=/tmp/envfile
sudoOption: env_check="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL

[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
HOSTNAME=rhel7.example.com
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin
SHELL=/bin/bash
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
HOME=/root
TERM=unknown
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=%spec
CHECKVAR=/path

TESTVAR and CHECKVAR variables shouldn't be in the list


#### env_delete ####
I have following sudoers entries in ldap:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: !env_reset
sudoOption: env_file=/tmp/envfile
sudoOption: env_delete="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL


[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
XDG_SESSION_ID=321
HOSTNAME=rhel7.example.com
SHELL=/bin/bash
TERM=xterm-256color
HISTSIZE=1000
USER=root
MAIL=/var/spool/mail/userallowed
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin
PWD=/tmp/tmp.5Mn1pNEi1O
LANG=en_US.UTF-8
HISTCONTROL=ignoredups
SHLVL=1
HOME=/home/userallowed
LOGNAME=root
LESSOPEN=||/usr/bin/lesspipe.sh %s
_=/bin/sudo
USERNAME=root
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=spec
CHECKVAR=path
NEXTVAR=var

TESTVAR and CHECKVAR variables shouldn't be in the list

#### env_keep ####
I have following sudoers entries in ldap:

dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: env_reset
sudoOption: env_file=/tmp/envfile
sudoOption: env_keep="TESTVAR CHECKVAR"
cn: defaults

dn: cn=rule1,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
cn: rule1
sudoHost: ALL
sudoUser: userallowed
sudoCommand: ALL

[test]su - userallowed -c 'sudo env'
su: warning: cannot change directory to /home/userallowed: No such file or directory
TERM=xterm-256color
LANG=en_US.UTF-8
SHELL=/bin/bash
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
HOME=/root
PATH=/usr/bin:/bin:/usr/sbin:/sbin
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=spec
CHECKVAR=path
NEXTVAR=var


NEXTVAR variable shouldn't be in the list

Version-Release number of selected component (if applicable):
sudo-1.8.6p7-11.el7

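One way to check a `sudo env` transcript against the env_* policy carried in the LDAP cn=defaults entry, as an added example (not sudo's own code and not part of the report): it parses the sudoOption attributes, applies the rules documented in sudoers(5) (env_reset keeps only a base set plus env_keep; env_check drops a variable whose value contains % or /, TZ excepted; env_delete only matters with !env_reset) and lists the variables that leaked through. The BASE_VARS set is an approximation of sudo's compiled-in defaults and is an assumption of this example; the embedded LDIF and `sudo env` output are copied from the env_check case in the report, and the sudoers operators +=, -= are handled as well as the plain = form used there.

```python
"""Offline checker for sudo's env_reset/env_keep/env_check/env_delete options as
carried in LDAP sudoRole sudoOption attributes.  Added example for this bug
report, not code from sudo; its model of sudo's defaults is a simplification."""
import re

# cn=defaults entry from the env_check case in the report (copied verbatim).
LDIF_DEFAULTS = """\
dn: cn=defaults,ou=Sudoers,dc=my-domain,dc=com
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoOption: !requiretty
sudoOption: env_file=/tmp/envfile
sudoOption: env_check="TESTVAR CHECKVAR"
cn: defaults
"""

# `sudo env` output from the same case in the report (copied verbatim).
SUDO_ENV_OUTPUT = """\
HOSTNAME=rhel7.example.com
PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin
SHELL=/bin/bash
MAIL=/var/mail/root
LOGNAME=root
USER=root
USERNAME=root
HOME=/root
TERM=unknown
SUDO_COMMAND=/bin/env
SUDO_USER=userallowed
SUDO_UID=10001
SUDO_GID=20001
TESTVAR=%spec
CHECKVAR=/path
"""

# Variables sudo sets itself or keeps by default under env_reset.
# ASSUMPTION: an approximation of the compiled-in defaults, not sudo's exact tables.
BASE_VARS = {"HOME", "LOGNAME", "USER", "USERNAME", "SHELL", "MAIL", "PATH",
             "TERM", "HOSTNAME", "LANG", "DISPLAY"}

# env_keep="A B", env_keep += "C", env_keep -= "A" (quotes optional)
OPTION_RE = re.compile(r'^(env_keep|env_check|env_delete)\s*(\+=|-=|=)\s*"?([^"]*)"?$')


def parse_sudo_options(ldif):
    """Collect the env_* policy from the sudoOption attributes of an LDIF entry."""
    opts = {"env_reset": True, "env_keep": set(), "env_check": set(), "env_delete": set()}
    for line in ldif.splitlines():
        if not line.startswith("sudoOption:"):
            continue
        value = line.split(":", 1)[1].strip()
        if value in ("env_reset", "!env_reset"):
            opts["env_reset"] = not value.startswith("!")
            continue
        m = OPTION_RE.match(value)
        if m is None:
            continue  # unrelated option such as !authenticate or env_file=
        key, op, names = m.group(1), m.group(2), set(m.group(3).split())
        if op == "+=":
            opts[key] |= names
        elif op == "-=":
            opts[key] -= names
        else:
            opts[key] = names
    return opts


def is_safe(name, value):
    """sudoers' env_check rule: safe unless the value contains % or /; TZ is exempt."""
    return name == "TZ" or not any(ch in value for ch in "%/")


def should_survive(name, value, opts):
    """Decide whether one variable survives sudo's sanitising under opts."""
    if name.startswith("SUDO_"):
        return True  # set by sudo itself
    if name in opts["env_check"]:
        return is_safe(name, value)  # applies with and without env_reset
    if opts["env_reset"]:
        return name in opts["env_keep"] or name in BASE_VARS
    return name not in opts["env_delete"]


def parse_env_output(text):
    """Turn `env` output into a dict, ignoring su's warning line."""
    env = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("su:"):
            key, _, val = line.partition("=")
            env[key] = val
    return env


def leaked_variables(env_output, opts):
    """Names in the observed `sudo env` output that the policy says sudo should
    have removed; an empty list means the options were honoured."""
    observed = parse_env_output(env_output)
    return sorted(k for k, v in observed.items() if not should_survive(k, v, opts))


if __name__ == "__main__":
    policy = parse_sudo_options(LDIF_DEFAULTS)
    print("policy:", policy)
    print("leaked:", leaked_variables(SUDO_ENV_OUTPUT, policy))
```

Run against the report's env_check transcript the checker reports `['CHECKVAR', 'TESTVAR']`, which is exactly the defect described; on a fixed sudo (sudo-1.8.6p7-14.el7 per the errata) the same inputs should yield an empty list. Feeding the env_delete and env_keep transcripts with their respective cn=defaults entries flags `CHECKVAR`/`TESTVAR` and `NEXTVAR` in the same way.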
Comment 2 Daniel Kopeček 2015-07-07 08:36:11 EDT
Created attachment 1049275
proposed patch
Comment 16 errata-xmlrpc 2015-11-19 07:58:38 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2424.html
