Red Hat Bugzilla – Bug 1511850
Setting empty sudoers_search_filter via sudo-ldap.conf generates an invalid LDAP query filter
Last modified: 2018-04-10 10:44:43 EDT
Description of problem:
https://www.sudo.ws/pipermail/sudo-workers/2017-August/001113.html

How reproducible:
Always

Steps to Reproduce:
1. Configure sudo to use LDAP source for sudoers in nsswitch.conf
2. Set SUDOERS_SEARCH_FILTER without a value in sudo-ldap.conf
3. Set SUDOERS_DEBUG to enable LDAP code debugging messages
4. Try sudo ls or something

Actual results:
--- snip ---
sudo: ldap search '(sudoUser=*)(sudoUser=+*)'
sudo: searching from base 'ou=SUDOers,dc=localhost,dc=localdomain'
sudo: ldap search pass 2 failed: Bad search filter
--- snip ---

Expected results:
Correct LDAP query filter passed to LDAP API

Additional info:
Upstream fix: https://github.com/millert/sudo/commit/5cdee2c2c070081da38cf8014390887cd119920d
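An added illustration, not code from sudo or from this bug's patch: a hypothetical stand-in for how the configured SUDOERS_SEARCH_FILTER is combined with sudo's own sudoUser terms, plus a minimal RFC 4515 structure check that rejects the filter quoted above. The default '(objectClass=sudoRole)' and the two sudoUser alternatives are taken from the report's log output; the function and constant names are assumptions.

```python
# Added example (not sudo's ldap.c). DEFAULT_FILTER and PASS2_TERMS come from
# the bug's debug output; build_pass2_filter/is_wellformed are hypothetical.
from typing import Optional

DEFAULT_FILTER = "(objectClass=sudoRole)"      # applied when the option is absent
PASS2_TERMS = "(|(sudoUser=*)(sudoUser=+*))"   # the alternatives sudo searches for


def is_wellformed(filt: str) -> bool:
    """Minimal RFC 4515 check: exactly one balanced filter item, nothing trailing."""
    def item(i: int) -> int:            # index just past the item at i, or -1
        if i >= len(filt) or filt[i] != "(":
            return -1
        i += 1
        if i < len(filt) and filt[i] in "&|!":
            op, i, n = filt[i], i + 1, 0
            while i < len(filt) and filt[i] == "(":
                i, n = item(i), n + 1
                if i < 0:
                    return -1
            if n == 0 or (op == "!" and n != 1):
                return -1
        else:                           # simple item: attr=value, no nesting
            j = filt.find(")", i)
            if j < 0 or "=" not in filt[i:j] or "(" in filt[i:j]:
                return -1
            i = j
        return i + 1 if i < len(filt) and filt[i] == ")" else -1
    return item(0) == len(filt)


def build_pass2_filter(search_filter: Optional[str]) -> str:
    """None = option absent (default applies); "" = option set with no value.
    An empty value drops the default but must not leave PASS2_TERMS unwrapped."""
    if search_filter is None:
        search_filter = DEFAULT_FILTER
    if search_filter == "":
        return PASS2_TERMS
    if not is_wellformed(search_filter):
        raise ValueError("SUDOERS_SEARCH_FILTER is not a valid LDAP filter: %r"
                         % search_filter)
    return "(&%s%s)" % (search_filter, PASS2_TERMS)


if __name__ == "__main__":
    # the filter from the report's debug output: a bare list outside any (|...)
    print(is_wellformed("(sudoUser=*)(sudoUser=+*)"))   # False
    for cfg in (None, "", "(cn=*)"):                    # absent, empty, custom
        print(repr(cfg), build_pass2_filter(cfg))
```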
Created attachment 1353435: filter patch
OLD sudo-1.8.19p2-11.el7

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: test SUDOERS_SEARCH_FILTER, provider ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:15:06 ] :: [ INFO ] :: using '/var/tmp/beakerlib-dGwVR9a/backup-SUDOERS_SEARCH_FILTER' as backup destination
:: [ 16:15:07 ] :: [ PASS ] :: Command 'rlFileBackup --namespace SUDOERS_SEARCH_FILTER --clean /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_TIMED/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_DEBUG/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_SEARCH_FILTER/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:07 ] :: [ PASS ] :: Command 'echo 'SUDOERS_DEBUG 1' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:08 ] :: [ PASS ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:15:08 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=\*.*sudoUser=\+\*'
:: [ 16:15:08 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=userallowed'
:: [ 16:15:08 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.mkUoinw3' should not contain 'sudo: ldap search pass 2 failed: Bad search filter'
:: [ 16:15:08 ] :: [ PASS ] :: Command 'echo 'SUDOERS_SEARCH_FILTER' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:15:08 ] :: [ PASS ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:15:09 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should not contain 'sudo: ldap search.*objectClass=sudoRole'
:: [ 16:15:09 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should contain 'sudo: ldap search.*sudoUser=\*.*sudoUser=\+\*'
:: [ 16:15:09 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should contain 'sudo: ldap search.*sudoUser=userallowed'
:: [ 16:15:09 ] :: [ FAIL ] :: File '/var/tmp/rlRun_LOG.wsSoryDy' should not contain 'sudo: ldap search pass 2 failed: Bad search filter'
:: [ 16:23:31 ] :: [ PASS ] :: Command 'rlFileRestore --namespace SUDOERS_SEARCH_FILTER' (Expected 0, got 0)
________________________________________________________________________________
:: [ 16:23:31 ] :: [ LOG ] :: Duration: 505s
:: [ 16:23:31 ] :: [ LOG ] :: Assertions: 15 good, 1 bad
:: [ 16:23:31 ] :: [ FAIL ] :: RESULT: test SUDOERS_SEARCH_FILTER, provider ldap

NEW sudo-1.8.19p2-13.el7:

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: test SUDOERS_SEARCH_FILTER, provider ldap
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 16:28:03 ] :: [ INFO ] :: using '/var/tmp/beakerlib-yhENxsp/backup-SUDOERS_SEARCH_FILTER' as backup destination
:: [ 16:28:03 ] :: [ PASS ] :: Command 'rlFileBackup --namespace SUDOERS_SEARCH_FILTER --clean /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_TIMED/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_DEBUG/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:03 ] :: [ PASS ] :: Command 'sed -i '/SUDOERS_SEARCH_FILTER/Id' /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:04 ] :: [ PASS ] :: Command 'echo 'SUDOERS_DEBUG 1' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:04 ] :: [ PASS ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:28:04 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=\*.*sudoUser=\+\*'
:: [ 16:28:04 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should contain 'sudo: ldap search.*objectClass=sudoRole.*sudoUser=userallowed'
:: [ 16:28:04 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.Ct1PyCfk' should not contain 'sudo: ldap search pass 2 failed: Bad search filter'
:: [ 16:28:04 ] :: [ PASS ] :: Command 'echo 'SUDOERS_SEARCH_FILTER' >> /etc/sudo-ldap.conf' (Expected 0, got 0)
:: [ 16:28:05 ] :: [ PASS ] :: Command 'su - userallowed -c 'sudo true'' (Expected 0, got 0)
:: [ 16:28:05 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should not contain 'sudo: ldap search.*objectClass=sudoRole'
:: [ 16:28:05 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should contain 'sudo: ldap search.*sudoUser=\*.*sudoUser=\+\*'
:: [ 16:28:05 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should contain 'sudo: ldap search.*sudoUser=userallowed'
:: [ 16:28:05 ] :: [ PASS ] :: File '/var/tmp/rlRun_LOG.hJWJ2PhG' should not contain 'sudo: ldap search pass 2 failed: Bad search filter'
:: [ 16:28:26 ] :: [ PASS ] :: Command 'rlFileRestore --namespace SUDOERS_SEARCH_FILTER' (Expected 0, got 0)
________________________________________________________________________________
:: [ 16:28:26 ] :: [ LOG ] :: Duration: 23s
:: [ 16:28:26 ] :: [ LOG ] :: Assertions: 16 good, 0 bad
:: [ 16:28:26 ] :: [ PASS ] :: RESULT: test SUDOERS_SEARCH_FILTER, provider ldap
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0824