Bug 1348672 - sudo disallowed when a FreeIPA rule should allow it by host group, since 1.8.16
Summary: sudo disallowed when a FreeIPA rule should allow it by host group, since 1.8.16
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 24
Hardware: x86_64
OS: All
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-06-21 17:43 UTC by Adam Williamson
Modified: 2016-06-26 20:54 UTC (History)
CC List: 5 users

Fixed In Version: sudo-1.8.17p1-1.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-26 20:54:10 UTC



Description Adam Williamson 2016-06-21 17:43:21 UTC
I think this bug was caused by this upstream change:

https://bugzilla.sudo.ws/show_bug.cgi?id=717

So, I have a FreeIPA setup with sudo rules enabled. I have a rule configured in FreeIPA which says 'allow the user adamw to sudo on any machine in the group adam-machines'.

If I try to sudo on a machine in that group with sudo 1.8.15, it works. If I try on a machine with sudo 1.8.16, it fails.

Here is the difference in the logs:

1.8.15:

Jun 21 10:34:31 sudo[3297] val[0]=+adam-machines
Jun 21 10:34:31 sudo[3297] -> addr_matches @ ./match_addr.c:195
Jun 21 10:34:31 sudo[3297] -> addr_matches_if @ ./match_addr.c:56
Jun 21 10:34:31 sudo[3297] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 10:34:31 sudo[3297] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 10:34:31 sudo[3297] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 10:34:31 sudo[3297] -> netgr_matches @ ./match.c:972
Jun 21 10:34:31 sudo[3297] -> sudo_getdomainname @ ./match.c:910
Jun 21 10:34:31 sudo[3297] <- sudo_getdomainname @ ./match.c:949 := (null)
Jun 21 10:34:31 sudo[3297] netgroup adam-machines matches (xps13.happyassassin.net|xps13, , ): true @ netgr_matches() ./match.c:998
Jun 21 10:34:31 sudo[3297] <- netgr_matches @ ./match.c:1001 := true

1.8.16:

Jun 21 10:26:17 sudo[2935] val[0]=+adam-machines
Jun 21 10:26:17 sudo[2935] -> addr_matches @ ./match_addr.c:195
Jun 21 10:26:17 sudo[2935] -> addr_matches_if @ ./match_addr.c:56
Jun 21 10:26:17 sudo[2935] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 10:26:17 sudo[2935] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 10:26:17 sudo[2935] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 10:26:17 sudo[2935] -> netgr_matches @ ./match.c:1015
Jun 21 10:26:17 sudo[2935] -> sudo_getdomainname @ ./match.c:953
Jun 21 10:26:17 sudo[2935] <- sudo_getdomainname @ ./match.c:992 := (null)
Jun 21 10:26:17 sudo[2935] netgroup adam-machines matches (xps13.happyassassin.net|xps13, adamw, ): false @ netgr_matches() ./match.c:1041
Jun 21 10:26:17 sudo[2935] <- netgr_matches @ ./match.c:1044 := false

Note the difference in the triplet that's checked. For 1.8.15 it's "(xps13.happyassassin.net|xps13, , )". For 1.8.16 it's "(xps13.happyassassin.net|xps13, adamw, )".

If I add a test FreeIPA rule allowing access directly to the specific host (rather than using a FreeIPA host group), sudo works. So this is definitely to do with the host group.

Comment 1 Adam Williamson 2016-06-21 18:18:21 UTC
It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo works again. Log looks like this:

Jun 21 11:10:38 sudo[3834] val[0]=+adam-machines
Jun 21 11:10:38 sudo[3834] -> addr_matches @ ./match_addr.c:195
Jun 21 11:10:38 sudo[3834] -> addr_matches_if @ ./match_addr.c:56
Jun 21 11:10:38 sudo[3834] <- addr_matches_if @ ./match_addr.c:66 := false
Jun 21 11:10:38 sudo[3834] IP address +adam-machines matches local host: false @ addr_matches() ./match_addr.c:206
Jun 21 11:10:38 sudo[3834] <- addr_matches @ ./match_addr.c:207 := false
Jun 21 11:10:38 sudo[3834] -> netgr_matches @ ./match.c:1039
Jun 21 11:10:38 sudo[3834] -> sudo_getdomainname @ ./match.c:977
Jun 21 11:10:38 sudo[3834] <- sudo_getdomainname @ ./match.c:1016 := (null)
Jun 21 11:10:38 sudo[3834] netgroup adam-machines matches (xps13.happyassassin.net|xps13, , ): true @ netgr_matches() ./match.c:1065
Jun 21 11:10:38 sudo[3834] <- netgr_matches @ ./match.c:1068 := true

So it's gone back to checking just the hostname (the user no longer appears in the triplet). I do see some relevant-looking changes in plugins/sudoers/sssd.c and plugins/sudoers/match.c upstream, so it makes sense.

Comment 2 Adam Williamson 2016-06-21 18:47:39 UTC
Aha. The specific upstream fix is this commit:

https://github.com/millert/sudo/commit/ccf88d3bb22fbb9804fd66bd4fb4ab6c168b10f4

Before that commit, sudo_sss_check_host was unconditionally throwing the username into the netgr_matches call (which is incorrect); after the commit, it only includes it if netgroup_tuple is enabled (which by default it is not).

The netgroup_tuple thing was the feature added to address bug #717 in 1.8.16. It looks like in the initial commit to add that feature:

https://github.com/millert/sudo/commit/5a77989a33ee8f27349aec831603fcd55cce159c

most calls to netgr_matches were changed to use a ternary to specify username if def_netgroup_tuple is true, but the netgr_matches call in sudo_sss_check_host was just changed to specify username unconditionally, and ccf88d3 fixes that.
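The matching logic that comment 2 describes, written out as an added example (this is not sudo's own code and not the upstream commit): a small netgroup matcher with innetgr(3)-style wildcard semantics (a NULL query field matches anything, an empty entry field matches anything), a constructed host-group-style netgroup whose triples carry no user (the "-" in the user field is an assumption about how such entries look), and two callers. One always puts the invoking user into the query, as the 1.8.16 sudo_sss_check_host did; the other only does so when netgroup_tuple is enabled, as the fixed code does. Like the log lines above, the callers try the fully-qualified and short host names. All names (netgroup_contains, host_matches_buggy, host_matches_fixed, the sample entries) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One netgroup member triple (host, user, domain) as found in NIS/LDAP netgroups. */
struct ng_triple {
    const char *host;
    const char *user;
    const char *domain;
};

/* innetgr(3)-style field comparison:
 *  - a NULL query value means "don't care", so it matches any entry field;
 *  - an empty entry field is a wildcard that matches any query value;
 *  - the conventional "-" entry field denotes "no valid value" and matches nothing.
 */
static bool field_matches(const char *entry, const char *query)
{
    if (query == NULL)
        return true;
    if (entry == NULL || entry[0] == '\0')
        return true;
    if (strcmp(entry, "-") == 0)
        return false;
    return strcmp(entry, query) == 0;
}

/* True if any triple in the netgroup matches the (host, user, domain) query. */
bool netgroup_contains(const struct ng_triple *members, size_t n,
                       const char *host, const char *user, const char *domain)
{
    for (size_t i = 0; i < n; i++) {
        if (field_matches(members[i].host, host) &&
            field_matches(members[i].user, user) &&
            field_matches(members[i].domain, domain))
            return true;
    }
    return false;
}

/* Host check as a buggy caller would do it: the user is always part of the query,
 * so host-only triples (user field "-") can never match. The domain is NULL here
 * because, as in the logs above, no NIS domain name is set. */
bool host_matches_buggy(const struct ng_triple *members, size_t n,
                        const char *lhost, const char *shost, const char *user)
{
    return netgroup_contains(members, n, lhost, user, NULL) ||
           netgroup_contains(members, n, shost, user, NULL);
}

/* Host check as the fixed caller does it: the user only enters the query when
 * netgroup_tuple matching is enabled; otherwise only the host name is compared. */
bool host_matches_fixed(const struct ng_triple *members, size_t n,
                        const char *lhost, const char *shost, const char *user,
                        bool netgroup_tuple)
{
    const char *u = netgroup_tuple ? user : NULL;
    return netgroup_contains(members, n, lhost, u, NULL) ||
           netgroup_contains(members, n, shost, u, NULL);
}

/* Constructed sample data (not taken from any real directory). */
/* A host-group-style netgroup: host names only, no user in the triples. */
const struct ng_triple adam_machines[] = {
    { "xps13.happyassassin.net", "-", "" },
    { "other.happyassassin.net", "-", "" },
};
const size_t adam_machines_n = sizeof(adam_machines) / sizeof(adam_machines[0]);

/* A netgroup with full (host, user) tuples, the shape netgroup_tuple was added for. */
const struct ng_triple tuple_group[] = {
    { "xps13.happyassassin.net", "adamw", "" },
};
const size_t tuple_group_n = sizeof(tuple_group) / sizeof(tuple_group[0]);

int main(void)
{
    const char *lhost = "xps13.happyassassin.net", *shost = "xps13", *user = "adamw";

    printf("buggy, host group:             %s\n",
           host_matches_buggy(adam_machines, adam_machines_n, lhost, shost, user) ? "true" : "false");
    printf("fixed, host group, tuple off:  %s\n",
           host_matches_fixed(adam_machines, adam_machines_n, lhost, shost, user, false) ? "true" : "false");
    printf("fixed, tuple group, tuple on:  %s\n",
           host_matches_fixed(tuple_group, tuple_group_n, lhost, shost, user, true) ? "true" : "false");
    return 0;
}
```

The buggy caller reproduces the 1.8.16 log line ("(xps13.happyassassin.net|xps13, adamw, ): false"), while the fixed caller with netgroup_tuple disabled reproduces the 1.8.15 and 1.8.17 result for the same host-group netgroup. With netgroup_tuple enabled, the fixed caller still matches a netgroup whose triples do carry the user, which is the case the option exists for.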

Comment 3 Daniel Kopeček 2016-06-22 08:21:52 UTC
(In reply to Adam Williamson from comment #1)
> It seems like sudo 1.8.17 fixes this. I did a test build of it and sudo
> works again. Log looks like this:

Great, thanks for the triage. I'm preparing an update to 1.8.17. Once I have a patch for #1348533, I'll push the update.

Comment 4 Adam Williamson 2016-06-24 15:23:44 UTC
Can you please fix F24 as well? It has 1.8.16 as well.

Comment 5 Fedora Update System 2016-06-25 10:55:58 UTC
sudo-1.8.17p1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1

Comment 6 Fedora Update System 2016-06-26 00:26:48 UTC
sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c102e92ca1

Comment 7 Fedora Update System 2016-06-26 20:54:07 UTC
sudo-1.8.17p1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

