Bug 1657496 - sudo ipa_hostname not honored
Summary: sudo ipa_hostname not honored
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Radovan Sroka
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1738662
 
Reported: 2018-12-09 15:58 UTC by Magnus W
Modified: 2019-08-16 12:12 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1738662
Environment:
Last Closed: 2019-08-16 12:12:14 UTC
Type: Bug
Embargoed:



Description Magnus W 2018-12-09 15:58:05 UTC
Description of problem:

Failure to sudo after upgrading to sudo-1.8.25-1.fc29.x86_64 (from sudo-1.8.23-3.fc29.x86_64). The setup is using
FreeIPA and sssd with configured sudo rules based on hostnames. The "ipa_hostname" option in sssd.conf is expected to override the machine's hostname when doing host matching.     

Version-Release number of selected component (if applicable):

sudo-1.8.25-1.fc29.x86_64
sssd-2.0.0-4.fc29.x86_64

How reproducible:

always

Steps to Reproduce:

1. Add "sudoers: files sss" in /etc/nsswitch.conf

2. Add the following lines in /etc/sssd/sssd.conf:

	[domain/example.com]

	id_provider = ipa
	ipa_server = _srv_, ipaserver.example.com
	ipa_domain = example.com
	ipa_hostname = client01.example.com
	auth_provider = ipa
	chpass_provider = ipa
	access_provider = ipa
	cache_credentials = True
	ldap_tls_cacert = /etc/ipa/ca.crt
	krb5_store_password_if_offline = True
	[sssd]
	services = nss, pam, ssh, sudo
	domains = example.com
	...
3. Configure sudo rules on ipaserver.example.com to allow sudo for user01 only on server 'client01.example.com'

4. [user01@client01]# hostname
   client01

Actual results:

   [user01@client01]# sudo -l
   Sorry, user user01 may not run sudo on client01.

Expected results:

sudo should honor the ipa_hostname value when the sss backend is used.

The following is logged when enabling sudo debug-logs:

Dec  8 17:16:47 sudo[2366] ipa_hostname client01.example.com overrides client01
Dec  8 17:16:47 sudo[2366] <- get_ipa_hostname @ ./sssd.c:158 := 1
...
Dec  8 17:16:47 sudo[2366] host client01 matches sudoers pattern client01.example.com: false @ hostname_matches() ./match.c:1013
...

Even though the ipa_hostname override is picked up by sudo, it doesn't seem to be used when matching against the host rules provided by sssd.

When downgrading to sudo-1.8.23-3.fc29.x86_64 (everything else is the same on the system), the logs instead show:

host client01.example.com matches sudoers pattern client01.example.com: true @ hostname_matches() ./match.c:997
Dec  8 20:09:42 sudo[25342] <- hostname_matches @ ./match.c:998 := true
Dec  8 20:09:42 sudo[25342] sssd/ldap sudoHost 'client01.example.com' ... MATCH!

...and the sudo is successful.

Something might be incorrect with my configuration, but it seems that sudo 1.8.23 and 1.8.25 behave differently here.
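
The following is an added example (not code from the sudo project or from the reporter) that models the host-matching step the debug lines above come from. It re-implements the decision in sudo's hostname_matches() in Python: a sudoHost pattern that contains a dot is compared against the fully qualified host, an undotted one against the short host, and wildcards go through fnmatch. Running it with the report's values shows why the rule for 'client01.example.com' fails when the host sudo compares is the unqualified system hostname 'client01', and succeeds when the ipa_hostname override is what sudo compares. The apply_override switch is a hypothetical stand-in for the two sudo versions, not a sudo option; the hostnames, rule values and log lines are constructed from the report, and netgroup and IP-address sudoHost values are deliberately not modelled.

```python
"""Model of how sudo matches an sssd/FreeIPA sudoHost value against the
client's hostname (added example; not sudo's or the reporter's code)."""
import fnmatch
import re
from typing import Iterable, Optional, Tuple


def has_meta(pattern: str) -> bool:
    """True if the pattern uses shell-style wildcard characters."""
    return any(c in pattern for c in "*?[")


def hostname_matches(shost: str, lhost: str, pattern: str) -> bool:
    """Mirror sudo's hostname_matches(): a dotted pattern is compared
    against the long host, an undotted one against the short host,
    case-insensitively, via fnmatch when the pattern has wildcards."""
    host = lhost if "." in pattern else shost
    if has_meta(pattern):
        return fnmatch.fnmatchcase(host.lower(), pattern.lower())
    return host.lower() == pattern.lower()


def sudohost_matches(sudo_hosts: Iterable[str], shost: str, lhost: str) -> bool:
    """Simplified sudoHost evaluation for plain hostnames: "ALL" matches
    everything, a leading "!" negates, the first matching value decides.
    Netgroups ("+name") and address/netmask values (assumed here to start
    with a digit) are not modelled and never match."""
    for value in sudo_hosts:
        negated = value.startswith("!")
        pattern = value.lstrip("!")
        if pattern == "ALL":
            hit = True
        elif pattern.startswith("+") or pattern[:1].isdigit():
            hit = False  # netgroup / address matching is out of scope
        else:
            hit = hostname_matches(shost, lhost, pattern)
        if hit:
            return not negated
    return False


def host_for_matching(system_hostname: str, ipa_hostname: Optional[str],
                      apply_override: bool) -> Tuple[str, str]:
    """Return (shost, lhost). With the override applied (what the report sees
    on 1.8.23) the long host is ipa_hostname; without it (the 1.8.25 lines in
    the report) it is the system hostname as-is, here the unqualified
    "client01". The short host is the long host cut at the first dot."""
    lhost = ipa_hostname if (apply_override and ipa_hostname) else system_hostname
    return lhost.split(".", 1)[0], lhost


# Constructed to mirror the report: `hostname` is unqualified, sssd.conf sets
# ipa_hostname, and the IPA sudo rule names the FQDN.
SYSTEM_HOSTNAME = "client01"
IPA_HOSTNAME = "client01.example.com"
RULE_SUDOHOST = ["client01.example.com"]


def rule_allows_host(sudo_hosts: Iterable[str], apply_override: bool) -> bool:
    """Evaluate a rule's sudoHost list for this client, with or without the
    ipa_hostname override feeding the host that sudo compares."""
    shost, lhost = host_for_matching(SYSTEM_HOSTNAME, IPA_HOSTNAME, apply_override)
    return sudohost_matches(sudo_hosts, shost, lhost)


# Debug lines copied from the report (constructed input for the check below).
LOG_1_8_25 = ("Dec  8 17:16:47 sudo[2366] host client01 matches sudoers pattern "
              "client01.example.com: false @ hostname_matches() ./match.c:1013")
LOG_1_8_23 = ("host client01.example.com matches sudoers pattern "
              "client01.example.com: true @ hostname_matches() ./match.c:997")
MATCH_LOG = re.compile(r"host (\S+) matches sudoers pattern (\S+): (true|false)")


def override_used_in_match(log_lines: Iterable[str], ipa_hostname: str) -> Optional[bool]:
    """Scan sudo debug output for hostname_matches() lines with a qualified
    pattern and report whether the host sudo compared was the ipa_hostname
    override. Returns None when no such line is present."""
    result = None
    for line in log_lines:
        m = MATCH_LOG.search(line)
        if not m or "." not in m.group(2):
            continue
        result = m.group(1) == ipa_hostname
    return result


if __name__ == "__main__":
    for apply_override in (False, True):
        print(f"override applied={apply_override}: "
              f"rule {RULE_SUDOHOST} matches -> {rule_allows_host(RULE_SUDOHOST, apply_override)}")
    for line in (LOG_1_8_25, LOG_1_8_23):
        print(f"override used in match: {override_used_in_match([line], IPA_HOSTNAME)} <- {line}")
```

Note what the model also makes visible: a sudoHost value without a dot (the bare 'client01') is compared against the short host and therefore matches in both cases, and a wildcard such as '*.example.com' fails in exactly the same way as the FQDN when the compared host is unqualified. When diagnosing a report like this one, the useful check is the host named in the "matches sudoers pattern" debug line, not the "ipa_hostname ... overrides" line, since the latter only proves the value was read.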

Comment 2 Radovan Sroka 2019-08-16 12:12:14 UTC
Fixed in:

https://www.sudo.ws/repos/sudo/rev/b4f31dbe3109

